ok.. wtf is this..
I have a WatchGuard UTM device with Mobile User VPN (MUVPN). The users have either Verizon aircards or connect up to their home broadband. I've recently noticed these entries in the WatchGuard logs:
May 25 10:03:36 fw admd[1687]: msg_id="1100-000D" ADM auth MUVPN user [fredflintstone@Active Directory] from 8.15.247.112 Accepted
May 25 10:05:04 fw admd[1687]: msg_id="1100-000D" ADM auth MUVPN user [barneyrubble@Active Directory] from 8.15.247.112 Accepted
May 25 10:13:08 fw admd[1687]: msg_id="1100-000D" ADM auth MUVPN user [pebbles@Active Directory] from 8.15.247.112 Accepted
May 25 10:13:43 fw admd[1687]: msg_id="1100-000D" ADM auth MUVPN user [bambam@Active Directory] from 8.15.247.112 Accepted
Each of those entries is followed by one that looks like this, which contains their actual IP address:
May 25 10:03:36 fw sessiond[1689]: msg_id="3E00-0002" IPSec VPN user fredflintstone@Active Directory from 75.x.x.x logged in
A grep of my log shows that just about every user connecting is coming from that IP address - but then, the actual IPsec login comes from their real IP address...
wtf is 8.15.247.112?
A traceroute ends at a router called "Ribbit-Corp". I have no idea who they are or what they are doing and how they are somehow involved in the transaction - but I don't like it.
Any thoughts?
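The correlation the post does by hand with grep can be scripted: the following is an added example, not part of the original post, that pairs each `1100-000D` auth record with the next `3E00-0002` IPSec login for the same user and reports where the two source addresses differ, plus any auth source shared by several users. The sample log is constructed from the two message formats quoted above; the login addresses (documentation ranges) and the user `wilma` are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the two formats quoted in the post. 8.15.247.112 is
# the address from the post; 203.0.113.x / 198.51.100.x are placeholder
# documentation addresses and "wilma" is a made-up user (assumptions).
SAMPLE_LOG = """\
May 25 10:03:36 fw admd[1687]: msg_id="1100-000D" ADM auth MUVPN user [fredflintstone@Active Directory] from 8.15.247.112 Accepted
May 25 10:03:36 fw sessiond[1689]: msg_id="3E00-0002" IPSec VPN user fredflintstone@Active Directory from 203.0.113.10 logged in
May 25 10:05:04 fw admd[1687]: msg_id="1100-000D" ADM auth MUVPN user [barneyrubble@Active Directory] from 8.15.247.112 Accepted
May 25 10:05:04 fw sessiond[1689]: msg_id="3E00-0002" IPSec VPN user barneyrubble@Active Directory from 203.0.113.20 logged in
May 25 10:09:11 fw admd[1687]: msg_id="1100-000D" ADM auth MUVPN user [wilma@Active Directory] from 198.51.100.7 Accepted
May 25 10:09:11 fw sessiond[1689]: msg_id="3E00-0002" IPSec VPN user wilma@Active Directory from 198.51.100.7 logged in
"""

# The auth record wraps the user in brackets; the login record does not.
AUTH_RE = re.compile(
    r'msg_id="1100-000D" ADM auth MUVPN user \[(?P<user>[^\]]+)\] from (?P<ip>\S+) Accepted')
LOGIN_RE = re.compile(
    r'msg_id="3E00-0002" IPSec VPN user (?P<user>.+?) from (?P<ip>\S+) logged in')

def correlate(log_text):
    """Return (mismatches, auth_sources).

    mismatches: list of (user, auth_ip, ipsec_ip) where the addresses differ.
    auth_sources: auth source IP -> set of users authenticated from it.
    """
    pending = {}                      # user -> IP of most recent auth record
    mismatches = []
    auth_sources = defaultdict(set)
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            pending[m["user"]] = m["ip"]
            auth_sources[m["ip"]].add(m["user"])
            continue
        m = LOGIN_RE.search(line)
        if m and m["user"] in pending:
            auth_ip = pending.pop(m["user"])
            if auth_ip != m["ip"]:
                mismatches.append((m["user"], auth_ip, m["ip"]))
    return mismatches, dict(auth_sources)

def shared_auth_sources(auth_sources, min_users=2):
    """Auth source IPs seen for at least min_users distinct users."""
    return {ip: sorted(u) for ip, u in auth_sources.items() if len(u) >= min_users}

if __name__ == "__main__":
    mismatches, sources = correlate(SAMPLE_LOG)
    for user, auth_ip, ipsec_ip in mismatches:
        print(f"{user}: auth from {auth_ip}, IPSec login from {ipsec_ip}")
    print("shared auth sources:", shared_auth_sources(sources))
```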