Matthew_Schlesi
Engaged Sweeper
Hi all!

I've done the obligatory search and didn't find anything related, so here goes first post:

I have three assets that have shown up via Asset Radar, all apparently Google IPs and hostnames, e.g.:

- Hostname: sfo03s18-in-f14.1e100.net
- IP: 172.217.164.110

Lansweeper has categorized the "devices" as webservers (which I understand from googling can be a default/fallback label) with the model "gws" (lowercase), which I read as "Google WebServer." 😉

I don't understand a few things:

1. How were these "devices" detected? Were they remotely connected to my host machine? There is no evidence that they were connected to my router. So perhaps they are some kind of program or bot that's phoning home from my Lanserver host? If so, why does Asset Radar think it's an external IP if the traffic is originating from my local machine?

2. When I run a scan, Lansweeper "sees" the asset each time (there are three in fact). What does it mean that Lastseen is the latest scan, when there is no evidence of a remote connection to the external IP?

I've done quite a bit of diagnostic testing over the last few days to try and isolate the so-called "rogue devices." Ultimately, I disconnected all machines from my LAN, turned off the WAN, and did a scan from the host machine -- again each of the three external "devices" came up as seen during the scan.

I've also blocked all outbound traffic to the IPs (at the router) and confirmed by failed pings, and yet...wait for it...they all show up during an active scan. Odd. Perhaps I'm confused, but up to this point I'd understood that when a device/IP shows up with a current Lastseen timestamp, that means the device is currently connected (to the host) and can be...you know, scanned. No comprendo.

I'm having a lot of trouble understanding what this result means, in the context of (a) no external connection, (b) no other network device connection (other than the router, which has no WAN), and (c) all other devices and IPs that Lansweeper normally sees (when connected) are limited to my local network.

An option is to delete the Asset Radar entries and see if they show up again from an AR scan. However, I'd like to keep the data live and in the system as I continue to run diagnostics. Rather not delete or export and delete for diagnostic purposes.

Has anyone seen something similar? Any suggestions? I thought perhaps one of the 10,000 smart-home devices I own (many of them Google-related) might be running some kind of server, but running a scan with no WAN or other local devices connected rules that theory out, IIUC what active scanning and seeing/detecting a device actually means.

PS An INTERESTING footnote: I'm running Asuswrt-Merlin on the router and checked out the connection table -- turns out several of my local machines are connected to each of the remote IPs in question. Actually, all of my machines are connected to DOZENS of external IPs of course, so I'm not sure what that proves. However, it suggests that perhaps Asset Radar stumbled onto a few of those "innocent" conversations and miscategorized them? Just a hunch? Is it plausible?
1 REPLY
Matthew_Schlesi
Engaged Sweeper
I truly hate to be "the guy who answers his own question" (just seems naïve and tacky, plus you look kinda misbegotten), but since my question went unanswered and I have a new insight, I'll post it here for posterity.

To recap: my OP basically asked how a bunch of remote or external IPs could show up during an ordinary scan (or more accurately, a mix of "ordinary" and asset-radar scans). Not sure if I mentioned it before (I mean: WHO would read such a long post anyway?) but running whois on the IPs points to Google-owned hostnames, which doesn't say much. In fact, it's trivially easy to buy some Google server space and host naughtiness, so that's maybe a red flag in the end.

Anyhow...

Do any of you recognize the Chrome extension, The Great Suspender? Seems it got itself into quite a bit of controversy late last year:

https://github.com/greatsuspender/thegreatsuspender/issues/1263

After discovering that the extension seemed to be collecting browsing data (and maybe more) I of course uninstalled it months ago. However, I did leave open a number of suspended tabs, which perhaps continued to maintain a connection to the remote server that collected browsing data (see the GitHub link below for a very detailed discussion of what might have been collected).

So my latest hunch is that THOSE are the IPs I'm seeing as scan results. In any case I've gone through and removed the offending URLs so all my tabs are pointing back to their original pages (and, presumably, not to some remote server or who-knows-what).

I'll wait a few days and if I see those locations no longer showing up as "active" Lanserver, I'll consider this issue closed.
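
The connection-table check mentioned in the first post's PS, as an added example that is not part of the original thread: it reads a Linux conntrack-style table and lists which LAN clients opened flows to a watched external IP. The sample lines are constructed, and the `/proc/net/nf_conntrack` text format, the `192.168.1.0/24` LAN range and the function name `clients_per_remote` are assumptions about the router, not details from the posts.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the Linux netfilter conntrack text format (assumed to be
# what the router exposes). Only 172.217.164.110 comes from the post; every
# other address is a made-up documentation or private address.
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=172.217.164.110 sport=51234 dport=443 src=172.217.164.110 dst=203.0.113.7 sport=443 dport=51234 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 117 TIME_WAIT src=192.168.1.23 dst=172.217.164.110 sport=40022 dport=443 src=172.217.164.110 dst=203.0.113.7 sport=443 dport=40022 [ASSURED] mark=0 use=2
ipv4     2 udp      17 25 src=192.168.1.10 dst=192.168.1.1 sport=5353 dport=53 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=5353 mark=0 use=2
ipv4     2 tcp      6 300 ESTABLISHED src=192.168.1.42 dst=198.51.100.9 sport=50111 dport=443 src=198.51.100.9 dst=203.0.113.7 sport=443 dport=50111 [ASSURED] mark=0 use=2
"""

FIELD = re.compile(r"\b(src|dst|sport|dport)=(\S+)")


def clients_per_remote(table, watched, lan="192.168.1.0/24"):
    """Map each watched remote IP to the LAN clients that opened flows to it."""
    lan_net = ipaddress.ip_network(lan)
    watched_ips = {ipaddress.ip_address(w) for w in watched}
    hits = defaultdict(set)
    for line in table.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # blank or truncated line
        proto = parts[2]
        # Each entry lists the original direction first, then the reply
        # direction; keep only the first occurrence of every key.
        orig = {}
        for key, value in FIELD.findall(line):
            orig.setdefault(key, value)
        try:
            src = ipaddress.ip_address(orig["src"])
            dst = ipaddress.ip_address(orig["dst"])
        except (KeyError, ValueError):
            continue  # not a flow entry we can interpret
        # A flow initiated from inside the LAN towards a watched address means
        # a local client is talking out, not that a remote device joined the LAN.
        if src in lan_net and dst in watched_ips:
            hits[str(dst)].add((str(src), proto, orig.get("dport", "-")))
    return {ip: sorted(flows) for ip, flows in hits.items()}


if __name__ == "__main__":
    for ip, flows in clients_per_remote(SAMPLE_CONNTRACK, ["172.217.164.110"]).items():
        print(ip, flows)
```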