Routing Table Quandary

Last post 02-12-2008 10:47 AM by NetTecture. 1 replies.


  • Routing Table Quandary

    02-08-2008, 11:44 AM

    I have a quandary on some of our web servers that I'm hoping some of you sys admins out there can clarify. The quandary is that some of our Windows Server 2003 (SP2) web servers have some routing table entries that have just appeared for no apparent reason. Below is a routing table from one server with private address space changed to protect the innocent (pardon the formatting):

    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0        10.200.0.1       10.200.70.1     10
            10.200.0.0      255.255.0.0       10.200.70.1       10.200.70.1     10
           10.200.70.1  255.255.255.255        127.0.0.1        127.0.0.1     10
          10.200.70.10  255.255.255.255        127.0.0.1        127.0.0.1     10
          10.200.70.15  255.255.255.255        127.0.0.1        127.0.0.1     10
          10.200.70.20  255.255.255.255        127.0.0.1        127.0.0.1     10
          10.200.70.25  255.255.255.255        127.0.0.1        127.0.0.1     10
          10.200.70.26  255.255.255.255        127.0.0.1        127.0.0.1     10
          10.200.70.27  255.255.255.255        127.0.0.1        127.0.0.1     10
       10.255.255.255  255.255.255.255       10.200.70.1       10.200.70.1     10
        85.198.62.149  255.255.255.255        10.200.0.1       10.200.70.1     10
         86.108.68.98  255.255.255.255        10.200.0.1       10.200.70.1     10
            127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
        203.162.71.30  255.255.255.255      10.200.0.254       10.200.70.1      1
            224.0.0.0        240.0.0.0       10.200.70.1       10.200.70.1     10
      255.255.255.255  255.255.255.255       10.200.70.1       10.200.70.1      1
    Default Gateway:         10.200.0.1


    Notice the entries to public IP addresses towards the end of the routing table. They have NOT been added manually and they are nowhere near our public address space. Notice how some entries point to one gateway (10.200.0.1 - a L3 switch) and some to another (10.200.0.254 - the firewall) despite the default gateway being the L3 switch. The machine has no special public addresses bound to its adapters and it is behind a NAT SPI firewall. Only ports TCP/80, TCP/443, and TCP/21 are open to the world. Of course, my first thoughts prompted a changing of my pants, but after perusing the server logs, these IP addresses were exercising normal activity. How would these get added and why would they be there? Could this be suspicious activity? If it is malicious, how could someone add routing table entries from the ports that are open? Am I overlooking something obvious?

  • Re: Routing Table Quandary

    02-12-2008, 10:47 AM
    • NetTecture
    • Joined on 02-12-2008, 3:20 AM
    • Posts 88

    Maybe your server is running routing software? RRAS has OSPF and RIP, and if there are instructions in the net (from the switches) this could be automatically added.

    In general your upstream provider should filter private addresses out anyway, and your firewall should too, so the impact should be limited.

    I would check RRAS for routing protocols. Maybe your administration of the L3 switch got the switch to turn out RIP packets, and your server is listening to them.
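Both posts turn on the same question: which entries in a `route print` table are out of place for a host that should only know its own subnet and the default gateway? The script below is an added example, written for this thread and not code from either poster or from Microsoft. It parses the routing table exactly as pasted in the question (the table is embedded as the sample input) and flags two things the original poster noticed by eye: /32 host routes to addresses outside RFC 1918 and other special ranges, and routes whose next hop is not the default gateway. The list of "special" ranges and the rule that a route is suspicious when its gateway differs from the default are assumptions of this example, not properties of Windows; on a server that legitimately runs RRAS with RIP or OSPF, as the reply suggests, the flagged entries are the ones to compare against the routing protocol configuration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Routing table as pasted in the question above (private space already
# rewritten by the poster); used here as the sample input for the parser.
SAMPLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.200.0.1       10.200.70.1     10
       10.200.0.0      255.255.0.0       10.200.70.1       10.200.70.1     10
      10.200.70.1  255.255.255.255        127.0.0.1        127.0.0.1     10
     10.200.70.10  255.255.255.255        127.0.0.1        127.0.0.1     10
     10.200.70.15  255.255.255.255        127.0.0.1        127.0.0.1     10
     10.200.70.20  255.255.255.255        127.0.0.1        127.0.0.1     10
     10.200.70.25  255.255.255.255        127.0.0.1        127.0.0.1     10
     10.200.70.26  255.255.255.255        127.0.0.1        127.0.0.1     10
     10.200.70.27  255.255.255.255        127.0.0.1        127.0.0.1     10
   10.255.255.255  255.255.255.255       10.200.70.1       10.200.70.1     10
    85.198.62.149  255.255.255.255        10.200.0.1       10.200.70.1     10
     86.108.68.98  255.255.255.255        10.200.0.1       10.200.70.1     10
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
    203.162.71.30  255.255.255.255      10.200.0.254       10.200.70.1      1
        224.0.0.0        240.0.0.0       10.200.70.1       10.200.70.1     10
  255.255.255.255  255.255.255.255       10.200.70.1       10.200.70.1      1
Default Gateway:         10.200.0.1
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# One data row: destination, netmask, gateway, interface, metric.
ROUTE_RE = re.compile(rf"^\s*({IPV4})\s+({IPV4})\s+({IPV4})\s+({IPV4})\s+(\d+)\s*$")
DEFAULT_GW_RE = re.compile(rf"^\s*Default Gateway:\s+({IPV4})")

# Assumption of this example: destinations inside these ranges are never
# treated as "public" host routes (RFC 1918, loopback, link-local,
# multicast, limited broadcast, "this network").
SPECIAL_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32",
)]


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Address
    mask: ipaddress.IPv4Address
    gateway: ipaddress.IPv4Address
    interface: ipaddress.IPv4Address
    metric: int

    @property
    def network(self) -> ipaddress.IPv4Network:
        # ipaddress accepts the "address/dotted-mask" form used by route print.
        return ipaddress.ip_network(f"{self.dest}/{self.mask}", strict=False)


def parse_route_print(text: str):
    """Return (routes, default_gateway) from Windows `route print` output."""
    routes, default_gw = [], None
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            dest, mask, gw, itf, metric = m.groups()
            routes.append(Route(ipaddress.ip_address(dest), ipaddress.ip_address(mask),
                                ipaddress.ip_address(gw), ipaddress.ip_address(itf),
                                int(metric)))
            continue
        m = DEFAULT_GW_RE.match(line)
        if m:
            default_gw = ipaddress.ip_address(m.group(1))
    return routes, default_gw


def is_special(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in SPECIAL_RANGES)


def audit_routes(routes, default_gw):
    """Return [(network, reason)] for routes a plain web server should not need."""
    findings = []
    for r in routes:
        net = r.network
        # On-link routes (gateway == interface) and loopback-bound host routes
        # are what Windows installs for its own addresses; skip them.
        if r.gateway == r.interface or r.gateway.is_loopback:
            continue
        if net.prefixlen == 0:
            continue  # the default route itself
        reasons = []
        if net.prefixlen == 32 and not is_special(r.dest):
            reasons.append("host route to a public address")
        if default_gw is not None and r.gateway != default_gw:
            reasons.append(f"gateway {r.gateway} is not the default gateway {default_gw}")
        if reasons:
            findings.append((str(net), "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for net, why in audit_routes(*parse_route_print(SAMPLE)):
        print(f"{net:20} {why}")
```

Run against the pasted table it reports the three public /32 routes, with 203.162.71.30/32 additionally marked because it points at the firewall (10.200.0.254) rather than the L3 switch. To use it on a live box, pipe `route print` from the server into the script in place of `SAMPLE`; a route that RRAS learned from RIP or OSPF will show up here just like a manually added one, so the next step is the one the reply recommends, checking whether RRAS and a routing protocol are actually enabled.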

Microsoft Communities