ping resolves all host names on internal lan to an external ip: 126.96.36.199
Posted on 2007-08-01
I have a network with 15 client workstations - there is
a mix of XP, 2000 and Vista clients and one Windows 2003 Server. The
server is acting as Domain Controller and running terminal server, but is not acting as DNS server or
WINS Server. Most of the clients use Remote Desktop to access their
shared inventory/accounting app. In fact the clients are configured to join the workgroup,
not the domain, but everyone logs in as active users on the server. So really, the
server is not being completely used as a domain controller.
I have a linksys router and a static WAN ip address assigned by the cable internet
provider (68.xx.xx.xx). Almost all of the clients just use automatic dhcp addressing and get
their DNS server addresses from the router which is configured with the dns addresses
provided by Cox (cable/internet provider). A few of the machines have
statically assigned ip addresses (including the server).
All machines have ip addresses assigned in the range 192.168.1.xxx.
All of the machines simply use the DNS pulled from the router (the 68.xx.xx.xx number;
I can't remember it off the top of my head, that's why I'm not filling it in) OR, in the
case of the statically assigned machines, I used those same DNS addresses.
Of the 15 clients, 3 of them are having this identical problem - ONE of
those 3 is the server:
no matter what hostname you ping, it resolves to this ip address:
ping warranty - it returns 188.8.131.52
ping server - it returns 184.108.40.206 - ON ALL host names.
you get the picture.
ALL of the machines (including the 3 with the problem above) can get
on the internet AND the clients can use Remote Desktop. The two problem
machines must access the server through the ip address directly (rather
than the host name) - still almost everything functions correctly
except intermittent printer issues going through the remote desktop.
All of the other machines access the server using the host name.
I have tried various tactics to clear the arp cache, run nbtstat -RR,
flush the dns, etc. on these machines. This problem cropped up
about a month ago - on all 3 machines at once.
I have run virus checks AND root kit revealers - I haven't found anything
yet on these machines - I have run the microsoft root kit revealer
and I am not quite sure what I am looking for here - exactly, but
nothing seems totally off AND other brand root kit revealers show up
clean. After a bit of checking around, it started seeming
like I have some kind of arp cache poisoning or Man in the Middle issue
i.e. all of the traffic is going to some machine at that above IP
address before it comes back. While trying to troubleshoot this, I have also
replaced the router (this morning) - the old router had been occasionally
assigning duplicate ip addresses - so I figured it wouldn't hurt to replace
it anyhow. This required me to take down the entire network.
It also required Cox to flush the arp cache on their end to provision
the new router.
When this happened, I made sure that the other problem machines were
turned off and disconnected every switch, modem, etc.
When I rebooted the server, I also brought back up one of the problem
machines (and then the other) - but not the internet connection. When I ran the ping
INTERNALLY without an internet connection, everything pinged correctly
on all 3 machines - though the return on the ping was very slow.
It was only after I reinitiated the connection to the internet that
all 3 machines almost immediately started the same behavior (returning
220.127.116.11 as a response to a ping of any host name on the network).
On all 3 of these machines, I can go to Network Places and see
all of the host names of the computers on the network AND get into
the resources. The only real issues apparent to the end user
have to do with a printer that intermittently disconnects through
remote desktop and that I have to use the direct IP address to
access the server through remote desktop ONLY on the 2 problem machines.
This sounds like it has to be a trojan or something hacked into on
these computers, but I haven't found any virus program yet that has
identified any virus or malware.
Does this seem familiar to anyone? What else can I look for?
Thank you for your help!
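One way to triage the symptom described in the post (added example, not code from the original poster): paste the output of the `ping` commands run on each machine into a small Python script that flags every non-LAN address which several different internal host names resolved to. A LAN name should never resolve to a shared public address; when it does, the reply is coming from a resolver or a host outside the LAN, so the name lookup path, not the ARP table, is the first thing to examine. The ping transcript below is constructed with documentation addresses and is not the poster's data.

```python
import ipaddress
import re

# Constructed sample of Windows "ping <name>" output from one affected
# machine. 203.0.113.0/24 is a documentation range, not a real host.
SAMPLE_PING_OUTPUT = """
Pinging warranty [203.0.113.10] with 32 bytes of data:
Reply from 203.0.113.10: bytes=32 time=41ms TTL=52
Pinging server [203.0.113.10] with 32 bytes of data:
Reply from 203.0.113.10: bytes=32 time=40ms TTL=52
Pinging printer [192.168.1.50] with 32 bytes of data:
Reply from 192.168.1.50: bytes=32 time<1ms TTL=128
Pinging office2 [203.0.113.10] with 32 bytes of data:
Request timed out.
"""

# Only the "Pinging <name> [<ip>]" header line carries the resolver's answer.
PING_HEADER = re.compile(r"^Pinging (\S+) \[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Address ranges that legitimately appear on a 192.168.1.x style LAN.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]


def parse_ping_output(text: str) -> dict:
    """Map each pinged host name to the address it resolved to."""
    resolved = {}
    for line in text.splitlines():
        m = PING_HEADER.match(line.strip())
        if m:
            resolved[m.group(1).lower()] = m.group(2)
    return resolved


def is_lan_address(ip: str) -> bool:
    """True when the address belongs to one of the private/local ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETWORKS)


def find_collapsed_names(resolved: dict, min_names: int = 2) -> dict:
    """Return {public_ip: [names]} for each non-LAN address that at least
    min_names distinct internal names resolved to. That pattern points at
    a wildcard/NXDOMAIN-redirecting DNS answer, a poisoned resolver cache
    or an intercepting host rather than at a genuine LAN address."""
    by_ip = {}
    for name, ip in resolved.items():
        if not is_lan_address(ip):
            by_ip.setdefault(ip, []).append(name)
    return {ip: sorted(n) for ip, n in by_ip.items() if len(n) >= min_names}


if __name__ == "__main__":
    for ip, names in find_collapsed_names(parse_ping_output(SAMPLE_PING_OUTPUT)).items():
        print(f"{ip}: {len(names)} internal names resolve here -> {', '.join(names)}")
```

Run it separately against output captured with and without the internet link up, as the poster did, and compare which names collapse onto an outside address in each case.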