nwarchco asked:
We are running into a problem where client computers are showing an incorrect DHCP server in their IP configuration.

Our network has a DHCP server at address 10.0.2.1. Clients that have not rebooted in the last 24 hours are showing the proper DHCP and DNS servers in their IP config. But, on a system that was rebooted, it is showing up with a DHCP server of 10.0.2.252 (our WAN network router). Qwest is assuring us that there are no DHCP settings on their router.
They are also getting DNS server information for addresses outside our network:
64.86.133.51 and 63.243.173.162
A ping or HTTP connection shows the device as our Qwest Adtran router as expected.

Our internet router is showing some log entries:
Deny IP spoof From (10.0.2.255) to 63.243.133.51 on iterface inside

How can I determine where the client computers are getting the incorrect DHCP server?

wantabe2:
Are 64.86.133.51 and 63.243.173.162 Qwest DNS servers?
nwarchco (asker):

Those addresses are not from Qwest. One comes from Teleglobe somewhere in Canada and the other from New Jersey. I'm in Seattle, WA.

I'll check Dhcploc.exe.
Yes, and if the results come back showing the router is handing out leases, I'd call Qwest and go up the food chain if you know what I mean. They seem to fix problems faster when you mention billing them for downtime :)
Dhcploc.exe should show you what's out there. Would it be possible that someone may have brought up a wireless router on your LAN? If so, you can download and run NetStumbler to track it down:

www.netstumbler.com
Oddly enough, my company is experiencing the exact same thing. We traced the DHCP server using Wireshark to a PC on one of our subnets that appears to be offering unauthorized DHCP responses. Googling the IP addresses of the DNS servers, 64.86.133.51 and 63.243.173.162, reveals only this experts-exchange site and this one topic. I haven't found it anywhere else, but it stinks of malware. Currently we've disabled the PC.
I'm experiencing the same problem on one of my subnets. We are starting to think it's malware - a handful of PCs were having this problem - now it is just one.
I was able to find additional info on the IP by going to:
http://www.ip-adress.com/reverse_ip/64.86.133.51 - not too helpful yet.
I was able to trace down some information through our router.
We were getting several "spoofed" IP address attempts through our router:
>Deny IP spoof from (10.0.2.255) to 64.86.133.51 on interface inside
The spoofs were coming from the inside of our router, linking to the addresses listed above.
One listed address was from an old subnet for our electrical department:
>Deny IP spoof from (10.0.2.255) to 10.0.3.3 on interface inside
I ran tracert on the IPs and found a link to one of the PCs in our electrical department as well.
When we shut down that machine, other PCs were getting the correct DHCP and DNS server information.
When we had it turned on, a test PC would get the incorrect DHCP server listed and the DNS servers listed above.

It appears the user has a program that allows his PDA to connect through his PC. We are working with him now to remove the program and restore order in our network.

I work for an IT company, one of our customers has the same issue.

They logged a call because their users were getting incorrect IP addresses via DHCP. The (NT4!) DHCP server had an erroneous entry in the scope which we cleaned up, but the problem persisted. On checking the clients, they're showing the DHCP server as the IP address of the router and the exact same DNS entries as the original poster here.

Whether the scope issue was related or just a big coincidence I can't tell, but it might be worth checking.
I'm having the same issue... happening to several machines. The DHCP server shows the IP of the router and the same DNS entries as listed above.
OK, here is some more info. DHCPlocator was a great utility. Basically I ran it on my laptop since I was on the subnet having the issue. The syntax was as such:

dhcploc /p 10.1.15.90 10.1.20.3

The first IP is the IP address of your NIC and the second is the IP of your valid DHCP server... this is put in there so it ignores your valid DHCP server.

As soon as I ran it I did an IP release and renew and I got the following output:

13:11:38    OFFER (IP)10.1.15.90      (S)10.1.15.1       (S1)10.1.15.103     ***

13:11:38      ACK (IP)10.1.15.90      (S)10.1.15.1       (S1)10.1.15.103     ***

The *** represent an unauthorized DHCP server. We were able to track down the PC and take it offline. Everything has been fine since. I am going to investigate the PC and will report on what was running on the machine that may have caused this.

Thanks to dstewartjr for making the recommendation about using dhcploc. I have Vista but I just copied the dhcploc.exe file from a Windows 2003 box and ran it on my Vista machine just fine.

Thanks.

Patrick
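The dhcploc output quoted above is easy to eyeball once, but on a busy subnet you want the offers parsed and every server address compared against a list you control rather than trusting the *** marker alone. The script below is an added example (not part of this thread and not a Microsoft tool): it parses lines in the OFFER/ACK/NAK format shown above, counts every DHCP message whose server address is not in an authorized list, and reports the rogue addresses so they can be traced to a switch port. The sample output is constructed, the authorized list is the 10.1.20.3 server named in the post, and the reading of the (S) column as the packet source and (S1) as the server-identifier option is my assumption; check it against your own dhcploc output.

```python
import re
from collections import defaultdict

# Authorized DHCP server(s) for this subnet (taken from the post above).
AUTHORIZED = ["10.1.20.3"]

# Constructed sample in the layout dhcploc printed above. The trailing ***
# is dhcploc's own flag for a server it was not told about. The third line
# is a normal offer from the real server, which must not be reported.
SAMPLE_OUTPUT = """\
13:11:38    OFFER (IP)10.1.15.90      (S)10.1.15.1       (S1)10.1.15.103     ***
13:11:38      ACK (IP)10.1.15.90      (S)10.1.15.1       (S1)10.1.15.103     ***
13:11:39    OFFER (IP)10.1.15.90      (S)10.1.20.3       (S1)10.1.20.3
13:11:40      NAK (IP)10.1.15.90      (S)10.1.15.1       (S1)10.1.15.103     ***
"""

# Assumed column meaning: (IP) offered client address, (S) source address of
# the packet, (S1) DHCP server-identifier option. Banner and blank lines
# simply fail to match and are skipped.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<msg>OFFER|ACK|NAK)\s+"
    r"\(IP\)(?P<ip>[\d.]+)\s+\(S\)(?P<server>[\d.]+)\s+\(S1\)(?P<sid>[\d.]+)"
    r"(?P<flag>\s+\*\*\*)?\s*$"
)


def parse_dhcploc(text):
    """Turn dhcploc output lines into a list of dicts, one per DHCP message."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append({
            "time": m["time"],
            "msg": m["msg"],
            "client_ip": m["ip"],
            "server": m["server"],
            "server_id": m["sid"],
            "flagged": m["flag"] is not None,  # dhcploc's own *** marker
        })
    return records


def rogue_servers(records, authorized):
    """Map each server address not in `authorized` to a count of message types.

    Both the packet source and the server-identifier are checked, because a
    rogue server can hand out an identifier that differs from its own address.
    """
    auth = set(authorized)
    report = defaultdict(lambda: defaultdict(int))
    for r in records:
        for addr in {r["server"], r["server_id"]}:
            if addr not in auth:
                report[addr][r["msg"]] += 1
    return {srv: dict(counts) for srv, counts in report.items()}


def summarize(report):
    """Render the rogue-server report as one line per address."""
    lines = []
    for srv in sorted(report):
        counts = ", ".join(f"{k}={v}" for k, v in sorted(report[srv].items()))
        lines.append(f"rogue DHCP server {srv}: {counts}")
    return lines


if __name__ == "__main__":
    recs = parse_dhcploc(SAMPLE_OUTPUT)
    for line in summarize(rogue_servers(recs, AUTHORIZED)):
        print(line)
```

Run it with `python rogue_dhcp.py < dhcploc.log` after replacing SAMPLE_OUTPUT with `sys.stdin.read()`; the two reported addresses (10.1.15.1 and 10.1.15.103) are the ones to look up in the switch MAC tables, exactly as Patrick did by hand. Once the machine is found, enabling DHCP snooping on the access switches (trusting only the port that leads to 10.1.20.3) stops a repeat from reaching clients at all.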
You're welcome, glad to get it sorted out for you.