Solved

We are running into a problem where client computers are showing an incorrect DHCP server in their IP configuration.

Posted on 2009-02-20
Medium Priority
4,143 Views
Last Modified: 2012-06-27
Our network has a DHCP server at address 10.0.2.1. Clients that have not rebooted in the last 24 hours are showing the proper DHCP and DNS servers in their IP config. But, on a system that was rebooted, it is showing up with a DHCP server of 10.0.2.252 (our WAN network router). Qwest is assuring us that there are no DHCP settings on their router.
They are also getting DNS server information for addresses outside our network:
64.86.133.51 and 63.243.173.162
A ping or HTTP connection shows the device as our Qwest Adtran router as expected.

Our internet router is showing some log entries:
Deny IP spoof From (10.0.2.255) to 63.243.133.51 on interface inside

How can I determine where the client computers are getting the incorrect DHCP server?
0
16 Comments
 
LVL 15

Expert Comment

by:wantabe2
ID: 23697315
Are 64.86.133.51 and 63.243.173.162 Qwest DNS servers?
0
 
LVL 47

Assisted Solution

by:Donald Stewart
Donald Stewart earned 200 total points
ID: 23697316
Try
 
Dhcploc.exe is a command-line tool that is part of the Windows Support
Tools found in the \Support\Tools folder on your Windows XP product CD
and it can be used to display all DHCP servers that are active on the
local subnet. Dhcploc.exe has been around since Windows NT 4.0 and it
works by sending out DHCPREQUEST messages and displaying the IP
addresses of the DHCP servers that responded with DHCPACK. You can find
the syntax of this tool in the Help file that is installed when you
install the Support Tools on your machine.

http://www.microsoft.com/downloads/details.aspx?FamilyId=49AE8576-9BB9-4126-9761-BA8011FABF38&displaylang=en 
0
 

Author Comment

by:nwarchco
ID: 23697325
Those addresses are not from Qwest. One comes from Teleglobe somewhere in Canada and the other from New Jersey. I'm in Seattle, WA.

I'll check Dhcploc.exe.
0
 
LVL 15

Expert Comment

by:wantabe2
ID: 23697332
Yes & if the results come back showing the router is handing out leases, I'd call Qwest & go up the food chain if you know what I mean. They seem to fix problems faster when you mention billing them for downtime :)
0
 
LVL 15

Expert Comment

by:wantabe2
ID: 23697345
Dhcploc.exe should show you what's out there. Would it be possible to say someone may have brought up a wireless router on your LAN? If so, you can download & run NetStumbler to track it down.

www.netstumbler.com
0
 

Expert Comment

by:jpflug
ID: 23703458
Oddly enough, my company is experiencing the exact same thing. We traced the DHCP server using Wireshark to a PC on one of our subnets that appears to be offering unauthorized DHCP responses. Googling the IP addresses of the DNS servers, 64.86.133.51 and 63.243.173.162, reveals only this experts-exchange site and this one topic. I haven't found it anywhere else, but it stinks of malware. Currently we've disabled the PC.
0
 

Expert Comment

by:tomsyr
ID: 23711923
I'm experiencing the same problem on one of my subnets. We are starting to think it's malware - a handful of PCs were having this problem - now it is just one.
I was able to find additional info on the IP by going to:
http://www.ip-adress.com/reverse_ip/64.86.133.51 - not too helpful yet.
0
 

Author Comment

by:nwarchco
ID: 23712399
I was able to trace down some information through our router.
We were getting several "spoofed" IP address attempts through our router.
>Deny IP spoof from (10.0.2.255) to 64.86.133.51 on interface inside
The spoofs were coming on the inside of our router linking to the addresses listed above.
One listed address was from an old subnet for our electrical department.
>Deny IP spoof from (10.0.2.255) to 10.0.3.3 on interface inside
I ran tracert on the IPs and found a link to one of the PCs in our electrical department as well.
When we shut down that machine, other PCs were getting the correct DHCP and DNS server information.
When we had it turned on, a test PC would get the incorrect DHCP server listed and DNS servers listed above.

It appears the user has a program that allows his PDA to connect through his PC. We are working with him now to remove the program and restore order in our network.

0
 

Assisted Solution

by:ra9718
ra9718 earned 600 total points
ID: 23718079
You may also want to check out the flush.m virus.  It has a similar behavior and can be difficult to find.

http://www.experts-exchange.com/Microsoft/Server_Applications/Q_24163597.html
0
 

Assisted Solution

by:RedLancer
RedLancer earned 400 total points
ID: 23718656
We have just isolated a workstation on one vlan that is infected with a derivative of W32.Tidserv.  Symptoms are as you describe and only a Wireshark capture found the ip address of the infected machine that was responding to DHCP requests.  Worm detail can be found here : http://www.symantec.com/security_response/writeup.jsp?docid=2008-121016-4048-99&tabid=2 

Its main function appears to be misdirection. I am having all my affected users review their internet banking etc. and change passwords as a precaution. The compromised machine, being local on the vlan, would respond to DHCP requests with the correct default gateway and subnet mask, it would return the ip address you last used ... but give its selected DNS entries instead. Which means when you go to google ... the address returned from one of these DNS servers is NOT google after all. Just imagine going to "myInternetBanking" site and getting your credentials recorded.

As I say this appears to be a "clone" of the original as we run up-to-date AV and only a couple of the multitude of files were isolated. (The autorun.inf file that points to the .com file in Recycler was left ... as were a number of hidden dlls.)
I note also that Symantec treats this as "Risk level 1 - Very Low" - I assume from the fact that it travels by removable media.

0
 

Assisted Solution

by:ra9718
ra9718 earned 600 total points
ID: 23720488
I posted the wrong link to the virus: http://technofriends.in/2009/02/09/flushm-trojan-can-fake-dhcp-server/

What we were seeing is users would get DHCP IP addresses, but they were handed out by the infected machine and the DNS servers would be set to: 64.86.133.51 and 63.243.173.162. When doing an ipconfig /all the DHCP server would show as different addresses, sometimes the default gateway.
0
 

Expert Comment

by:UKCougar
ID: 23734042
I work for an IT company, one of our customers has the same issue.

They logged a call because their users were getting incorrect IP addresses via DHCP.  The (NT4!) DHCP server had an erroneous entry in the scope which we cleaned up, but the problem persisted.  On checking the clients, they're showing the DHCP Server as the IP address of the router and the exact same DNS entries as the original poster here.  

Whether the Scope issue was related or a just big coincidence I can't tell, but it might be worth checking.
0
 
LVL 1

Expert Comment

by:PatrickPinto
ID: 23735787
I'm having the same issue...happening to several machines. The DHCP server shows the IP of the router and the same DNS entries as listed above.
0
 

Accepted Solution

by:nwarchco
nwarchco earned 0 total points
ID: 23737098
We have found similar conditions for the Flush.M infection on the culprit computer. But I have not found a way to identify or remove the virus. We pulled the hard drive and reimaged the system so the user could get back to work.

How we found the culprit: After seeing the spoof denials in our router I ran a tracert on all IPs that were listed.
64.86.133.51
63.243.173.162
10.0.3.3
When I ran a tracert on 10.0.2.255 it listed the IP of one of our machines in the route.
I matched the IP to the computer name and we investigated.
When the machine was active, other machines would get the wrong DHCP/DNS information.
When it was off, other machines received the proper DHCP/DNS information.

The client machines would get the 64.86.133.51 and 63.243.173.162 addresses for DNS.

The infected machine would get the IPs listed in the Flush.M link information. 85.255.112.36 or 85.255.112.41 (or close to these)

We will try the instructions from the Symantec post on the pulled hard drive in a test system to see if we can remove the threat.
0
 
LVL 1

Expert Comment

by:PatrickPinto
ID: 23737139
Ok here is some more info. DHCPlocator was a great utility. Basically I ran it on my laptop since I was on the subnet having the issue. The syntax was as such:

dhcploc /p 10.1.15.90 10.1.20.3

The first IP is the IP address of your NIC and the second is the IP of your valid DHCP server ...this is put in there so it ignores your valid DHCP server.

as soon as I ran it I did an ip release and renew and I got the following output

13:11:38    OFFER (IP)10.1.15.90      (S)10.1.15.1       (S1)10.1.15.103     ***

13:11:38      ACK (IP)10.1.15.90      (S)10.1.15.1       (S1)10.1.15.103     ***

The *** represent an unauthorized DHCP server. We were able to track down the PC and take it offline. Everything has been fine since. I am going to investigate the PC and will report on what was running on the machine that may have caused this.

Thanks to dstewartjr for making the recommendation about using dhcploc. I have vista but I just copied the dhcploc.exe file from a windows 2003 box and ran it on my vista machine just fine.

Thanks.

Patrick
0
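The checks that dhcploc (recommended above by Donald Stewart and run by Patrick) and the Wireshark captures in this thread perform can be reproduced offline over captured DHCP traffic. The following is an added example, not code from the original thread or from dhcploc itself: it parses the BOOTP header and the DHCP options that matter here (message type, server identifier, router, DNS), flags every OFFER/ACK whose server identifier is not on an allow-list, and separately flags a server identifier that does not match the host that actually sent the frame, which is how a machine impersonating the router's address is still traced back to its own IP. The allow-list entry 10.0.2.1, the rogue sender 10.0.2.77 and the sample frames are constructed assumptions; the router and DNS addresses are the ones reported in the thread.

```python
import ipaddress
from typing import Dict, List, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
# Assumed allow-list: the thread's legitimate DHCP server is 10.0.2.1.
AUTHORIZED_SERVERS = {"10.0.2.1"}

def _ip4(b: bytes) -> str:
    return str(ipaddress.IPv4Address(bytes(b)))

def parse_dhcp(payload: bytes) -> Dict:
    """Parse the BOOTP fixed header plus DHCP options 53, 54, 3 and 6."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    info = {"op": payload[0], "yiaddr": _ip4(payload[16:20]),
            "msg_type": None, "server_id": None, "router": None, "dns": []}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # PAD option, no length byte
            i += 1
            continue
        if code == 255:          # END option
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        if code == 53 and length == 1:
            info["msg_type"] = MSG_TYPES.get(value[0], f"type{value[0]}")
        elif code == 54 and length == 4:
            info["server_id"] = _ip4(value)
        elif code == 3 and length >= 4:
            info["router"] = _ip4(value[:4])
        elif code == 6 and length % 4 == 0:
            info["dns"] = [_ip4(value[j:j + 4]) for j in range(0, length, 4)]
        i += 2 + length
    return info

def classify(frames: List[Tuple[str, bytes]], authorized=AUTHORIZED_SERVERS) -> List[Dict]:
    """frames are (IP-header source, DHCP payload) pairs from a capture.
    One finding per OFFER/ACK: the advertised server id is checked against the
    allow-list and against the host that actually sent the frame."""
    findings = []
    for src_ip, payload in frames:
        d = parse_dhcp(payload)
        if d["msg_type"] not in ("OFFER", "ACK"):
            continue
        reasons = []
        if d["server_id"] not in authorized:
            reasons.append("server identifier not in allow-list")
        if d["server_id"] != src_ip:
            reasons.append("server identifier differs from sending host")
        findings.append({"msg_type": d["msg_type"], "src_ip": src_ip,
                         "server_id": d["server_id"], "router": d["router"],
                         "dns": d["dns"], "reasons": reasons,
                         "verdict": "ROGUE" if reasons else "ok"})
    return findings

def build_reply(msg_type: int, yiaddr: str, server_id: str, router: str, dns: List[str]) -> bytes:
    """Build a minimal BOOTREPLY; used only to construct the sample capture."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = 2, 1, 6     # BOOTREPLY, htype Ethernet, hlen 6
    hdr[16:20] = ipaddress.IPv4Address(yiaddr).packed
    opts = bytes([53, 1, msg_type])
    opts += bytes([54, 4]) + ipaddress.IPv4Address(server_id).packed
    opts += bytes([3, 4]) + ipaddress.IPv4Address(router).packed
    opts += bytes([6, 4 * len(dns)]) + b"".join(ipaddress.IPv4Address(a).packed for a in dns)
    return bytes(hdr) + MAGIC_COOKIE + opts + b"\xff"

# Constructed sample capture: an honest OFFER from the real server, then an
# OFFER/ACK pair sent by 10.0.2.77 (hypothetical infected host) that names the
# WAN router 10.0.2.252 as server identifier and pushes the two foreign DNS addresses.
ROGUE_DNS = ["64.86.133.51", "63.243.173.162"]
SAMPLE_FRAMES = [
    ("10.0.2.1", build_reply(2, "10.0.2.50", "10.0.2.1", "10.0.2.252", ["10.0.2.1"])),
    ("10.0.2.77", build_reply(2, "10.0.2.50", "10.0.2.252", "10.0.2.252", ROGUE_DNS)),
    ("10.0.2.77", build_reply(5, "10.0.2.50", "10.0.2.252", "10.0.2.252", ROGUE_DNS)),
]

def rogue_hosts(frames=SAMPLE_FRAMES) -> Dict[str, List[str]]:
    """Map each sending host with a ROGUE verdict to the DNS servers it handed out."""
    out: Dict[str, List[str]] = {}
    for f in classify(frames):
        if f["verdict"] == "ROGUE":
            out.setdefault(f["src_ip"], f["dns"])
    return out

if __name__ == "__main__":
    for f in classify(SAMPLE_FRAMES):
        print(f"{f['msg_type']:5} from {f['src_ip']:10} server-id {f['server_id']:10} "
              f"dns {','.join(f['dns'])} -> {f['verdict']} {'; '.join(f['reasons'])}")
```

The server-identifier option is written by whoever sends the reply, so on its own it only tells you what the rogue wants ipconfig to display (here the router's address); the IP-header source of the frame, which a capture tool like Wireshark records and which the second check uses, is what identifies the machine to pull off the network.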
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 23737301
You're welcome, glad to get it sorted out for you.
0
