HCSB
How can I find a rogue DHCP server?
I have figured out that it is the trojanflush.m virus/malware that is causing this. It gives the machines a 1 hour lease time and gives you bogus DNS addresses. The site that is affected has around 400 computers, so it's like finding a needle in a haystack. Any help would be greatly appreciated.
Where is your DNS normally pointed to? If your server is controlling DNS, I would have thought you could set up the perimeter firewall to block all DNS requests from all PCs except for the server. All PCs that have been zombied would try to connect to the rogue DNS address but would be barred by the perimeter firewall, so it is immediately obvious which PCs are affected.
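The approach above turns the perimeter firewall into a detector: once outbound DNS is only permitted from the real DNS server, every drop of port 53 traffic from another source identifies an infected client. The following is an added example (not part of this thread) that runs that logic over a few constructed iptables-style drop log lines; the log format, the source/destination addresses and the authorized resolver address are assumptions for illustration.

```python
import re
from collections import defaultdict

# Assumed: the one host allowed to send DNS out through the firewall.
AUTHORIZED_RESOLVER = "10.0.0.5"

# Constructed sample firewall log lines (iptables LOG style); not real data.
SAMPLE_LOG = """\
Mar 10 09:12:01 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.3.41 DST=203.0.113.10 PROTO=UDP SPT=51234 DPT=53
Mar 10 09:12:03 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.53 PROTO=UDP SPT=40001 DPT=53
Mar 10 09:12:05 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.3.41 DST=203.0.113.11 PROTO=UDP SPT=51235 DPT=53
Mar 10 09:12:09 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.7.12 DST=203.0.113.10 PROTO=UDP SPT=60010 DPT=53
Mar 10 09:12:11 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.2.99 DST=192.0.2.80 PROTO=TCP SPT=52000 DPT=80
Mar 10 09:12:15 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.3.41 DST=203.0.113.10 PROTO=UDP SPT=51236 DPT=53
"""

LOG_RE = re.compile(
    r"(?P<action>DROP|ACCEPT) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dport>\d+)"
)


def dns_offenders(log_text: str) -> dict:
    """Return {client_ip: {resolver_ip: drop_count}} for hosts whose DNS
    traffic was dropped, i.e. hosts that are using a resolver the firewall
    does not allow. Only port 53 drops from non-authorized sources count."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # unrelated or malformed line
        if m["action"] != "DROP" or m["dport"] != "53":
            continue  # permitted traffic or not DNS
        if m["src"] == AUTHORIZED_RESOLVER:
            continue  # the real server is allowed to talk DNS outbound
        hits[m["src"]][m["dst"]] += 1
    # Freeze into plain dicts so callers get a stable, printable result.
    return {src: dict(dsts) for src, dsts in hits.items()}


def bogus_resolvers(offenders: dict) -> set:
    """The set of resolver addresses the affected clients were pushed to;
    these are the DNS values the rogue DHCP server hands out."""
    return {dst for dsts in offenders.values() for dst in dsts}


if __name__ == "__main__":
    found = dns_offenders(SAMPLE_LOG)
    for client, dsts in sorted(found.items()):
        print(f"{client}: {sum(dsts.values())} blocked DNS queries -> {sorted(dsts)}")
    print("bogus resolvers seen:", sorted(bogus_resolvers(found)))
```

Feeding the real firewall's drop log through `dns_offenders` gives the list of clients to clean, and the resolver set is the quickest fingerprint for confirming that a newly found machine is carrying the same infection.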
You can always use Ethereal to capture the data packets and analyze them afterwards.
You can also be sure that rogue DHCP servers are not operating in your network if you enable DHCP snooping on your switches.
Cisco supports the feature. It is possible that other vendors will also have DHCP snooping support.
Dimitris
ASKER
All switches except for one building are managed Cisco switches. The only problem is they're all out of date, so in order to use DHCP snooping we would need to update all the switches; we checked and our current version doesn't support it.
The DNS addresses it uses were already blocked by our firewall, so we know which ones are getting the bogus address; the problem is finding the machine that is handing them out.
Hi
try using dhcploc.exe
http://www.microsoft.com/downloads/details.aspx?FamilyId=49AE8576-9BB9-4126-9761-BA8011FABF38&displaylang=en
http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/AdminTips/DHCPandDNS/UsingtheDHCPLOCUtility.html
This will give you the IP address of the server; then run NBTSTAT -A [IPADDRESS].
If you don't recognize the name, do the following:
On your switches
check which port that MAC is on
via
show ip arp [ip-address]
or
show ip arp
Happy hunting
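dhcploc.exe works by listening for DHCP offers and reporting any server that is not on its authorized list. The block below is an added example, not part of this thread or of the dhcploc tool, that implements the same idea in Python: it parses a raw DHCP packet (BOOTP header, magic cookie, TLV options) and flags an OFFER whose server identifier (option 54), DNS servers (option 6) or lease time (option 51) do not match site policy. The authorized server and resolver addresses, the sample packets and the one-hour lease threshold are assumptions constructed for illustration.

```python
import struct
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_DNS, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 6, 51, 53, 54, 255
DHCPOFFER = 2

# Assumed site policy (constructed for this example).
AUTHORIZED_DHCP_SERVERS = {"10.0.0.5"}
AUTHORIZED_DNS_SERVERS = {"10.0.0.5", "10.0.0.6"}
SUSPICIOUS_LEASE_SECS = 3600  # the thread's malware hands out 1 hour leases


def parse_dhcp(payload: bytes) -> dict:
    """Decode the fixed BOOTP header and the options we care about."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    yiaddr = str(ipaddress.IPv4Address(payload[16:20]))
    chaddr = payload[28:28 + hlen].hex(":")
    raw = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = payload[i + 1]
        raw[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    dns_bytes = raw.get(OPT_DNS, b"")
    return {
        "op": op, "xid": xid, "client_mac": chaddr, "offered_ip": yiaddr,
        "message_type": raw[OPT_MSG_TYPE][0] if OPT_MSG_TYPE in raw else None,
        "server_id": str(ipaddress.IPv4Address(raw[OPT_SERVER_ID])) if OPT_SERVER_ID in raw else None,
        "lease": struct.unpack("!I", raw[OPT_LEASE])[0] if OPT_LEASE in raw else None,
        "dns": [str(ipaddress.IPv4Address(dns_bytes[j:j + 4])) for j in range(0, len(dns_bytes) - 3, 4)],
    }


def assess_offer(pkt: dict) -> list:
    """Return the policy violations found in a parsed DHCPOFFER ([] if clean)."""
    findings = []
    if pkt["message_type"] != DHCPOFFER:
        return findings  # only offers identify a server
    if pkt["server_id"] not in AUTHORIZED_DHCP_SERVERS:
        findings.append(f"unauthorized DHCP server {pkt['server_id']}")
    for d in pkt["dns"]:
        if d not in AUTHORIZED_DNS_SERVERS:
            findings.append(f"unexpected DNS server {d}")
    if pkt["lease"] is not None and pkt["lease"] <= SUSPICIOUS_LEASE_SECS:
        findings.append(f"short lease {pkt['lease']}s")
    return findings


def build_offer(server_ip, your_ip, dns_ips, lease_secs, client_mac) -> bytes:
    """Construct a minimal DHCPOFFER for testing (sample data, not captured traffic)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x12345678, 0, 0)
    hdr += b"\x00" * 4                                   # ciaddr
    hdr += ipaddress.IPv4Address(your_ip).packed         # yiaddr
    hdr += ipaddress.IPv4Address(server_ip).packed       # siaddr
    hdr += b"\x00" * 4                                   # giaddr
    hdr += bytes.fromhex(client_mac.replace(":", "")) + b"\x00" * 10  # chaddr (16 bytes)
    hdr += b"\x00" * 64 + b"\x00" * 128                  # sname, file
    dns = b"".join(ipaddress.IPv4Address(d).packed for d in dns_ips)
    opts = bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
    opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_ip).packed
    opts += bytes([OPT_LEASE, 4]) + struct.pack("!I", lease_secs)
    opts += bytes([OPT_DNS, len(dns)]) + dns + bytes([OPT_END])
    return hdr + MAGIC_COOKIE + opts


ROGUE_OFFER = build_offer("10.0.0.77", "10.0.3.41", ["203.0.113.10"], 3600, "00:11:22:33:44:55")
GOOD_OFFER = build_offer("10.0.0.5", "10.0.3.41", ["10.0.0.5", "10.0.0.6"], 86400, "00:11:22:33:44:55")

if __name__ == "__main__":
    for name, raw in (("rogue", ROGUE_OFFER), ("good", GOOD_OFFER)):
        pkt = parse_dhcp(raw)
        print(name, pkt["server_id"], pkt["dns"], pkt["lease"], assess_offer(pkt) or "OK")
```

In practice the payload would come from a UDP socket bound to port 68 (or from a capture tool such as Ethereal) on a host in the affected VLAN; the server identifier reported for a rogue offer is the address to chase down on the switches.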
Are your switches Managed? Can you tie a MAC address to a Port?
Or if it's a windows network, and you have the MAC it is possible to remotely check the MAC address on each client remotely (using WMI and a bit of scripting).
Chris
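Both this answer and the earlier one come down to the same lookup: take the rogue server's IP, resolve it to a MAC via `show ip arp`, then find that MAC in the switch's MAC address table to get the physical port. The following is an added example (not code from this thread) that automates that join over pasted Cisco IOS output; the command output, addresses and port names are constructed samples, and the column layout is assumed to match the usual IOS format.

```python
import re

# Constructed sample output of "show ip arp" on the VLAN gateway.
ARP_OUTPUT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.77               3   0011.2233.4455  ARPA   Vlan10
Internet  10.0.0.5                -   0011.2233.aabb  ARPA   Vlan10
Internet  10.0.3.41              12   0011.2233.cc01  ARPA   Vlan10
"""

# Constructed sample output of "show mac address-table" on an access switch.
MAC_TABLE_OUTPUT = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Fa0/17
  10    0011.2233.aabb    DYNAMIC     Gi0/1
  10    0011.2233.cc01    DYNAMIC     Fa0/3
Total Mac Addresses for this criterion: 3
"""

# Assumed: ports that lead to other switches rather than to end hosts.
UPLINK_PORTS = {"Gi0/1"}

ARP_RE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(\S+)", re.I)
MAC_RE = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.I)


def normalize_mac(mac: str) -> str:
    """Cisco dotted (0011.2233.4455) or colon form -> lowercase 00:11:22:33:44:55."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_arp(text: str) -> dict:
    """{ip: mac} from 'show ip arp' output."""
    table = {}
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            table[m.group(1)] = normalize_mac(m.group(2))
    return table


def parse_mac_table(text: str) -> dict:
    """{mac: (vlan, port)} from 'show mac address-table' output."""
    table = {}
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m:
            table[normalize_mac(m.group(2))] = (int(m.group(1)), m.group(3))
    return table


def locate(ip: str, arp: dict, mac_table: dict) -> dict:
    """Join the two tables for one IP. 'next_hop' is True when the port is an
    uplink, meaning the host sits behind another switch and the MAC lookup
    must be repeated there."""
    mac = arp.get(ip)
    if mac is None:
        return {"ip": ip, "mac": None, "port": None, "next_hop": False}
    entry = mac_table.get(mac)
    if entry is None:
        return {"ip": ip, "mac": mac, "port": None, "next_hop": False}
    vlan, port = entry
    return {"ip": ip, "mac": mac, "vlan": vlan, "port": port, "next_hop": port in UPLINK_PORTS}


if __name__ == "__main__":
    arp, macs = parse_arp(ARP_OUTPUT), parse_mac_table(MAC_TABLE_OUTPUT)
    for ip in ("10.0.0.77", "10.0.0.5", "10.0.9.9"):
        print(locate(ip, arp, macs))
```

Run it with the real command output pasted into the two strings; when the result says `next_hop`, collect `show mac address-table` from the switch on the far end of that uplink and repeat until the MAC lands on an access port.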