Solved

My DHCP table has begun receiving numerous entries that start with android-2222533a32d23.domain. We don't have any Androids in our environment. How can I stop these entries?

Posted on 2014-10-01
307 Views
Last Modified: 2014-10-20
My DHCP table has begun receiving numerous entries that start with android-2222533a32d23.domain. We don't have any Androids in our environment. How can I stop these entries? These entries are beginning to use up all of my DHCP addresses.

Event Viewer has a Warning that reads Scope, 10.xx.xx.0, is 82 percent full with only 64 IP addresses remaining.
0
Comment
Question by:Nellie Epps
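Before chasing the device physically, the lease table itself can be triaged. The Python below is an added example, not code from the question or from Experts Exchange: it runs over a constructed lease list (addresses, hostnames and MACs are made up; the page's own android- hostname is reused for one entry), flags hostnames of the android-<id> form the question describes, groups them by vendor OUI, derives the scope utilization figures the Event Viewer warning quotes, and lists leases that fall outside the scope's own subnet, which would indicate a second DHCP server. The scope subnet and size passed to the function are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of DHCP lease records as (ip, hostname, mac); the values
# are made up for this example. The page's own hostname is reused for the
# first android entry so the pattern match is visible.
SAMPLE_LEASES = [
    ("10.20.30.10", "fileserver01.corp.example", "00-11-22-33-44-01"),
    ("10.20.30.11", "ws-acct-07.corp.example", "00-11-22-33-44-02"),
    ("10.20.30.12", "android-2222533a32d23.corp.example", "A4-B5-C6-00-00-01"),
    ("10.20.30.13", "android-7f1e9c0b4d2a6e18.corp.example", "A4-B5-C6-00-00-02"),
    ("10.20.30.14", "android-3c9a1f0e5b7d2c44.corp.example", "D8-E9-F0-00-00-03"),
    ("10.20.30.15", "laptop-sales-03.corp.example", "00-11-22-33-44-05"),
    ("10.0.0.7", "android-0a1b2c3d4e5f6071.corp.example", "A4-B5-C6-00-00-04"),
]

# Android devices register a DHCP hostname of the form android-<hex id>.
ANDROID_HOSTNAME = re.compile(r"^android-[0-9a-f]+(\.|$)", re.IGNORECASE)


def triage_leases(leases, scope_cidr, scope_size):
    """Summarise a lease list in terms of the question's symptoms.

    scope_cidr : the scope's subnet, e.g. "10.20.30.0/24"
    scope_size : number of addresses the scope can hand out (the Event Viewer
                 warning quotes a percent-full figure and a remaining count,
                 so both are derived from it here)
    """
    scope = ipaddress.ip_network(scope_cidr)
    android, outside, ouis = [], [], Counter()
    for ip, hostname, mac in leases:
        if ipaddress.ip_address(ip) not in scope:
            # A lease outside the scope's own subnet was handed out by some
            # other DHCP server; list it separately.
            outside.append((ip, hostname))
            continue
        if ANDROID_HOSTNAME.match(hostname):
            android.append((ip, hostname, mac))
            ouis[mac.upper()[:8]] += 1   # first three octets = vendor OUI
    in_scope = len(leases) - len(outside)
    return {
        "percent_full": round(100 * in_scope / scope_size),
        "remaining": scope_size - in_scope,
        "android": android,
        "android_ouis": dict(ouis),   # one OUI dominating = one device family
        "outside_scope": outside,
    }
```

Deleting the leases, as the question later notes, only frees the address until the client renews; the OUI grouping is what tells you whether one device type is behind all the entries.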
34 Comments
 
LVL 34

Expert Comment

by:it_saige
ID: 40355729
Check to see if you have an open/unsecured Wireless Access Point.

-saige-
0
 

Author Comment

by:Nellie Epps
ID: 40355733
I have already checked and we don't.  That is why this is so puzzling.
0
 
LVL 34

Expert Comment

by:it_saige
ID: 40355744
Check your Wireless Access Point's client table (if it has one). See if you find any entries in there for Androids.

-saige-
0
 

Author Comment

by:Nellie Epps
ID: 40355753
Our wireless router uses 192.x.x.x addresses; these are 10.x.x.x addresses. The router doesn't have a client table.
0
 
LVL 27

Expert Comment

by:davorin
ID: 40355763
It has happened many times that people buy devices by themselves and connect them to the company network without any permission.
Try to scan for wireless networks with software like inSSIDer.
Well, actually you can just use a laptop and check for wireless networks that should not exist in your company.
0
 
LVL 28

Expert Comment

by:Dr. Klahn
ID: 40356041
Download a copy of Angry IP Scanner and scan both the 192 and 10 Class A blocks.  Check the device names against what is expected.

I think you'll find that davorin is right and somebody has installed a wireless device on your network without permission, and (knowing it's against company policy and a termination offense) hidden it so that you can't find it.

Angry IP Scanner
0
 

Author Comment

by:Nellie Epps
ID: 40356885
Okay. I ran Angry IP Scanner. Would 10.xx.xx.xxx  0.in-addr-arpa be the culprit? I am not sure what to look for.
0
 

Author Comment

by:Nellie Epps
ID: 40356901
I found another that could be suspect 192.168.xx.xxx   Hostname   )^SU
0
 
LVL 28

Expert Comment

by:Dr. Klahn
ID: 40356905
If you can post a screenshot it will be helpful as then we will be getting the information direct.  Anything ".in-addr.arpa" should not be showing up in the host name column; this is how IP addresses are backwards resolved.
0
 

Author Comment

by:Nellie Epps
ID: 40356929
Please see attached unusual results from Angry IP Scanner
0
 
LVL 28

Expert Comment

by:Dr. Klahn
ID: 40356932
Sorry to say that the document does not appear to have attached properly.
0
 

Author Comment

by:Nellie Epps
ID: 40356939
Sorry, I didn't click "upload file".
Angry-IP-Scanner-Results.docx
0
 
LVL 28

Expert Comment

by:Dr. Klahn
ID: 40356956
Perhaps one of the other experts can comment on that.  (I still use Word 97 and there is no import for the later DOCX file format into Word 97.)  Or alternatively, if you can post the screenshot as a JPEG.
0
 
LVL 34

Expert Comment

by:it_saige
ID: 40356962
@DrKlahn - Here are the snippets she made.
Capture.JPG
-saige-
0
 

Author Comment

by:Nellie Epps
ID: 40356965
I have now saved it as a Word 97 doc.  You should be able to open it now.
Angry-IP-Scanner-Results2.doc
0
 

Author Comment

by:Nellie Epps
ID: 40356994
As you can see by the attached, the androids are basically taking over my DHCP table. However, when I do an nslookup, many of them are legitimate workstations or laptops. The ones that I don't receive a response from, I delete, but then they begin to return almost immediately.
androids.doc
0
 
LVL 28

Accepted Solution

by:Dr. Klahn
Dr. Klahn earned 2000 total points
ID: 40358870
Thanks, it_saige.

Nellie, it looks to me that you are providing free wireless to anybody in the area with an Android device.  It is interesting that only Android devices are showing up and nothing else.

Here are my speculations ...

Someone may have established an illegal VPN on their workstation and the 10-block traffic results from a VPN tunnel into your site, with a WAP at the other end of the VPN tunnel.  Check all workstations for VPN software and run ipconfig /all on each to see if there are any active tunnels.  Perhaps one of the other experts can speak to this issue.  It will be difficult to find if this results from a virus such as Caphaw; run the Microsoft Malicious Software Tool on all workstations.

Bring in a laptop or a wireless network sniffer. See if there is an open network in the area. If there is, and you can connect to it, and the connecting device reports an IP address in the 10 block, and the laptop then shows up in your DHCP table, this confirms an unauthorized wireless access point on your network.

If the primary network is wireless, change the WPA key on the WAP and on all workstations.  Keep the new key a secret to yourself.  See if the problem goes away.

I have to say the device at 192.168.1.110 looks suspicious.  Normally a device seen by Angry IP Scanner comes back with a name of either (nothing at all), or a Windows name.  This looks like a deliberately chosen random name.  I'd chase that one down and find out what it is just on general principles.

The other device at 10.(can't read the rest) is definitely suspicious.  My guess is that this is the bootleg wireless router.  If it is on the other end of a VPN you won't be able to find it.  If it is on your premises, chasing it down may be a chore on a large network unless you have hardware that can identify what segment of the network it is on.  On a small network you can do a physical premises inspection.  If your primary network is wireless and not wired, you'll have to conduct a physical search of the entire premises to find out where the unauthorized device is.

Before going to those lengths, you might try this:  Make a site-wide announcement to all users that there is an unauthorized wireless router on the premises, and that when you find it, there will be consequences for whoever attached it to the network without permission.  Then wait two days and see if it disappears from the network.

By the way, I don't think we are going to find out anything to penetrate your network from the Angry IP Scanner screenshots, so there's no need to scribble out the IP addresses.  The device names in the scan results are partially readable through the scribbling, and even those do not suggest anything to me about your network or where you are located.  You can sure scribble all you want to, though, if it makes your boss feel better.
0
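To make the "run ipconfig /all on each workstation" step above repeatable across many machines, here is an added Python example (not code from the thread or from Experts Exchange) that parses a constructed ipconfig /all excerpt and reports adapters which hold an address but are either not a physical LAN/WLAN adapter (PPP, tunnel, virtual) or sit outside the subnet you expect. The sample output, adapter names, addresses and the expected subnet 192.168.1.0/24 are all assumptions.

```python
import ipaddress
import re

# Constructed "ipconfig /all" excerpt from one workstation (names/addresses made
# up): the expected LAN adapter, a PPP adapter holding a 10.x address (an active
# tunnel), and a disconnected Teredo adapter that should not be reported.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.25(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1

PPP adapter HomeVPN:

   IPv4 Address. . . . . . . . . . . : 10.0.0.6(Preferred)

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
"""

ADAPTER_RE = re.compile(r"^(\S.*?) adapter (.+):$")  # e.g. "PPP adapter HomeVPN:"
IPV4_RE = re.compile(r"^\s+IPv4 Address[ .]*: (\d+\.\d+\.\d+\.\d+)")
PHYSICAL_KINDS = {"Ethernet", "Wireless LAN"}


def parse_adapters(text):
    """Return [{kind, name, ipv4}] for each adapter section of ipconfig output."""
    adapters, current = [], None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = {"kind": m.group(1), "name": m.group(2), "ipv4": None}
            adapters.append(current)
            continue
        m = IPV4_RE.match(line)
        if m and current is not None:
            current["ipv4"] = m.group(1)
    return adapters


def unexpected_adapters(text, expected_cidr):
    """Adapters that hold an address but are not a physical LAN/WLAN adapter
    (PPP, tunnel, virtual) or whose address lies outside expected_cidr."""
    expected = ipaddress.ip_network(expected_cidr)
    findings = []
    for a in parse_adapters(text):
        if a["ipv4"] is None:
            continue  # disconnected/unconfigured: nothing is routed through it
        if a["kind"] not in PHYSICAL_KINDS or ipaddress.ip_address(a["ipv4"]) not in expected:
            findings.append((a["kind"], a["name"], a["ipv4"]))
    return findings
```

Feeding each workstation's saved ipconfig /all output through unexpected_adapters gives a short list of machines worth a closer look instead of reading every printout by eye.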
 
LVL 28

Expert Comment

by:Dr. Klahn
ID: 40360490
After sleeping on the problem, another thing that you might be able to try:

Assuming that your legitimate network is on 192.168.1, your legal DHCP server should not be handing out addresses on 10.0.0 at all.  That would imply a bootleg DHCP server on the network.  If this is the case:

Start up a browser and enter http://10.0.0.1 into the address bar.  That should take you to the web management pages for the bootleg router.  You may not be able to get in but there will be enough information there to deduce the manufacturer and possibly the model.
0
 

Author Comment

by:Nellie Epps
ID: 40365870
Will not display page.  See attached.
Page-Can-t-be-displayed.doc
0
 

Author Comment

by:Nellie Epps
ID: 40365885
So far everything that I have traced has turned out to be a legitimate network device (like a server or workstation). Via the switch I traced the IP address, then the MAC address, then the port. Each cable from the port is attached to a legitimate network device.
0
 
LVL 28

Expert Comment

by:Dr. Klahn
ID: 40366789
The only thing I can think of at this point is that there is a device creating a VPN into your network and bridging the 10.0 network onto your 192.168 network.

You said that you traced the IP address and MAC address to the switch and then the port.  What is the device connected to that port?
0
 

Author Comment

by:Nellie Epps
ID: 40366836
A DC is connected to the 192.xx.xx.xx address.
0
 
LVL 28

Expert Comment

by:Dr. Klahn
ID: 40366853
Domain controller?
0
 

Author Comment

by:Nellie Epps
ID: 40366930
yes
0
 
LVL 28

Expert Comment

by:Dr. Klahn
ID: 40366955
Log into the controller in question, bring up a command window, and issue ipconfig /all.  See if it is hosting anything other than the expected network adapter.

Also scan it thoroughly for viruses using at least two scanners, plus the most recent Microsoft Malicious Software Removal Tool.

If this fails to turn up anything, I am about out of ideas except for this one:  There may be an infected system on your network spoofing a MAC address.  It will be a long and tedious journey with running multiple virus scanners on every system to prove or disprove that.
0
 

Author Comment

by:Nellie Epps
ID: 40368295
I ran the Microsoft Malicious Software Removal Tool.  Nothing was found.
0
 
LVL 28

Expert Comment

by:Dr. Klahn
ID: 40368791
I'm tapped out of ideas.  Hopefully one of the other experts will see your question and have an insight.
0
 

Author Comment

by:Nellie Epps
ID: 40368798
I really appreciate your trying to resolve the issue.
0
 

Author Comment

by:Nellie Epps
ID: 40377381
Both experts were correct; however, it_saige answered first. I am not sure how this should be handled.
0
 
LVL 34

Expert Comment

by:it_saige
ID: 40377501
I think you handled it adequately.  I may have answered first, but DrKlahn did more leg work than I did.  He is deserving of the greater point break.

-saige-
0
 

Author Comment

by:Nellie Epps
ID: 40377642
Sorry, I wasn't sure how this worked. I will try to correct my mistake.
0
 

Author Comment

by:Nellie Epps
ID: 40377707
I have requested that full credit for the solution be given to davorin.
0
 

Author Closing Comment

by:Nellie Epps
ID: 40391902
Great job!
0
