PC's pulling wrong IP's...


  • PC's pulling wrong IP's...

    First off, I'm a MCP - doing this for 10yrs...not a newbie.

    I got a client with 25 pc's, using cable internet, into a Linksys router, into a 10/100 netgear unmanaged switch.

    Now, randomly throughout the day 3-6 PC's in the office get kicked off the internet. When they get kicked off the internet their IP will be 192.168.1.5 - .30. Now my dhcp scope is 192.168.1.100 - .190.

    I've replaced the switches and router, and I am still having this same problem today. There are no other routers on the network, and it's just a mystery to me. Basically, if you pull an IP that is under .100 - you have no internet. Weird thing is if you pull an IP under .100 - I can still go to 192.168.1.1 and get into my router.

    Any ideas???????????

  • #2
    Re: PC's pulling wrong IP's...

    You have a rogue DHCP server on your network that nobody has told you about. Is there someone who comes into the office with a laptop? They could be running DHCP with the same common range and have that restricted scope set.

    If Mr X has their DHCP running and dishing out IPs, you will still be able to get to the router since you are on the same subnet. HOWEVER their DNS IP may be different to yours so, no Internet access because no DNS resolution.

    Check IPCONFIG /ALL when you get a rogue range and see what the DNS is and what other differences there are between the 2 ranges.

    Any wireless being used?
    Is it always the same machines being kicked off?
    WHY are you getting machines kicked off the network? Not really acceptable is it.
    1 1 was a racehorse.
    2 2 was 1 2.
    1 1 1 1 race 1 day,
    2 2 1 1 2



    • #3
      Re: PC's pulling wrong IP's...

      To add to Biggles's mention of a rogue DHCP server, use dhcploc to track the villain down. Administer justice as you see fit.
      Last edited by Nonapeptide; 5th April 2009, 00:15. Reason: spelling
      Wesley David
      LinkedIn | Careers 2.0
      -------------------------------
      Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
      Vendor Neutral Certifications: CWNA
      Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
      Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/



      • #4
        Re: PC's pulling wrong IP's...

        Clients are offered an IP address from the DHCP server instead of pulling it.
        However I second Biggles and Nonapeptide that there is probably a rogue DHCP server on the network.
        It might be a vmware box or something like that.
        Marcel
        Technical Consultant
        Netherlands
        http://www.phetios.com
        http://blog.nessus.nl

        MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
        "No matter how secure, there is always the human factor."

        "Enjoy life today, tomorrow may never come."
        "If you're going through hell, keep going. ~Winston Churchill"



        • #5
          Re: PC's pulling wrong IP's...

          Yeah, they have wireless running off the same Linksys router. It's really random, some pc's work, next day they don't.

          Yeah, I thought maybe someone had some type of software running on their PC - that might be giving out IP's w/o them knowing it......about 20 office people, maybe 10 laptops.......

          I think when I look at the ipconfig /all of the PC's that don't work - it shows the DNS of the internet provider....the ones that work show the dns of the router: 192.168.1.1. and they also have a DNS suffix of the cable provider.....the others show no DNS suffix.

          Does that help?



          • #6
            Re: PC's pulling wrong IP's...

            OK I ran into this today - I think these are the dns servers that the non working PC's are using - valid dns servers would be 192.168.1.1 and I remember the non working pc's were using a 64 and 63 dns server.

            Is there any tool out there that will help me identify dhcp servers on my network?



            Thanks to Irwin for alerting us about a new version of rogue DHCP server malware he found in his network. The malware appears to be similar to Trojan.Flush.M which was found last December. Like back then, after infecting its target, the malware installs a rogue DHCP server. The main goal of the DHCP server is to spread a bad DNS server IP address.
            Irwin did a good job comparing the two versions. Here is his summary of the differences:
            • The new version sets the DHCP lease time to 1 hour.
            • it sets the MAC destination to the broadcast address, rather than the MAC address of the DHCP client
            • it does not specify a DNS Domain Name.
            • the options field does not contain an END option followed by PAD options.
            • Unlike Trojan.Flush.M, the BootP Broadcast Bit is set.

            The malicious DNS server is 64.86.133.51 and 63.243.173.162.

            Comment
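As an added example (not code from this thread or from the SANS diary quoted in post #6), the check below parses DHCP reply payloads and flags any OFFER/ACK whose server identifier, offered address or DNS servers do not match what the thread describes as legitimate. The function names, the allow-list and the rogue server address 192.168.1.23 are assumptions made for illustration; the packets are constructed in the code rather than captured.

```python
import socket
import struct

# Assumed from the thread: the router 192.168.1.1 is the only legitimate DHCP
# and DNS server, and its scope is 192.168.1.100 - .190.
ALLOWED = {"192.168.1.1"}
LO, HI = socket.inet_aton("192.168.1.100"), socket.inet_aton("192.168.1.190")
MAGIC = bytes([99, 130, 83, 99])          # DHCP magic cookie after the BOOTP header

def parse_options(data):
    """Walk RFC 2132 option TLVs; stop at END or, if END is missing, at buffer end."""
    opts, i = {}, 0
    while i + 1 < len(data) and data[i] != 255:
        if data[i]:                        # code 0 is PAD: one byte, no length
            opts[data[i]] = data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1] if data[i] else 1
    return opts

def ips(raw):
    return [socket.inet_ntoa(raw[j:j + 4]) for j in range(0, len(raw) - 3, 4)]

def check_reply(payload):
    """Return reasons a DHCP OFFER/ACK looks rogue; an empty list means clean."""
    if len(payload) < 240 or payload[0] != 2 or payload[236:240] != MAGIC:
        return ["not a DHCP reply"]
    opts = parse_options(payload[240:])
    if opts.get(53) not in (b"\x02", b"\x05"):   # only OFFER (2) and ACK (5) assign config
        return []
    server = (ips(opts.get(54, b"")) or ["missing"])[0]
    found = [] if server in ALLOWED else ["unauthorised server " + server]
    if not LO <= payload[16:20] <= HI:           # yiaddr: the address being handed out
        found.append("offered " + socket.inet_ntoa(payload[16:20]) + " outside scope")
    bad_dns = [d for d in ips(opts.get(6, b"")) if d not in ALLOWED]
    if bad_dns:
        found.append("unexpected DNS " + ",".join(bad_dns))
    return found

def build_reply(yiaddr, server, dns, end=True):
    """Constructed sample: minimal DHCPOFFER, broadcast bit set, 1-hour lease."""
    ip = socket.inet_aton
    hdr = struct.pack("!4BIHH4x4s216x", 2, 1, 6, 0, 0x1234, 0, 0x8000, ip(yiaddr)) + MAGIC
    opts = b"\x35\x01\x02\x36\x04" + ip(server) + b"\x33\x04" + struct.pack("!I", 3600)
    opts += bytes([6, 4 * len(dns)]) + b"".join(map(ip, dns))
    return hdr + opts + (b"\xff" if end else b"")

# Constructed packets: one from the router, one shaped like the rogue server in the thread
# (192.168.1.23 is a made-up address for the infected PC; no END option).
GOOD = build_reply("192.168.1.120", "192.168.1.1", ["192.168.1.1"])
ROGUE = build_reply("192.168.1.12", "192.168.1.23", ["64.86.133.51", "63.243.173.162"], end=False)
```

`check_reply` takes the UDP payload of a server-to-client DHCP packet (source port 67), so it can be fed from any capture of that traffic.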


            • #7
              Re: PC's pulling wrong IP's...

              Originally posted by hfctpl
              Is there any tool out there that will help me identify dhcp servers on my network?
              See post#3 in this thread.

              Originally posted by Johannes Ullrich
              Thanks to Irwin for alerting us about a new version of rogue DHCP server malware he found in his network. (...)
              For those interested, the last part of hfctpl's post was a diary/blog post by Johannes Ullrich on SANS.org. Here's the original link.
              Wesley David


              • #8
                Re: PC's pulling wrong IP's...

                Ended up being a PC doing all the damage. Took it off the network - wiped it - no problems all week.

                Not sure what virus it was - some sort of Trojan Flush. Couldn't scan it or anything - couldn't even run Windows Update - it'd take me to some porn site.

                Thanks for the help!!



                • #9
                  Re: PC's pulling wrong IP's...

                  Thanks for posting back! Now that you've got a nice new image, you have the perfect opportunity to demote the individual's user account from an Administrator to a User. Unless their job title starts with the word "Chief".
                  Wesley David