[Dshield] Network shut down by old pc
mikelw at ruffinbuildingsystems.com
Thu Aug 10 20:51:20 GMT 2006
Looking for info on possible cause of the following scenario:

Small business network with primary domain controller, file server, and DHCP services provided by a Win NT 4.0 server, SP 6A, configured as follows:
IP address of 192.168.0.1 (NIC's MAC address of 00:08:C7:33:F9:57)
Providing services for the domain of DHCP, WINS, Primary DNS, basic file storage, and printer shares
Most PCs running Win2K or Win XP, except for 2 older boxes still running
(These 2 older boxes have been in the network for upwards of 10 years with no problems)
Internet access across network is restricted to selected stations that get gateway address and expanded DNS server list by DHCP reservation and gateway access control list on firewall/router.

Here's the problem:

Late yesterday afternoon domain users began having problems hitting network printers, all shared from Primary Domain Controller. Subsequent checks showed that none of them could hit the server at all, but other network connections remained intact.

Server event log revealed loss of network connection due to an IP address conflict, with a station having MAC address of 00:C0:F0:12:EB:58 (Same MAC address also resolved using ARP from a backup server following ping of 192.168.0.1)

Check of cached info from root level switch for the network finds no entry for the offending MAC.

Process of elimination by using perpetual ping from various stations as network branches and cables are unplugged led to one of the old Win98 boxes, which has been running with no problems
(Offending PC immediately isolated from network pending further
(Policies in effect on the PC prevented even myself from being able to get to the network configuration)

This AM, after using policy editor to recover the system, all network configuration is as it was before:
IP address by DHCP
Since no DHCP server is available during isolation from network, Windows used auto-generated IP address of 169.254.158.91

The real kicker is that the MAC address of the offending NIC is

I have no plans to re-introduce the renegade system into the network, as it's due for a replacement anyway.

I am still wanting to find out what happened here, especially since it has the appearance of originating from some form of malicious code.

Have any of you experienced this issue, or know of any exploits which would have this effect?

The end result was a crash of the primary domain server, but the false MAC address is equally disturbing.

Thanks for any info,
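As an added example (not part of the original post), this is the kind of baseline check a defender could run from any station after an incident like this: parse Windows `arp -a` output and flag a critical host, here the PDC at 192.168.0.1 with its real NIC address, whose IP now resolves to a different MAC, noting whether that MAC carries the locally-administered bit that software-set addresses usually have. The ARP output below is constructed; the station address and the other two hosts are made up, only the PDC and rogue MACs come from the post.

```python
"""Detect IP-address conflicts / MAC drift for critical hosts from ARP output."""
import re

# Baseline from the post: the NT 4.0 PDC and the MAC burned into its NIC.
BASELINE = {"192.168.0.1": "00-08-c7-33-f9-57"}

# Constructed sample of `arp -a` on a station that just pinged the PDC while
# the rogue host was answering for 192.168.0.1 (other rows are made up).
SAMPLE_ARP = """
Interface: 192.168.0.25 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           00-c0-f0-12-eb-58     dynamic
  192.168.0.10          00-50-56-aa-bb-cc     dynamic
  192.168.0.254         00-1a-2b-3c-4d-5e     dynamic
"""

# One ARP row: IPv4 address, MAC with '-' or ':' separators, entry type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)")

def normalize_mac(mac):
    """Lower-case, dash-separated form so Windows and Unix styles compare equal."""
    return mac.lower().replace(":", "-")

def parse_arp(text):
    """Return {ip: mac} from arp -a style output; header/interface lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = normalize_mac(m.group(2))
    return table

def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set: address set in software."""
    return bool(int(mac.split("-")[0], 16) & 0x02)

def find_conflicts(observed, baseline):
    """List (ip, expected_mac, observed_mac, locally_administered) for every baseline mismatch."""
    findings = []
    for ip, expected in baseline.items():
        seen = observed.get(ip)
        if seen is not None and normalize_mac(seen) != normalize_mac(expected):
            seen = normalize_mac(seen)
            findings.append((ip, normalize_mac(expected), seen, is_locally_administered(seen)))
    return findings

if __name__ == "__main__":
    for ip, exp, seen, local in find_conflicts(parse_arp(SAMPLE_ARP), BASELINE):
        tag = " (locally administered MAC)" if local else ""
        print(f"CONFLICT {ip}: expected {exp}, ARP answered {seen}{tag}")
```

Run against the constructed sample it reports the PDC's address answering from 00-c0-f0-12-eb-58, which is what the post saw with ARP from the backup server.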