[Dshield] Network shut down by old pc

Mikel Williams mikelw at ruffinbuildingsystems.com
Thu Aug 10 20:51:20 GMT 2006


Looking for info on possible cause of the following scenario:

Small business network with primary domain controller, file server, and DHCP
services provided by a Win NT 4.0 server, SP 6A, configured as follows:
        IP address of 192.168.0.1 (NIC's MAC address of 00:08:C7:33:F9:57)
        Providing services for the domain of DHCP, WINS, Primary DNS, basic
file storage, and printer shares
Most PCs running Win2K or Win XP, except for 2 older boxes still running
Win98.
    (These 2 older boxes have been in the network for upwards of 10 years
with no problems)
Internet access across network is restricted to selected stations that get
gateway address and expanded DNS server list by DHCP reservation and gateway
access control list on firewall/router.


Here's the problem:

Late yesterday afternoon domain users began having problems hitting network
printers, all shared from the Primary Domain Controller.
    Subsequent checks showed that none of them could hit the server at all,
but other network connections remained intact.
Server event log revealed loss of network connection due to an IP address
conflict, with a station having MAC address of 00:C0:F0:12:EB:58
    (Same MAC address also resolved using ARP from a backup server following
a ping of 192.168.0.1)
Check of cached info from root level switch for the network finds no entry
for the offending MAC.
Process of elimination by using perpetual ping from various stations as
network branches and cables were unplugged led to one of the old Win98 boxes,
which has been running with no problems for years.
    (Offending PC immediately isolated from network pending further
investigation)
    (Policies in effect on the PC prevented even myself from being able to
get to the network configuration)

This AM, after using policy editor to recover the system, all network
configuration is as it was before:
        IP address by DHCP
        Since no DHCP server is available during isolation from network,
Windows used auto-generated IP address of 169.254.158.91

The real kicker is that the MAC address of the offending NIC is
00:C0:F0:12:EB:58


I have no plans to re-introduce the renegade system into the network, as
it's due for a replacement anyway.
I am still wanting to find out what happened here, especially since it has
the appearance of originating from some form of malicious code.
Have any of you experienced this issue, or know of any exploits which would
have this effect?
The end result was a crash of the primary domain server, but the false MAC
address is equally disturbing.

Thanks for any info,
Mike Williams 
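Editor's note: the check the poster did by hand (ping the server, then read the ARP cache on another host and compare the MAC against what the server's NIC should have) is worth making repeatable, because a duplicate-IP event like this is indistinguishable on the wire from deliberate ARP spoofing. The script below is an added example, not code from the post or from DShield. It does two things on constructed input: it walks a list of ARP replies and reports any IP address answered for by more than one MAC (including whether the second claimant announced itself with a gratuitous ARP, i.e. sender IP equal to target IP, which is what a host does when it brings up an address), and it parses Windows `arp -a` output and compares it against a small inventory of expected IP-to-MAC pairs. The IP and the two MAC addresses are the ones quoted in the post; the timestamps, the other hosts, the packet sequence, the `arp -a` text and the inventory mapping are all invented for the example. The same idea in production form is what arpwatch's "flip flop" report does.

```python
"""Detect an IP address claimed by two MACs from ARP replies, and check an
arp -a listing against an inventory.  Added example; all data constructed."""
import re
from collections import defaultdict

# Values quoted in the post above.
DC_IP = "192.168.0.1"
DC_MAC = "00:08:c7:33:f9:57"        # the NT4 domain controller's NIC
ROGUE_MAC = "00:c0:f0:12:eb:58"     # the Win98 box that took the same IP

# Assumed inventory: which MAC is allowed to answer for which IP.
EXPECTED = {DC_IP: DC_MAC}

# Constructed ARP records: (t_seconds, opcode, sender_ip, sender_mac, target_ip, target_mac).
# Opcode 2 is an ARP reply.  Record 3 is a gratuitous ARP (sender_ip == target_ip).
SAMPLE_ARP = [
    (0.0, 2, DC_IP, DC_MAC, "192.168.0.25", "00:11:22:33:44:55"),
    (1.5, 2, DC_IP, DC_MAC, "192.168.0.26", "00:11:22:33:44:66"),
    (42.0, 2, DC_IP, ROGUE_MAC, DC_IP, "00:00:00:00:00:00"),
    (43.0, 2, DC_IP, ROGUE_MAC, "192.168.0.25", "00:11:22:33:44:55"),
]

# Constructed Windows `arp -a` output as seen from a backup server.
ARP_A_OUTPUT = """\
Interface: 192.168.0.2 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           00-c0-f0-12-eb-58     dynamic
  192.168.0.25          00-11-22-33-44-55     dynamic
"""


def norm_mac(mac):
    """Normalise 00-C0-F0-12-EB-58 or 00:c0:f0:12:eb:58 to lower-case colon form."""
    parts = re.split(r"[:-]", mac.strip().lower())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-f]{2}", p) for p in parts):
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(parts)


def find_ip_conflicts(records):
    """Return {ip: [(mac, first_seen_t), ...]} for every IP answered for by >1 MAC,
    ordered by when each MAC was first seen claiming the address."""
    first_seen = defaultdict(dict)          # ip -> {mac: first timestamp}
    for t, op, sip, smac, _tip, _tmac in records:
        if op != 2:                         # only replies assert ownership
            continue
        first_seen[sip].setdefault(norm_mac(smac), t)
    return {ip: sorted(m.items(), key=lambda kv: kv[1])
            for ip, m in first_seen.items() if len(m) > 1}


def find_gratuitous(records):
    """Gratuitous ARP: sender IP == target IP, sent when a host brings up an address."""
    return [(t, sip, norm_mac(smac))
            for t, _op, sip, smac, tip, _tmac in records if sip == tip]


_ARP_LINE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F-]{17})\s+(\w+)")


def parse_arp_a(text):
    """Parse Windows `arp -a` output into {ip: mac}; header/interface lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = _ARP_LINE.match(line)
        if m:
            table[m.group(1)] = norm_mac(m.group(2))
    return table


def check_against_inventory(table, expected=EXPECTED):
    """Return {ip: (expected_mac, observed_mac)} where the cache disagrees with inventory."""
    return {ip: (mac, table[ip])
            for ip, mac in expected.items() if ip in table and table[ip] != mac}


if __name__ == "__main__":
    for ip, claimants in find_ip_conflicts(SAMPLE_ARP).items():
        print(f"{ip} claimed by: " + ", ".join(f"{m} (t={t})" for m, t in claimants))
    for t, ip, mac in find_gratuitous(SAMPLE_ARP):
        print(f"gratuitous ARP for {ip} from {mac} at t={t}")
    for ip, (want, got) in check_against_inventory(parse_arp_a(ARP_A_OUTPUT)).items():
        print(f"arp -a: {ip} expected {want}, cache shows {got}")
```

The MAC that first claimed the address is listed first, so the output distinguishes the legitimate owner from the latecomer; that ordering is only meaningful if the capture started before the conflict, so keep a baseline such as the inventory check as well.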
