[Dshield] Network shut down by old pc

John Dietz www.whitewolf at gmail.com
Fri Aug 11 12:42:17 GMT 2006

Of course I could be wrong, but it sounds to me like either the server
hosting the DHCP pool had a glitch (or was poisoned) and stopped excluding
the IP or another computer was serving DHCP at the time and
didn't have the rule to exclude from the pool.  Do you maybe
have a BDC that could have decided to take over these requests after losing
communication with the PDC?  Of course, without packet logs and without
knowing your network better, it would be hard to know for sure just what
happened, but this is at least my theory.  Since you said all the
configurations on the Win 98 box are as they should be, I doubt it is the
victim of malicious code installed on it.  It sounds a lot more like a DHCP
issue to me.


On 8/10/06, Mikel Williams <mikelw at ruffinbuildingsystems.com> wrote:
> Looking for info on possible cause of the following scenario:
> Small business network with primary domain controller, file server, and
> services provided by a
> Win NT 4.0 server, SP 6A, configured as follows;
>        IP address of (NIC's MAC address of 00:08:C7:33:F9:57)
>        Providing services for the domain of DHCP, WINS, Primary DNS, basic
> file storage, and printer shares
> Most pc's running Win2K or Win XP, except for 2 older boxes still running
> Win98.
>    (These 2 older boxes have been in the network for upwards of 10 years
> with no problems)
> Internet access across network is restricted to selected stations that get
> gateway address and expanded DNS server list
>    by DHCP reservation and gateway access control list on firewall/router.
> Here's the problem;
> Late yesterday afternoon domain users began having problems hitting network
> printers, all shared from Primary Domain Controller.
>    Subsequent checks showed that none of them could hit the server at all,
> but other network connection remained intact.
> Server event log revealed loss of network connection due to an IP address
> conflict, with a station having MAC address of 00:C0:F0:12:EB:58
>    (Same MAC address also resolved using ARP from a backup server
> following
> ping of
> Check of cached info from root level switch for the network finds no entry
> for the offending MAC.
> Process of elimination by using perpetual ping from various stations as
> network branches and cables are unplugged led
>    to one of the old Win98 boxes, which has been running with no problems
> for years.
>    (Offending PC immediately isolated from network pending further
> investigation)
>    (Policies in effect on the pc prevented even myself from being able to
> get to the network configuration)
> This AM, after using policy editor to recover the system, all network
> configuration is as it was before;
>        IP address by DHCP
>        Since no DHCP server is available during isolation from network,
> Windows used auto-generated IP address of
> The real kicker, is that the MAC address of the offending NIC is
> 00:C0:F0:12:EB:58
> I have no plans to re-introduce the renegade system into the network, as
> it's due for a replacement anyway.
> I am still wanting to find out what happened here, especially since it has
> the appearance of originating from some form of malicious code.
> Have any of you experienced this issue, or know of any exploits which would
> have this effect?
> The end result was a crash of the primary domain server, but the false MAC
> address is equally disturbing.
> Thanks for any info,
> Mike Williams

There is intelligence in having all the answers, but wisdom lies in
knowing which of the questions to answer.
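
[Added example, not part of the original thread or written by either poster.] The reply above names two things that packet logs would confirm or rule out: a second machine answering DHCP requests, and a lease being issued for the server's excluded address. A sketch of those checks over already-collected observations follows; the 192.0.2.x addresses and the extra client MAC are constructed placeholders (the post does not give the real IPs), the function names are hypothetical, and the two MAC addresses for the server and the Win98 box are the ones quoted in the post.

```python
from collections import defaultdict

# Constructed sample data. 192.0.2.x addresses are placeholders; the server and
# Win98 MAC addresses are taken from the post, everything else is assumed.
STATIC_IPS = {"192.0.2.10": "00:08:c7:33:f9:57"}  # server address excluded from the pool
AUTHORIZED_DHCP = {"192.0.2.10"}                  # the only machine meant to serve DHCP

ARP_SEEN = [  # (ip, mac) pairs gathered from ARP caches or a sniffer
    ("192.0.2.10", "00:08:C7:33:F9:57"),
    ("192.0.2.31", "00:11:22:33:44:55"),
    ("192.0.2.10", "00:C0:F0:12:EB:58"),
]
DHCP_ACKS = [  # (server identifier, leased ip, client mac) taken from DHCPACK packets
    ("192.0.2.10", "192.0.2.31", "00:11:22:33:44:55"),
    ("192.0.2.20", "192.0.2.10", "00:C0:F0:12:EB:58"),
]

def ip_conflicts(arp_seen):
    """Return {ip: sorted MACs} for every IP claimed by more than one MAC."""
    claims = defaultdict(set)
    for ip, mac in arp_seen:
        claims[ip].add(mac.lower())
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}

def unauthorized_servers(acks, authorized):
    """Return DHCP server identifiers that answered but are not on the allow list."""
    return sorted({server for server, _, _ in acks} - set(authorized))

def leases_of_static_ips(acks, static_ips):
    """Return ACKs that lease an excluded address to a MAC other than its owner."""
    return [(server, ip, mac.lower()) for server, ip, mac in acks
            if ip in static_ips and mac.lower() != static_ips[ip]]

if __name__ == "__main__":
    print("IP conflicts:", ip_conflicts(ARP_SEEN))
    print("Unexpected DHCP servers:", unauthorized_servers(DHCP_ACKS, AUTHORIZED_DHCP))
    print("Excluded IPs leased out:", leases_of_static_ips(DHCP_ACKS, STATIC_IPS))
```

A conflict with no matching lease of the excluded address points away from the DHCP theory and toward a statically or locally configured address on the client.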
