[Dshield] [SPAM] Re: Network shut down by old pc

Mikel Williams mikelw at ruffinbuildingsystems.com
Fri Aug 11 16:33:59 GMT 2006


I had considered the possibility that a foreign DHCP server, such as a DSL 
router from home, had been installed into the network.

However, that still would not account for the spoofed MAC address from the 
PC.  I would be more ready to dismiss it as a "glitch" if it weren't for 
that spoofed MAC, which wasn't just a corrupted MAC.  It was a validly 
formatted address, which identified the unit as a Cameo device commonly used 
in network switches.  That to me indicates an attempt to hide the source of 
the offending traffic, and in my thinking is what makes it appear more as 
malicious activity of some sort as opposed to just a corrupted IP stack.

Thanks for the response,
Mikel

----- Original Message ----- 
From: "John Dietz" <www.whitewolf at gmail.com>
To: "General DShield Discussion List" <list at lists.dshield.org>
Sent: Friday, August 11, 2006 7:42 AM
Subject: [SPAM] Re: [Dshield] Network shut down by old pc


> Of course I could be wrong, but it sounds to me like either the server
> hosting the DHCP pool had a glitch (or was poisoned) and stopped excluding
> the 192.168.0.1 IP or another computer was serving DHCP at the time and
> didn't have the rule to exclude 192.168.0.1 from the pool.  Do you maybe
> have a BDC that could have decided to take over these requests after
> losing communication with the PDC?  Of course, without packet logs and
> without knowing your network better, it would be hard to know for sure
> just what happened, but this is at least my theory.  Since you said all
> the configurations on the Win 98 box are as they should be, I doubt it is
> the victim of malicious code installed on it.  It sounds a lot more like a
> DHCP issue to me.
>
> Cheers
>
>
> On 8/10/06, Mikel Williams <mikelw at ruffinbuildingsystems.com> wrote:
>>
>> Looking for info on possible cause of the following scenario:
>>
>> Small business network with primary domain controller, file server, and
>> DHCP services provided by a Win NT 4.0 server, SP 6A, configured as
>> follows;
>>        IP address of 192.168.0.1 (NIC's MAC address of 00:08:C7:33:F9:57)
>>        Providing services for the domain of DHCP, WINS, Primary DNS,
>> basic file storage, and printer shares
>> Most PCs running Win2K or Win XP, except for 2 older boxes still running
>> Win98.
>>    (These 2 older boxes have been in the network for upwards of 10 years
>> with no problems)
>> Internet access across network is restricted to selected stations that
>> get gateway address and expanded DNS server list
>>    by DHCP reservation and gateway access control list on
>> firewall/router.
>>
>>
>> Here's the problem;
>>
>> Late yesterday afternoon domain users began having problems hitting
>> network printers, all shared from Primary Domain Controller.
>>    Subsequent checks showed that none of them could hit the server at
>> all, but other network connections remained intact.
>> Server event log revealed loss of network connection due to an IP address
>> conflict, with a station having MAC address of 00:C0:F0:12:EB:58
>>    (Same MAC address also resolved using ARP from a backup server
>> following ping of 192.168.0.1)
>> Check of cached info from root level switch for the network finds no
>> entry for the offending MAC.
>> Process of elimination by using perpetual ping from various stations as
>> network branches and cables are unplugged led
>>    to one of the old Win98 boxes, which has been running with no problems
>> for years.
>>    (Offending PC immediately isolated from network pending further
>> investigation)
>>    (Policies in effect on the PC prevented even myself from being able to
>> get to the network configuration)
>>
>> This AM, after using policy editor to recover the system, all network
>> configuration is as it was before;
>>        IP address by DHCP
>>        Since no DHCP server is available during isolation from network,
>> Windows used auto-generated IP address of 169.254.158.91
>>
>> The real kicker is that the MAC address of the offending NIC is
>> 00:C0:F0:12:EB:58
>>
>>
>> I have no plans to re-introduce the renegade system into the network, as
>> it's due for a replacement anyway.
>> I am still wanting to find out what happened here, especially since it
>> has the appearance of originating from some form of malicious code.
>> Have any of you experienced this issue, or know of any exploits which
>> would have this effect?
>> The end result was a crash of the primary domain server, but the false
>> MAC address is equally disturbing.
>>
>> Thanks for any info,
>> Mike Williams
>>
>> _________________________________________
>> Learn from the founder of DShield how to secure your Internet presence
>> with Linux, Apache, MySQL, PHP.
>>
>> Las Vegas, Oct. 2nd-6th 2006
>>
>> Details: http://www.sans.org/ns2006/description.php?tid=433
>> (Brochure Code: ISC)
>>
>>
>>
>>
>> _______________________________________________
>> send all posts to list at lists.dshield.org
>> To change your subscription options (or unsubscribe), see:
>> http://lists.dshield.org/mailman/listinfo/list
>>
>
>
>
> -- 
> There is intelligence in having all the answers, but wisdom lies in
> knowing which of the questions to answer.
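A defender-side check for the scenario in this thread, added here as an example and not code from the list or any poster: it automates the ARP lookup Mikel did from the backup server, comparing what several hosts resolve 192.168.0.1 to against the server NIC's registered MAC, and reports the OUI of any impostor so it can be looked up. The `arp -a` text, the observer host names and the EXPECTED table are constructed assumptions; only the two MAC addresses and the IP come from the post.

```python
"""Added example (not from the thread): automate the ARP check Mikel did by hand.
Resolve a critical IP from several hosts and flag any answer whose MAC is not the
registered one.  ARP text is constructed to mimic Windows `arp -a` output."""
import re

EXPECTED = {"192.168.0.1": "00:08:c7:33:f9:57"}  # critical host -> registered MAC (from the post)

# Matches a row like "  192.168.0.1           00-c0-f0-12-eb-58     dynamic"
ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\s+\w+"
)

def normalize_mac(mac):
    """Lower-case, colon-separated, so 00-C0-F0-... and 00:c0:f0:... compare equal."""
    return mac.replace("-", ":").lower()

def parse_arp_table(text):
    """Return {ip: mac} from arp -a style text; interface and header lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            table[m.group(1)] = normalize_mac(m.group(2))
    return table

def find_conflicts(snapshots, expected=EXPECTED):
    """snapshots: {observer_host: arp_text}.  One alert per observer whose cache maps a
    critical IP to a MAC other than the registered one; the OUI (first 3 octets) is included."""
    alerts = []
    for observer, text in snapshots.items():
        for ip, mac in parse_arp_table(text).items():
            if ip in expected and mac != expected[ip]:
                alerts.append({"observer": observer, "ip": ip, "observed_mac": mac,
                               "observed_oui": mac[:8], "expected_mac": expected[ip]})
    return alerts

SAMPLE_SNAPSHOTS = {  # constructed: backup server cached the impostor, workstation the real server
    "backup-server": ("Interface: 192.168.0.2 on Interface 0x2\n"
                      "  Internet Address      Physical Address      Type\n"
                      "  192.168.0.1           00-c0-f0-12-eb-58     dynamic\n"),
    "workstation-17": ("Interface: 192.168.0.17 on Interface 0x3\n"
                       "  Internet Address      Physical Address      Type\n"
                       "  192.168.0.1           00-08-C7-33-F9-57     dynamic\n"),
}

if __name__ == "__main__":
    for a in find_conflicts(SAMPLE_SNAPSHOTS):
        print(f"{a['observer']}: {a['ip']} answered by {a['observed_mac']} "
              f"(OUI {a['observed_oui']}), expected {a['expected_mac']}")
```

Running it against live `arp -a` output gathered from a few hosts after pinging the server gives the same evidence the thread collected manually, and a conflicting entry on only some observers shows which hosts have already learned the impostor.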


