[Dshield] [SPAM] Re: Network shut down by old pc

David Taylor ltr at isc.upenn.edu
Sun Aug 13 19:34:05 GMT 2006


Could this be a sniffer using ARP spoofing? Cain and Abel will bring a
network down like that.  The host responding to pings sent to other machines
makes it sound like this might be a possibility.


On 8/11/06 12:33 PM, "Mikel Williams" <mikelw at ruffinbuildingsystems.com>
wrote:

> I had considered the possibility that a foreign DHCP server, such as a DSL
> router from home, had been installed into the network.
> 
> However, that still would not account for the spoofed MAC address from the
> pc.  I would be more ready to dismiss it as a "glitch" if it weren't for
> that spoofed MAC, which wasn't just a corrupted MAC.  It was a validly
> formatted address, which identified the unit as a Cameo device commonly used
> in network switches.  That to me indicates an attempt to hide the source of
> the offending traffic, and in my thinking is what makes it appear more as
> malicious activity of some sort as opposed to just a corrupted IP stack.
> 
> Thanks for the response,
> Mikel
> 
> ----- Original Message -----
> From: "John Dietz" <www.whitewolf at gmail.com>
> To: "General DShield Discussion List" <list at lists.dshield.org>
> Sent: Friday, August 11, 2006 7:42 AM
> Subject: [SPAM] Re: [Dshield] Network shut down by old pc
> 
> 
>> Of course I could be wrong, but it sounds to me like either the server
>> hosting the DHCP pool had a glitch (or was poisoned) and stopped excluding
>> the 192.168.0.1 IP or another computer was serving DHCP at the time and
>> didn't have the rule to exclude 192.168.0.1 from the pool.  Do you maybe
>> have a BDC that could have decided to take over these requests after
>> losing communication with the PDC?  Of course, without packet logs and
>> without knowing your network better, it would be hard to know for sure
>> just what happened, but this is at least my theory.  Since you said all
>> the configurations on the Win 98 box are as they should be, I doubt it is
>> the victim of malicious code installed on it.  It sounds a lot more like a
>> DHCP issue to me.
>> 
>> Cheers
>> 
>> 
>> On 8/10/06, Mikel Williams <mikelw at ruffinbuildingsystems.com> wrote:
>>> 
>>> Looking for info on possible cause of the following scenario:
>>> 
>>> Small business network with primary domain controller, file server, and
>>> DHCP services provided by a Win NT 4.0 server, SP 6A, configured as
>>> follows:
>>>        IP address of 192.168.0.1 (NIC's MAC address of 00:08:C7:33:F9:57)
>>>        Providing services for the domain of DHCP, WINS, primary DNS,
>>>        basic file storage, and printer shares
>>> Most PCs running Win2K or Win XP, except for 2 older boxes still running
>>> Win98.
>>>    (These 2 older boxes have been in the network for upwards of 10 years
>>>    with no problems)
>>> Internet access across network is restricted to selected stations that
>>> get gateway address and expanded DNS server list by DHCP reservation and
>>> gateway access control list on firewall/router.
>>> 
>>> 
>>> Here's the problem:
>>> 
>>> Late yesterday afternoon domain users began having problems hitting
>>> network printers, all shared from the Primary Domain Controller.
>>>    Subsequent checks showed that none of them could hit the server at
>>>    all, but other network connections remained intact.
>>> Server event log revealed loss of network connection due to an IP address
>>> conflict, with a station having MAC address of 00:C0:F0:12:EB:58
>>>    (Same MAC address also resolved using ARP from a backup server
>>>    following ping of 192.168.0.1)
>>> Check of cached info from root level switch for the network finds no
>>> entry for the offending MAC.
>>> Process of elimination by using perpetual ping from various stations as
>>> network branches and cables are unplugged led to one of the old Win98
>>> boxes, which has been running with no problems for years.
>>>    (Offending PC immediately isolated from network pending further
>>>    investigation)
>>>    (Policies in effect on the PC prevented even myself from being able to
>>>    get to the network configuration)
>>> 
>>> This AM, after using policy editor to recover the system, all network
>>> configuration is as it was before:
>>>        IP address by DHCP
>>>        Since no DHCP server is available during isolation from network,
>>>        Windows used auto-generated IP address of 169.254.158.91
>>> 
>>> The real kicker is that the MAC address of the offending NIC is
>>> 00:C0:F0:12:EB:58
>>> 
>>> 
>>> I have no plans to re-introduce the renegade system into the network, as
>>> it's due for a replacement anyway.
>>> I am still wanting to find out what happened here, especially since it
>>> has the appearance of originating from some form of malicious code.
>>> Have any of you experienced this issue, or know of any exploits which
>>> would have this effect?
>>> The end result was a crash of the primary domain server, but the false
>>> MAC address is equally disturbing.
>>> 
>>> Thanks for any info,
>>> Mike Williams
>>> 
>>> _________________________________________
>>> Learn from the founder of DShield how to secure your Internet presence
>>> with Linux, Apache, MySQL, PHP.
>>> 
>>> Las Vegas, Oct. 2nd-6th 2006
>>> 
>>> Details: http://www.sans.org/ns2006/description.php?tid=433
>>> (Brochure Code: ISC)
>>> 
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> send all posts to list at lists.dshield.org
>>> To change your subscription options (or unsubscribe), see:
>>> http://lists.dshield.org/mailman/listinfo/list
>>> 
>> 
>> 
>> 
>> -- 
>> There is intelligence in having all the answers, but wisdom lies in
>> knowing which of the questions to answer.
> 


==================================================
David Taylor //Sr. Information Security Specialist
University of Pennsylvania Information Security
Philadelphia PA USA
(215) 898-1236
http://www.upenn.edu/computing/security/
==================================================

Penn Information Security RSS feed
http://www.upenn.edu/computing/security/rss/rssfeed.xml
Add link to your favorite RSS reader
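The thread turns on one observation: 192.168.0.1 suddenly resolving, via ARP, to a MAC that is not the PDC's NIC. That is exactly the condition an arpwatch-style monitor exists to catch, whether the cause is a DHCP pool handing out the server's address or a tool like Cain and Abel poisoning caches. The script below is an added example for this thread, not code from any of the posters. The expected binding for 192.168.0.1 and the two MAC addresses are taken from Mikel's post; the timestamps, the 192.168.0.57 lease and the "backup-server" label are constructed sample data. It checks three things over a series of ARP-cache observations: a protected host answering from the wrong MAC, any IP claimed by more than one MAC, and one MAC answering for several IPs.

```python
"""ARP-table consistency check in the spirit of arpwatch.

Added example for this thread, not code from any poster. The expected
binding for 192.168.0.1 and the two MAC addresses come from the original
post; timestamps, the 192.168.0.57 lease and the "backup-server" label are
constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

# Authoritative IP -> MAC bindings for hosts that must never move.
# The value for the NT4 PDC is taken from the original post.
EXPECTED_BINDINGS = {
    "192.168.0.1": "00:08:C7:33:F9:57",
}


@dataclass(frozen=True)
class ArpObservation:
    ts: str      # when the mapping was seen (constructed)
    ip: str      # IP address that answered
    mac: str     # MAC address carried in the ARP reply
    source: str  # which host's ARP cache reported it (constructed label)


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form so that
    00-C0-F0-12-EB-58 and 00:c0:f0:12:eb:58 compare equal."""
    return mac.strip().lower().replace("-", ":")


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02) of the first octet is set.
    A forged MAC that reuses a real vendor OUI, as in the thread, will NOT
    trip this, which is why the binding checks below matter more."""
    first_octet = int(normalize_mac(mac).split(":")[0], 16)
    return bool(first_octet & 0x02)


def detect_conflicts(observations, expected=EXPECTED_BINDINGS):
    """Return a list of alert strings for three conditions:
    1. a protected IP answered from a MAC other than its expected one,
    2. any IP seen with more than one MAC (IP conflict / ARP poisoning),
    3. one MAC answering for more than one IP (typical of an ARP
       man-in-the-middle relaying for several hosts).
    """
    alerts = []
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    expected_norm = {ip: normalize_mac(m) for ip, m in expected.items()}

    for obs in observations:
        mac = normalize_mac(obs.mac)
        ip_to_macs[obs.ip].add(mac)
        mac_to_ips[mac].add(obs.ip)
        want = expected_norm.get(obs.ip)
        if want is not None and mac != want:
            alerts.append(
                f"{obs.ts} CRITICAL protected host {obs.ip} answered from {mac} "
                f"(expected {want}); reported by {obs.source}"
            )

    for ip, macs in sorted(ip_to_macs.items()):
        if len(macs) > 1:
            alerts.append(f"CONFLICT {ip} claimed by {sorted(macs)}")

    for mac, ips in sorted(mac_to_ips.items()):
        if len(ips) > 1:
            alerts.append(f"MULTI-IP {mac} answers for {sorted(ips)}")

    return alerts


# Constructed ARP-cache snapshots mirroring the sequence in the thread:
# the PDC answers normally, the Win98 box holds an ordinary lease, then the
# PDC's address starts resolving to the Win98 box's NIC.
SAMPLE_OBSERVATIONS = [
    ArpObservation("2006-08-10 15:01", "192.168.0.1", "00:08:C7:33:F9:57", "backup-server"),
    ArpObservation("2006-08-10 15:02", "192.168.0.57", "00-C0-F0-12-EB-58", "backup-server"),
    ArpObservation("2006-08-10 16:30", "192.168.0.1", "00:C0:F0:12:EB:58", "backup-server"),
]


def run_sample():
    """Run the detector over the constructed snapshots; returns the alerts."""
    return detect_conflicts(SAMPLE_OBSERVATIONS)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Feeding real data in is a matter of periodically parsing `arp -a` on a couple of stable hosts (the backup server in the thread already had the poisoned entry) and appending each line as an observation; the first CRITICAL alert would have pointed at 00:C0:F0:12:EB:58 hours before the printers went away.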