[Dshield] [SPAM] Re: Network shut down by old pc
ltr at isc.upenn.edu
Sun Aug 13 19:34:05 GMT 2006
Could this be a sniffer using ARP spoofing? Cain and Abel will bring a
network down like that. The host responding to pings sent to other machines
makes it sound like this might be a possibility.
On 8/11/06 12:33 PM, "Mikel Williams" <mikelw at ruffinbuildingsystems.com>
> I had considered the possibility that a foreign DHCP server, such as a DSL
> router from home, had been installed into the network.
> However, that still would not account for the spoofed MAC address from the
> pc. I would be more ready to dismiss it as a "glitch" if it weren't for
> that spoofed MAC, which wasn't just a corrupted MAC. It was a validly
> formatted address, which identified the unit as a Cameo device commonly used
> in network switches. That to me indicates an attempt to hide the source of
> the offending traffic, and in my thinking is what makes it appear more as
> malicious activity of some sort as opposed to just a corrupted IP stack.
> Thanks for the response,
> ----- Original Message -----
> From: "John Dietz" <www.whitewolf at gmail.com>
> To: "General DShield Discussion List" <list at lists.dshield.org>
> Sent: Friday, August 11, 2006 7:42 AM
> Subject: [SPAM] Re: [Dshield] Network shut down by old pc
>> Of course I could be wrong, but it sounds to me like either the server
>> hosting the DHCP pool had a glitch (or was poisoned) and stopped excluding
>> the 192.168.0.1 IP or another computer was serving DHCP at the time and
>> didn't have the rule to exclude 192.168.0.1 from the pool. Do you maybe
>> have a BDC that could have decided to take over these requests after
>> communication with the PDC? Of course, without packet logs and without
>> knowing your network better, it would be hard to know for sure just what
>> happened, but this is at least my theory. Since you said all the
>> configurations on the Win 98 box are as they should be, I doubt it is the
>> victim of malicious code installed on it. It sounds a lot more like a
>> issue to me.
>> On 8/10/06, Mikel Williams <mikelw at ruffinbuildingsystems.com> wrote:
>>> Looking for info on possible cause of the following scenario:
>>> Small business network with primary domain controller, file server, and
>>> services provided by a
>>> Win NT 4.0 server, SP 6A, configured as follows;
>>> IP address of 192.168.0.1 (NIC's MAC address of 00:08:C7:33:F9:57)
>>> Providing services for the domain of DHCP, WINS, Primary DNS,
>>> file storage, and printer shares
>>> Most pc's running Win2K or Win XP, except for 2 older boxes still running
>>> (These 2 older boxes have been in the network for upwards of 10 years
>>> with no problems)
>>> Internet access across network is restricted to selected stations that
>>> gateway address and expanded DNS server list
>>> by DHCP reservation and gateway access control list on
>>> Here's the problem;
>>> Late yesterday afternoon domain users began having problems hitting
>>> printers, all shared from Primary Domain Controller.
>>> Subsequent checks showed that none of them could hit the server at
>>> but other network connection remained intact.
>>> Server event log revealed loss of network connection due to an IP address
>>> conflict, with a station having MAC address of 00:C0:F0:12:EB:58
>>> (Same MAC address also resolved using ARP from a backup server
>>> ping of 192.168.0.1)
>>> Check of cached info from root level switch for the network finds no
>>> for the offending MAC.
>>> Process of elimination by using perpetual ping from various stations as
>>> network branches and cables are unplugged lead
>>> to one of the old Win98 boxes, which has been running with no problems
>>> for years.
>>> (Offending PC immediately isolated from network pending further
>>> (Policies in effect on the pc prevented even myself from being able to
>>> get to the network configuration)
>>> This AM, after using policy editor to recover the system, all network
>>> configuration is as it was before;
>>> IP address by DHCP
>>> Since no DHCP server is available during isolation from network,
>>> Windows used auto-generated IP address of 169.254.158.91
>>> The real kicker, is that the MAC address of the offending NIC is
>>> I have no plans to re-introduce the renegade system into the network, as
>>> it's due for a replacement anyway.
>>> I am still wanting to find out what happened here, especially since it
>>> the appearance of originating from some form of malicious code.
>>> Have any of you experienced this issue, or know of any exploits which
>>> have this effect?
>>> The end result was a crash of the primary domain server, but the false
>>> address is equally disturbing.
>>> Thanks for any info,
>>> Mike Williams
>>> Learn from the founder of DShield how to secure your Internet presence
>>> with Linux, Apache, MySQL, PHP.
>>> Las Vegas, Oct. 2nd-6th 2006
>>> Details: http://www.sans.org/ns2006/description.php?tid=433
>>> (Brochure Code: ISC)
>>> send all posts to list at lists.dshield.org
>>> To change your subscription options (or unsubscribe), see:
>> There is intelligence is in having all the answers, but wisdom lies in
>> knowing which of the questions to answer.
David Taylor //Sr. Information Security Specialist
University of Pennsylvania Information Security
Philadelphia PA USA
Penn Information Security RSS feed
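The symptom described in the thread (the NT server's IP answered by a second MAC, found by ARP-resolving 192.168.0.1 from another host) is exactly what a passive ARP monitor catches. The following is an added example, not code from the list or from any poster: it parses raw Ethernet/ARP frames, pins the server's known IP-to-MAC binding, and raises an alert when a different MAC claims that IP or when a frame's Ethernet source does not match its ARP sender field (a common sign of a crafted frame). The frames it runs on are constructed inline for the example; only the two MACs and 192.168.0.1 come from the thread, the backup server's MAC and IP are assumed.

```python
"""Passive ARP conflict / spoof detector over raw Ethernet+ARP frames.

Added example for the DShield thread above; the sample frames are constructed
here, not captured from the poster's network.  The 192.168.0.1 binding and the
two MAC addresses are taken from the thread; the backup-server MAC/IP are assumed.
"""
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def ip_str(b): return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build a constructed Ethernet+ARP frame (used only as test input here)."""
    dst = BROADCAST if op == ARP_REQUEST else mac_bytes(target_mac)
    eth = ETH_HDR.pack(dst, mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, op,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "eth_src": mac_str(src), "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ArpWatch:
    """Tracks IP -> MAC claims seen on the wire and flags conflicting claims."""

    def __init__(self, pinned=None):
        # Pinned entries (e.g. the PDC's NIC) are never overwritten by what is observed.
        self.table = dict(pinned or {})

    def observe(self, frame):
        """Feed one frame; return a list of alert strings (empty if nothing suspicious)."""
        arp = parse_arp(frame)
        if arp is None:
            return []
        alerts = []
        if arp["eth_src"] != arp["sha"]:
            alerts.append(f"ethernet src {arp['eth_src']} != ARP sender {arp['sha']}")
        ip, mac = arp["spa"], arp["sha"]
        if ip == "0.0.0.0":          # ARP probe (RFC 5227): no ownership claim yet
            return alerts
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac      # first claim for this IP: learn it
        elif known != mac:
            alerts.append(f"{ip} claimed by {mac}, previously {known}")
        return alerts


# Values from the thread: the NT server's NIC and the MAC that conflicted with it.
SERVER_MAC, SERVER_IP = "00:08:c7:33:f9:57", "192.168.0.1"
ROGUE_MAC = "00:c0:f0:12:eb:58"
# Assumed for the example: the backup server that ARP-resolved 192.168.0.1.
BACKUP_MAC, BACKUP_IP = "00:11:22:33:44:55", "192.168.0.2"


def demo():
    """Replay a constructed exchange: legit reply, then the rogue host answering for the same IP."""
    watch = ArpWatch(pinned={SERVER_IP: SERVER_MAC})
    frames = [
        build_arp(ARP_REQUEST, BACKUP_MAC, BACKUP_IP, "00:00:00:00:00:00", SERVER_IP),  # backup pings PDC: who-has
        build_arp(ARP_REPLY, SERVER_MAC, SERVER_IP, BACKUP_MAC, BACKUP_IP),             # PDC answers normally
        build_arp(ARP_REPLY, ROGUE_MAC, SERVER_IP, BACKUP_MAC, BACKUP_IP),              # second host answers for 192.168.0.1
        build_arp(ARP_REQUEST, ROGUE_MAC, SERVER_IP, "00:00:00:00:00:00", SERVER_IP),   # gratuitous ARP from the rogue
    ]
    return [watch.observe(f) for f in frames]


if __name__ == "__main__":
    for i, alerts in enumerate(demo()):
        print(f"frame {i}: {alerts or 'ok'}")
```

On a live segment the same `ArpWatch.observe` would be fed frames from a raw socket or a pcap reader; pinning the domain controller's binding is what turns a "new host learned" event into a conflict alert instead of silently replacing the entry, which is how a poisoning tool wins against an unpinned cache.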