#162673 - 2006-05-31 10:26 AM OT: DHCP-scope eaten up by 'detective'
Björn Offline
Korg Regular
*****

Registered: 2005-12-07
Posts: 953
Loc: Stockholm, Sweden.
Oh no, it's me again

Have a tricky one - been searching around for a solution, but only found a bunch of the same question without any answers (and one with the question, but I will not pay $5 for something I don't have a clue if it will be a correct answer..).

A day ago I discovered that my dhcp-scope at home was... full, and the network was limited and kinda bloated. Scratched my head and thought oh well, have to check it tomorrow - today is that day, and that's when I found a couple of bogus mac-addys..
checking the time of lease, it makes no sense..

Code:

MAC-ADDRESS HOSTNAME DATE/TIME
7e:c5:99:d5:e9:80 detective 31/05/2006 00:03:14
32:f6:9e:7d:49:dc detective 31/05/2006 00:02:58
8e:66:83:ef:57:49 detective 31/05/2006 00:03:22
4d:c8:43:bb:8b:a6 detective 31/05/2006 00:02:42
45:3b:13:0d:89:0a detective 31/05/2006 00:02:50
a1:22:f6:22:91:9d detective 31/05/2006 00:03:06
(note that time is 24h, date format is DD/MM/YYYY)


No sense as in if it were scripted, the time of lease seems a bit weird, some symmetry should be obvious, as the hostname...

Does anyone have any idea what I am dealing with here?
Happened to anyone else?
_________________________
as long as it works - why fix it?
If it doesn't work - kix-it!
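
A quick triage of the lease table from the post above, as an added example that is not part of the original thread: it groups leases by hostname, checks the two low bits of each MAC's first octet (multicast and locally administered), and measures the spacing between lease times. The function names and the `min_macs` threshold are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime

# Lease rows exactly as posted in the thread (DD/MM/YYYY, 24h clock).
LEASES = """\
7e:c5:99:d5:e9:80 detective 31/05/2006 00:03:14
32:f6:9e:7d:49:dc detective 31/05/2006 00:02:58
8e:66:83:ef:57:49 detective 31/05/2006 00:03:22
4d:c8:43:bb:8b:a6 detective 31/05/2006 00:02:42
45:3b:13:0d:89:0a detective 31/05/2006 00:02:50
a1:22:f6:22:91:9d detective 31/05/2006 00:03:06
"""

def parse_leases(text):
    """Return (mac, hostname, datetime) tuples; skip lines that do not fit."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        mac, host, date, clock = parts
        when = datetime.strptime(f"{date} {clock}", "%d/%m/%Y %H:%M:%S")
        rows.append((mac.lower(), host, when))
    return rows

def mac_flags(mac):
    """Decode the I/G (multicast) and U/L (locally administered) bits."""
    first = int(mac.split(":")[0], 16)
    return {"multicast": bool(first & 0x01), "local": bool(first & 0x02)}

def suspicious_hosts(rows, min_macs=3):
    """Report hostnames that hold leases under many different MACs."""
    by_host = defaultdict(list)
    for mac, host, when in rows:
        by_host[host].append((when, mac))
    report = {}
    for host, entries in by_host.items():
        macs = {m for _, m in entries}
        if len(macs) < min_macs:
            continue
        times = sorted(w for w, _ in entries)
        report[host] = {
            "macs": len(macs),
            "multicast": sorted(m for m in macs if mac_flags(m)["multicast"]),
            "local": sorted(m for m in macs if mac_flags(m)["local"]),
            "gaps_s": [int((b - a).total_seconds()) for a, b in zip(times, times[1:])],
        }
    return report

if __name__ == "__main__":
    print(suspicious_hosts(parse_leases(LEASES)))
```

On the six posted rows, the lease times sorted in order are each 8 seconds apart. Three of the MACs have the multicast bit set, which is not a valid Ethernet source address, and the other three are locally administered, so none carries a vendor-assigned prefix.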

#162674 - 2006-05-31 10:31 AM Re: OT: DHCP-scope eaten up by 'detective'
Mart Moderator Offline
KiX Supporter
*****

Registered: 2002-03-27
Posts: 4673
Loc: The Netherlands
Virus/Spyware?
_________________________
Mart

- Chuck Norris once sold ebay to ebay on ebay.

#162675 - 2006-05-31 10:40 AM Re: OT: DHCP-scope eaten up by 'detective'
Mart Moderator Offline
KiX Supporter
*****

Registered: 2002-03-27
Posts: 4673
Loc: The Netherlands
Some extra info.
Maybe you already found these links. They talk about WLAN being hacked by a wardriver and MS doing some weird magic.

http://forum.tecchannel.de/forum/thread3544.html (in German but not too difficult to read)
http://www.the-scream.co.uk/forums/t21559.html
_________________________
Mart

- Chuck Norris once sold ebay to ebay on ebay.

#162676 - 2006-05-31 10:53 AM Re: OT: DHCP-scope eaten up by 'detective'
Björn Offline
Korg Regular
*****

Registered: 2005-12-07
Posts: 953
Loc: Stockholm, Sweden.
Thanks Mart, yeah, found similar links, but just hit the nail I think - it's related to my test-server at home running 2k3.. just started thinking about returning it to work instead ;P (all that has been doing is creating problems).

http://www.derkeiler.com/Newsgroups/alt.computer.security/2004-11/0284.html seems to confirm my suspicion, seems to be something about having a fixed lease..

No, I don't have any wlan up and running just due to the fact that it's too easy to break into (and I don't know the ppl living in the area around me...).
So, yeah. It's some MS-magic.

Thanks again for the help Mart.
_________________________
as long as it works - why fix it?
If it doesn't work - kix-it!

#162677 - 2006-05-31 10:55 AM Re: OT: DHCP-scope eaten up by 'detective'
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11629
Loc: CA
Well I'm assuming you're running Wireless in either open mode or weak WEP which can be broken rather easily.

If this is a wired connection router then yeah would think along the lines of Mart in that someone owns your box and you best run some Anti-Spyware and Anti-Rootkit tools on it.

Because someone has broken into or is using your wireless connection does not mean they have access to your systems, but could mean that they do.

Not a bad idea to run a good Anti-Spyware just in case.

Really recommend WPA2 with AES for Wireless security.

#162678 - 2006-05-31 10:58 AM Re: OT: DHCP-scope eaten up by 'detective'
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11629
Loc: CA
Well if it is 2003 w/SP1 then yeah I'd say it's weird as I run a production box like that and I don't have that problem and I've rebooted it quite a few times in the past few months for the annoying Microsoft Critical updates.
#162679 - 2006-05-31 11:00 AM Re: OT: DHCP-scope eaten up by 'detective'
Björn Offline
Korg Regular
*****

Registered: 2005-12-07
Posts: 953
Loc: Stockholm, Sweden.
Thanks for the input Doc, but I am thinking in the lines of my previous post that also states that I do not run any wlan, but when I do run it, it's locked down as hard as my wlan router allows.

I am being precautious tho - shutting down everything and going thro it.
And yeah, I have ad-aware/spyware/antivirus and firewalls enabled and updated on all my machines (or, supposed to have).
_________________________
as long as it works - why fix it?
If it doesn't work - kix-it!

#162680 - 2006-05-31 11:02 AM Re: OT: DHCP-scope eaten up by 'detective'
Björn Offline
Korg Regular
*****

Registered: 2005-12-07
Posts: 953
Loc: Stockholm, Sweden.
Two of the links I've found stated something about this might occur when you have a fixed dhcp-lease on a win32 server. This is quite amusing, because it's not actually the server that has it, it's a virtual card from vm-ware that owns it and operates on it ;P
_________________________
as long as it works - why fix it?
If it doesn't work - kix-it!

#162681 - 2006-05-31 11:06 AM Re: OT: DHCP-scope eaten up by 'detective'
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11629
Loc: CA
And that VMware box is up to date w/SP1 and all critical updates?

If this was an on-going problem I'd think MS would want to address it, as long as one can positively verify that 2003 is the cause.

#162682 - 2006-05-31 11:31 AM Re: OT: DHCP-scope eaten up by 'detective'
Björn Offline
Korg Regular
*****

Registered: 2005-12-07
Posts: 953
Loc: Stockholm, Sweden.
Actually, the VMware box is a debian-box, but yes, updated and so on. The system running VMware is w/sp1 with all updates. I will try to pinpoint what's actually causing it. One other trend I've been seeing when searching is that my router - ipcop has been involved in most of the cases.
_________________________
as long as it works - why fix it?
If it doesn't work - kix-it!
