Rogue DHCP server


black
Last Monday we started having people getting 192.168.233.xxx IP addresses in the office. An ipconfig shows the IP and mask but no gateway address. The DHCP server IP is 192.168.233.254 but is not pingable. The MAC address is a VMware address. It also keeps changing. Wireshark shows IPs in the 192.168.233.xxx range trying to connect to 192.168.233.1 and 192.168.233.254 without success.

We do have 2 wireless networks but they are using different IP ranges. I was able to access one of our switches and extract the ARP table but it does not show either the IP or MAC address of the DHCP server. I do not have access to the other 2 switches and do not have the proper console cables for them. HP is shipping me a pair but they will not be here until next week. I have checked most of the desktops and all the VMs running on our blade server for the MAC address without success. As a software company we have hundreds of VMs running at any given time for development, QA and support. I have not been able to get any response from corporate IT since Monday and am about ready to just shut down the switches one at a time until it stops and then start that switch again and pull cables until it stops again. Does anyone have a better idea?

Thanks
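An added example, not code from the thread: a small Python parser that pulls DHCP OFFERs out of captured Ethernet frames (the view Wireshark gives) and flags the three symptoms the post describes: a server identifier that is not the site's approved DHCP server, a VMware OUI on the server's source MAC, and an offer that carries no router option. The approved-server address 10.0.0.1, the sample MACs and the build_offer_frame helper are assumptions constructed for the demonstration; the 192.168.233.x values are the ones from the post. Fed with frames from a real capture, the same classify() check gives a per-offer verdict that can be correlated with the switch port the frame arrived on.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Assumption: the site's one legitimate DHCP server (hypothetical address).
APPROVED_SERVERS = {"10.0.0.1"}
# VMware OUIs (first three MAC octets); the post reports a VMware MAC on the rogue.
VMWARE_OUIS = {"00:0c:29", "00:50:56", "00:05:69"}
DHCP_MAGIC = b"\x63\x82\x53\x63"  # magic cookie that starts the DHCP option block


@dataclass
class Offer:
    server_mac: str
    server_id: str
    offered_ip: str
    subnet_mask: Optional[str]
    router: Optional[str]


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_options(data: bytes) -> dict:
    """Decode the TLV option block that follows the magic cookie."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:      # pad byte
            i += 1
            continue
        if code == 255:    # end of options
            break
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_offer(frame: bytes) -> Optional[Offer]:
    """Walk Ethernet -> IPv4 -> UDP -> BOOTP; return the Offer, or None if not one."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType must be IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4                          # IPv4 header length
    if frame[23] != 17:                                   # protocol must be UDP
        return None
    udp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", udp[:4])
    if (sport, dport) != (67, 68):                        # server -> client ports
        return None
    bootp = udp[8:]
    if len(bootp) < 240 or bootp[0] != 2 or bootp[236:240] != DHCP_MAGIC:
        return None                                       # op 2 = BOOTREPLY
    opts = parse_options(bootp[240:])
    if opts.get(53) != b"\x02":                           # message type 2 = OFFER
        return None
    sid = opts.get(54)                                    # server identifier
    return Offer(
        server_mac=_mac(frame[6:12]),
        server_id=_ip(sid) if sid else _ip(frame[26:30]),  # fall back to IP source
        offered_ip=_ip(bootp[16:20]),                      # yiaddr
        subnet_mask=_ip(opts[1]) if 1 in opts else None,
        router=_ip(opts[3]) if 3 in opts else None,
    )


def classify(offer: Offer) -> list:
    """Reasons an offer looks rogue; an empty list means it is from an approved server."""
    reasons = []
    if offer.server_id not in APPROVED_SERVERS:
        reasons.append(f"server {offer.server_id} is not on the approved list")
    if offer.server_mac[:8] in VMWARE_OUIS:
        reasons.append("server MAC has a VMware OUI")
    if offer.router is None:
        reasons.append("offer carries no router (option 3), matching the symptom")
    return reasons


def build_offer_frame(src_mac, server_ip, client_ip, mask, router=None) -> bytes:
    """Construct a minimal DHCP OFFER frame for testing (checksums left at zero)."""
    octets = lambda ip: bytes(map(int, ip.split(".")))
    options = b"\x35\x01\x02" + b"\x36\x04" + octets(server_ip) + b"\x01\x04" + octets(mask)
    if router:
        options += b"\x03\x04" + octets(router)
    options += b"\xff"
    bootp = b"\x02\x01\x06\x00" + b"\x00" * 12 + octets(client_ip)   # op..ciaddr, yiaddr
    bootp += b"\x00" * 216 + DHCP_MAGIC + options                   # siaddr..file, cookie
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     octets(server_ip), octets(client_ip)) + udp
    return b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00" + ip


if __name__ == "__main__":
    # Constructed sample: the rogue offer from the post, then a legitimate one.
    for frame in (build_offer_frame("00:0c:29:aa:bb:cc", "192.168.233.254",
                                    "192.168.233.17", "255.255.255.0"),
                  build_offer_frame("00:11:22:33:44:55", "10.0.0.1",
                                    "10.0.0.50", "255.255.255.0", router="10.0.0.254")):
        offer = parse_offer(frame)
        print(offer.server_mac, offer.server_id, offer.offered_ip, classify(offer) or "approved")
```

Because the source MAC is taken from the Ethernet header, not from the DHCP payload, it is the value to look up in the switches' MAC forwarding tables (show mac-address on a ProCurve) rather than in the ARP tables the poster searched; a layer-2 device forwarding the frame need not have an ARP entry for the server's IP at all.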
    NickNielsen Moderator

    Somebody built a VM and didn't bother (or didn't know how) to disable DHCP in the session.

    And why are you buying console cables from HP? If you have physical access to the switch, just use the appropriate cable for the console port: null modem or Cat 5 crossover. I've never seen an HP blade switch, but I've heard that for those you can break out your Blackberry or USB drive cable.

    black

    I didn't buy the cables - they gave them to me. They are not blade switches, they are ProCurves and it turns out that they use LapLink cables but they did not tell me that. I got into all the switches and extracted the ARP tables. There are no entries for the IP or MAC addresses in question.

    Also the MAC address of the DHCP server keeps changing. I have isolated one server where when I unplugged the NIC I would get the proper IP range through DHCP, and when I plugged it back in I would get the 192.168.233.xxx IP. The server is Windows 2003 Standard without any Active Directory stuff installed and only Symantec Endpoint and HP ProCurve Manager installed. It has no VMware stuff at all. Leaving it off, everything worked fine. After about 20 minutes the problem resurfaced with the same IP range. This morning at 6:30AM DHCP was working properly. At 7:00AM I am getting the bad IPs. During this time nobody else came into the office. I walked around and checked. However, an engineer could have VPNed in and started a VM. I am next going to segment the network with dual-homed computers running a Linux firewall passing everything but DHCP to try to track down where this VM or VMs are located. We have well over 500 of them.

    NickNielsen Moderator

    The MAC is on the network, but it isn't in an ARP table? Unless I've totally misunderstood switching for the past 10 years, that's just not possible. If it's on the network, that MAC has gotta be in an ARP table somewhere.

    The only conclusion I can reach is there's a switch somewhere that you haven't found yet. That or you have multiple systems infected with some kind of server bot.

    Edit: You will probably get more (and better) help over in the Questions forum. Click on the "Ask a Question" end of the Start a Discussion button and post all the information you've provided here. There are TR peers who hang around in the questions forum, waiting for an opportunity to answer somebody's question. Don't forget to reward the good answers by marking them helpful.
