DNS Spoof/Hijack/Poison

By hbombvi
I'm not sure what the proper terminology is in this matter, but this has been driving me nuts.

Here's the situation. In my network, DHCP is assigned by the router. Every once in a while (for the past couple of weeks) when my users turn on their computers they pick up the address of another computer in the network as the DNS server. Now it's always the same address and I've tracked down the computer that I believe is causing this problem but I can't find a thing wrong on it. So far I've run two full Malwarebytes scans and a full Symantec Antivirus scan. Nada!

I've checked that computer a few times now. It never fails to get the right DNS servers from the router.

Now here's the really weird part. In the past when this happened the users who got the wrong DNS entry couldn't access the Internet at all until I asked them to repair their network settings after which they get the right DNS entries. But today I've managed to surf the Internet for a full hour before I realized some slowdown and checked my DNS entry. To my surprise, it was the IP of that very machine.

Anyone ever deal with anything like this? I'd appreciate any ideas.

This thing is AMAZING

by hbombvi In reply to DNS Spoof/Hijack/Poison

Just to further test, I pulled the laptop into my office and plugged it into an isolated hub. Then I plugged my laptop into it.

The infected laptop is definitely running its own DHCP server. Before it seemed like only the DNS was picking up, but with just my laptop with the infected laptop I'm getting its IP address as my DHCP server, default gateway AND DNS server. I'm surprised because I did check the services on the laptop to see if DHCP Server Services was running.

Does this offer any additional insight?
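As an added example (not part of this thread or any poster's code), here is a defender-side check for the behaviour hbombvi describes: parse a DHCP OFFER/ACK and flag any offer whose server identifier is not the router. The addresses, the allow-list and the sample packet are constructed assumptions for illustration.

```python
import struct
from ipaddress import IPv4Address

# Assumed: the only legitimate DHCP server on this LAN is the router.
AUTHORIZED_SERVERS = {"192.168.1.1"}

def parse_dhcp_options(payload: bytes) -> dict:
    """Parse the RFC 2132 option TLVs that follow the BOOTP header and magic cookie."""
    # The fixed BOOTP header is 236 bytes; the DHCP magic cookie 0x63825363 follows it.
    if len(payload) < 240 or payload[236:240] != b"\x63\x82\x53\x63":
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:        # pad option, single byte
            i += 1
            continue
        if code == 255:      # end option
            break
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def classify_offer(payload: bytes, authorized=AUTHORIZED_SERVERS):
    """Return server/router/DNS from a DHCPOFFER or DHCPACK and whether the server is rogue."""
    opts = parse_dhcp_options(payload)
    msg_type = opts.get(53, b"\x00")[0]
    if msg_type not in (2, 5):   # 2 = DHCPOFFER, 5 = DHCPACK; ignore client messages
        return None
    server = str(IPv4Address(opts[54]))                     # option 54: server identifier
    router = str(IPv4Address(opts[3])) if 3 in opts else None   # option 3: default gateway
    dns = [str(IPv4Address(opts[6][k:k + 4]))              # option 6: one or more DNS servers
           for k in range(0, len(opts.get(6, b"")), 4)]
    return {"server": server, "router": router, "dns": dns,
            "rogue": server not in authorized}

def build_offer(server: str, router: str, dns: str) -> bytes:
    """Constructed sample DHCPOFFER: minimal BOOTP reply header plus the options we inspect."""
    header = bytes([2, 1, 6, 0]) + b"\x00" * 232            # op=BOOTREPLY, htype=Ethernet
    options = (b"\x35\x01\x02"                             # 53: DHCPOFFER
               + b"\x36\x04" + IPv4Address(server).packed  # 54: server identifier
               + b"\x03\x04" + IPv4Address(router).packed  # 3: router
               + b"\x06\x04" + IPv4Address(dns).packed     # 6: DNS server
               + b"\xff")                                  # end
    return header + b"\x63\x82\x53\x63" + options

if __name__ == "__main__":
    # An offer from a workstation that names itself as gateway and DNS, as in the thread.
    print(classify_offer(build_offer("192.168.1.57", "192.168.1.57", "192.168.1.57")))
```

Run against live traffic, this kind of check (or the equivalent DHCP snooping on a managed switch) catches the offending host without having to trace each client's wrong DNS entry by hand.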

Did you read my post?

by Michael Kassner Contributor In reply to This thing is AMAZING

I've pretty much explained what is more than likely going on, as it's a rather common exploit.

I did

by hbombvi In reply to Did you read my post?

That's where I got the idea to isolate the laptop in order to test it. You nailed it!

Once I update my copy of Ultimate Boot CD I'll probably try to clear whatever is causing the issue from there but for now I don't think it can cause any more harm.

Temporary Fix

by hbombvi In reply to This thing is AMAZING

It doesn't kill whatever causes it, but it puts a fair bandage on it. The best solution I could come up with was to block his DHCP ports with a firewall. I installed Comodo and blocked ports 67 and 68. With the static IP he can still use the Internet. As long as he never needs to use a wired connection anywhere else he'll be fine.

This will at least keep him out of my hair until his office assigns him a work PC.

Thanks again for all the help everyone.

Good idea

by Michael Kassner Contributor In reply to Temporary Fix

I didn't think of using a firewall on the computer in question to block outgoing traffic, very cool.

I'm guessing it might be:

Trojan.Flush.M

If you want to check it out.

As Vincent Furnier once said...

by The 'G-Man.' In reply to DNS Spoof/Hijack/Poison

One look could kill
My pain, your thrill!
