DHCP delivers wrong addresses


Boris Haghofer

Hi folks!

We have a W2K domain with a DHCP server installed on one
of our domain controllers.
All worked fine for months but suddenly all clients get
strange IPs from the/a DHCP server without having made
changes on the DC.
We are using the IP range 192.168.193.* and the clients
are getting IPs of this format: 192.168.117.*

We have checked all configurations but didn't find the
failure so far.

When I type ipconfig /all I get another DHCP server with a
192.168.117. IP. But there isn't such an IP in our network!

Can anybody give me hints or lead me to a solution?
Could this be a kind of virus or something similar?

kind regards
Boris Haghofer
 
> When I type ipconfig /all I get another DHCP server with a
> 192.168.117. IP. But there isn't such an IP in our network!

Apparently there is. I'd advise tracking down that machine by whatever
means you have. I'd suggest using nbtstat to see if anyone is logged into
the machine. If you recognise a user id, you have the culprit. Depending
on the environment you could check the switch configuration for a port
reporting a mac address matching the mac address on that rogue dhcp
server. Use getmac to get the mac address from ip - although I think
nbtstat reports it as well.

--
John LeMay
kc2kth
Senior Technical Manager
NJMC | http://www.njmc.com | Phone 732-557-4848
Specializing in Microsoft and Unix based solutions
 
Could even be the router.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Hello All,

I would also check the DHCP logs to see if there are any rogue DHCP servers
out there on the wire.

By default the DHCP log path is C:\WINNT\System32\dhcp. The logs will have
an extension that correlates with the day of the week. (example:
DhcpSrvLog.Sat for the log created on Sat.) The logs can be opened with
notepad.

Log Analysis is relatively simple. Any code over 50 is used for rogue
server detection.

Example:
51, 01/13/03, 04:35:29:51, Authorization succeeded, parent.com

If an authorized DHCP server detects another unauthorized DHCP server a
code 62 will be logged along with an IP address of the offending server.

Example:
62, 01/13/03, 04:35:29:61, Another server found, 192.168.1.5

Once detected, find that device and unplug from the network.

The log entries for the clients will show an IP assignment in the log.

Example:
10,01/14/03,05:24:45,Assign,10.88.1.21,test.,000103D09796
11,01/14/03,05:24:48,Renew,10.88.1.21,test.,000103D09796

Machine name is "test"

Code 10 is a new IP address was leased to a client.
Code 11 is a lease was renewed by a client.

This can be used as a troubleshooting tool. If a client receives a bogus
IP address and is NOT showing up in the logs most likely it is receiving a
lease from an unauthorized device. Check the server entry codes 50 and
above for the rogue device.

Netmon
A client side netmon trace will help ascertain what device is actively
participating as a DHCP server. Look at the DHCP OFFER, take note to the
DHCP "server identifier" field for the IP address of the DHCP service. This
can be used in conjunction with the DHCP server logs as two forms of a
cross reference against each other. Example on the next slide.

DHCP: Server IP Address (siaddr) = 157.57.131.133
DHCP: Relay IP Address (giaddr) = 157.57.56.1
DHCP: Client Ethernet Address (chaddr) = 00C04F52BFDA
DHCP: Server Host Name (sname) = <Blank>
DHCP: Boot File Name (file) = <Blank>
DHCP: Magic Cookie = 99.130.83.99
DHCP: Option Field (options)
DHCP: DHCP Message Type = DHCP Offer
DHCP: Subnet Mask = 255.255.248.0
DHCP: Renewal Time Value (T1) = 8 Days, 0:00:00
DHCP: Rebinding Time Value (T2) = 14 Days, 0:00:00
DHCP: IP Address Lease Time = 16 Days, 0:00:00
DHCP: Server Identifier = 157.57.131.133

The server identifier is 157.57.131.133 which is the DHCP server.

I hope this helps.


Shane Brasher
MCSE (2000,NT),MCSA, A+
Microsoft Platforms Support
Windows NT/2000 Networking
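The two checks Shane describes above, the DHCP server audit log (codes 50 and up for server events, 10/11 for client leases) and the DHCPOFFER "server identifier" field from a client-side trace, can be cross-referenced in a small script. The following is an added example, not code from the thread or from Microsoft: it parses a constructed log in the DhcpSrvLog layout shown above, lists every server-side event that names another DHCP server, reports client leases seen on the wire that the authorized server never logged, and decodes a constructed DHCPOFFER (RFC 2131 fixed header plus option 53/54) to compare its server identifier against the list of servers you actually run. The sample log lines, client list, authorized-server list and packet bytes are all constructed for the example.

```python
import ipaddress
import struct

# Constructed audit-log lines in the DhcpSrvLog format quoted in the thread
# (ID, Date, Time, Description, IP Address, Host Name, MAC Address).
SAMPLE_LOG = """\
51, 01/13/03, 04:35:29:51, Authorization succeeded, parent.com
62, 01/13/03, 04:35:29:61, Another server found, 192.168.117.2
10,01/14/03,05:24:45,Assign,192.168.193.21,test.,000103D09796
11,01/14/03,05:24:48,Renew,192.168.193.21,test.,000103D09796
"""

# Constructed (MAC, IP) pairs as read from "ipconfig /all" on two clients.
OBSERVED_CLIENTS = [("000103D09796", "192.168.193.21"),
                    ("000103D0A1B2", "192.168.117.50")]

# Constructed: the DHCP servers this domain actually runs.
AUTHORIZED_SERVERS = {"192.168.193.10"}

MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST",
                 5: "DHCPACK", 6: "DHCPNAK"}
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # 236-byte fixed BOOTP header
MAGIC_COOKIE = b"\x63\x82\x53\x63"           # 99.130.83.99


def _as_ip(text):
    try:
        return ipaddress.IPv4Address(text)
    except ValueError:
        return None


def parse_log(text):
    """Split audit-log lines on commas; tolerate the spaced and unspaced variants."""
    records = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) < 4 or not parts[0].isdigit():
            continue                     # header or blank line
        parts += [""] * (7 - len(parts))
        records.append({"code": int(parts[0]), "description": parts[3],
                        "ip": parts[4], "host": parts[5].rstrip("."),
                        "mac": parts[6].upper()})
    return records


def rogue_server_events(records):
    """Server-side events (code >= 50) that carry the IP of another DHCP server."""
    return [(r["code"], r["description"], r["ip"])
            for r in records if r["code"] >= 50 and _as_ip(r["ip"])]


def unexplained_leases(records, observed):
    """Client leases seen on the wire that the authorized server never assigned or renewed."""
    logged = {(r["mac"], r["ip"]) for r in records if r["code"] in (10, 11)}
    return [(mac, ip) for mac, ip in observed if (mac.upper(), ip) not in logged]


def build_sample_offer(siaddr, giaddr, chaddr_hex, server_id, yiaddr="0.0.0.0"):
    """Constructed DHCPOFFER for testing; not a real capture."""
    fixed = struct.pack(
        HEADER_FMT, 2, 1, 6, 0, 0x3903F326, 0, 0x8000, bytes(4),
        ipaddress.IPv4Address(yiaddr).packed, ipaddress.IPv4Address(siaddr).packed,
        ipaddress.IPv4Address(giaddr).packed,
        bytes.fromhex(chaddr_hex).ljust(16, b"\x00"), bytes(64), bytes(128))
    options = (MAGIC_COOKIE + b"\x35\x01\x02"                          # 53: OFFER
               + b"\x01\x04" + ipaddress.IPv4Address("255.255.255.0").packed
               + b"\x36\x04" + ipaddress.IPv4Address(server_id).packed  # 54: server id
               + b"\xff")
    return fixed + options


def parse_offer(packet):
    """Decode the fields the thread's Netmon trace shows, including option 54."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (bad length or magic cookie)")
    f = struct.unpack(HEADER_FMT, packet[:236])
    info = {"siaddr": str(ipaddress.IPv4Address(f[9])),
            "giaddr": str(ipaddress.IPv4Address(f[10])),
            "chaddr": f[11][:f[2]].hex().upper(),
            "message_type": None, "server_identifier": None}
    i = 240
    while i < len(packet) and packet[i] != 255:
        if packet[i] == 0:               # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            break                        # truncated option list
        tag, length = packet[i], packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if tag == 53 and length == 1:
            info["message_type"] = MESSAGE_TYPES.get(value[0], value[0])
        elif tag == 54 and length == 4:
            info["server_identifier"] = str(ipaddress.IPv4Address(value))
        i += 2 + length
    return info


def check_offer(info, authorized):
    """None if the offer came from a server we run, otherwise a reason string."""
    if info["message_type"] != "DHCPOFFER":
        return None
    sid = info["server_identifier"]
    if sid is None:
        return "offer carries no server identifier (option 54)"
    if sid not in authorized:
        return f"offer from unauthorized server {sid}"
    return None


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("rogue events:", rogue_server_events(recs))
    print("unexplained leases:", unexplained_leases(recs, OBSERVED_CLIENTS))
    offer = parse_offer(build_sample_offer("192.168.117.2", "0.0.0.0",
                                           "000103D0A1B2", "192.168.117.2",
                                           yiaddr="192.168.117.50"))
    print(offer, check_offer(offer, AUTHORIZED_SERVERS))
```

Both signals point at the same address when a rogue is active: the code 62 line from the authorized server names it, and the option 54 server identifier in the OFFER the client accepted names it again, while the client's lease never appears as a code 10/11 entry. The MAC in chaddr is the one you would then look for in the switch's forwarding table, as John suggested.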
 