Funny stuff in my dhcp table

Red Squirrel

No Lifer
May 24, 2003
70,669
13,835
126
www.anyf.ca
Has anyone seen anything like this before?

h4x0rs_in_teh_r0u73r.png


Is it H4X0Rs trying to get DHCP off my external interface? Is that even possible? Whatever it is, it is stopping any win2k VM from getting an IP, but win2k3 VMs are fine... well, the 254 entry is actually the win2k VM, but it's not actually getting that IP.

I cleared it all and everything is gone but the win2k3 box is still getting a .128 address (range starts at 100) and the win2k box is still getting the 254 IP (well according to the table) but not showing at all in windows itself.

And if it was some kind of exploit, those MAC addresses would have to be all the same, right? (MAC address of the interface of my ISP's equipment that I'm plugged into) So it's more like random data going and producing these weird results. This is an older model Linksys router.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Secure your wireless. You are being actively hacked.

-edit- And once a DHCP client obtains an address, it will normally keep it. Hence why the clients you're talking about get the same addresses.
 

Red Squirrel

Nope no wireless on this router, and no wireless access points anywhere, and if I did have wireless it would be secured, unlike all those noobs out there that just leave it wide open.

I did notice something really weird going on on my network though. Easier to just look at the scan. (Hopefully this won't reveal confidential info that I'll regret, but I can't see anything potentially secret in there really...)

http://www.iceteks.com/misc/dhcp.cap

The win2k box is 00-0C-29-52-C4-96

I have a win2k3 VM which works fine, and yeah, it makes sense now that it's still getting .128 since I had forgotten about that: DHCP reassigns the same IP to the same MAC if it can.

I blew away the VM and replaced it with my master VM, and it's still doing this issue. Now the master VM has tons of disabled services and stuff so it's still a potential that it's a problem at win2k's end, though this VM DID work before. But I recently added a Linux domain controller to my network, so maybe somehow the issue is with that, though I can't see how. (The DC is not being used yet - I was actually just about to test it out till I ran into this issue.)


Oh another thing, if I try to do an ipconfig /renew (under admin account) on the win2k box I get this:

The following error occurred when renewing adapter Local Area Connection: Unexpected network failure or insufficient access
 

Cloud Strife

Banned
Aug 12, 2006
475
0
0
Oh another thing, if I try to do an ipconfig /renew (under admin account) on the win2k box I get this:

The following error occurred when renewing adapter Local Area Connection: Unexpected network failure or insufficient access

Is this in an Active Directory network? I assume so if you have a Windows 2003 box. Try logging in under Domain administrator and renewing your IP again.

How is your network being broken into if you don't have any wireless access points?
 

Red Squirrel

The win2k3 boxes aren't on a domain so no AD environment. I'm actually wanting to migrate everything to a Linux domain controller so the DC is running but no joined boxes yet. No weird clients in my DHCP table so far though, but the win2k box does appear on and off if I turn it on. But from Windows, it won't actually show/use the IP.
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
Now the master VM has tons of disabled services and stuff so it's still a potential that it's a problem at win2k's end
Ayup.

What services did you disable? Why?

Although, I have a feeling it has to do with VMware. Are you running the VMware DHCP? That could be what's causing the NAK.

The first IP in your list comes back to DISANET, part of DoD. The others appear to be from ISP blocks.
 

Red Squirrel

Hmm scary, could it actually be someone from DoD trying to get on my network or something?


I solved the issue with the win2k box not getting an IP though. Somehow it was a MAC conflict. It's possible I guess, in VMware, as it could generate the same MAC twice, though I did not find which other machine had that MAC. But changing the MAC solved the issue.
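
Added example (not code from the thread or any of its posters): a small audit over a constructed client list that flags the conditions discussed above, namely entries outside the LAN subnet, leases outside the DHCP pool, and two hosts sharing one MAC. The subnet, the pool end (149), the hostnames and every row except the Win2k VM MAC quoted in the thread are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: router DHCP client table merged with a VM inventory.
# Only 00-0C-29-52-C4-96 comes from the thread; 198.51.100.7 is a
# documentation address standing in for an unexpected public entry.
SAMPLE_TABLE = """\
win2k3-vm   192.168.1.128   00-0C-29-AA-BB-01
win2k-vm    192.168.1.254   00-0C-29-52-C4-96
master-vm   192.168.1.101   00:0c:29:52:c4:96
unknown     198.51.100.7    00-11-22-33-44-55
"""

# OUI prefixes registered to VMware (auto-generated VM MACs use 00:0c:29).
VMWARE_OUIS = {"00:0c:29", "00:50:56", "00:05:69", "00:1c:14"}

def norm_mac(mac):
    """Normalize 00-0C-29-... or 00:0c:29:... to lowercase colon form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit(table, subnet="192.168.1.0/24", pool=(100, 149)):
    """Return {hostname: [findings]} for every row in the table."""
    net = ipaddress.ip_network(subnet)
    rows, hosts_by_mac = [], defaultdict(set)
    for line in table.strip().splitlines():
        host, ip, mac = line.split()
        mac = norm_mac(mac)
        rows.append((host, ipaddress.ip_address(ip), mac))
        hosts_by_mac[mac].add(host)
    report = {}
    for host, ip, mac in rows:
        findings = []
        if ip not in net:
            findings.append("outside LAN subnet")
        elif not pool[0] <= int(ip) - int(net.network_address) <= pool[1]:
            findings.append("outside DHCP pool")
        if len(hosts_by_mac[mac]) > 1:
            findings.append("duplicate MAC")
        if mac[:8] in VMWARE_OUIS:
            findings.append("VMware OUI")
        report[host] = findings
    return report

if __name__ == "__main__":
    for host, findings in audit(SAMPLE_TABLE).items():
        print(f"{host:10} {', '.join(findings) or 'ok'}")
```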