Hacker on internal net: DHCP
From: dougga (dontsendhere_at_spam.org)
Date: Fri, 05 Nov 2004 18:50:14 -0800
I've been investigating a strange lease on one of my DHCP servers that as
far as I can tell should not be there for any legitimate reason.
Here are the logs from the server:
2004:11:01-12:46:32 (none) dhcpd: DHCPDISCOVER from 4d:c8:43:bb:8b:a6 via
2004:11:01-12:46:33 (none) dhcpd: DHCPOFFER on 10.1.255.254 to
In my investigation I've run into several people who have seen this exact
MAC address and many reports of this same host name, "detective".
I'm beginning to suspect a hacker or a worm of some kind.
Here are links to some of the folks who have reported similar findings:
http://www.ixus.net/resume_messages.php?topic=13792 [in French]
Can anyone help shed some light on this?
If you have access to your company's dhcp server, you might take a quick
look at the logs. Perhaps I'm missing something in an RFC somewhere.
Much thanks for any help.
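Added example, not from the post or from ISC dhcpd: a small Python parser for dhcpd syslog lines in the layout quoted above, grouping each client's DISCOVER/OFFER/REQUEST/ACK exchange by MAC so a lease can be checked against a watched MAC or host name. The sample lines, the interface name eth0 and the REQUEST/ACK lines are constructed; only the MAC 4d:c8:43:bb:8b:a6, the offered address and the host name "detective" come from the post.

```python
import re
from collections import defaultdict

# Constructed sample in the post's log layout (timestamp host dhcpd: MESSAGE).
# Interface "eth0" and the REQUEST/ACK lines are assumptions, not from the post.
SAMPLE_LOG = """\
2004:11:01-12:46:32 (none) dhcpd: DHCPDISCOVER from 4d:c8:43:bb:8b:a6 via eth0
2004:11:01-12:46:33 (none) dhcpd: DHCPOFFER on 10.1.255.254 to 4d:c8:43:bb:8b:a6 (detective) via eth0
2004:11:01-12:46:33 (none) dhcpd: DHCPREQUEST for 10.1.255.254 (10.1.0.1) from 4d:c8:43:bb:8b:a6 (detective) via eth0
2004:11:01-12:46:33 (none) dhcpd: DHCPACK on 10.1.255.254 to 4d:c8:43:bb:8b:a6 (detective) via eth0
2004:11:01-12:47:10 (none) dhcpd: DHCPDISCOVER from 00:0c:29:11:22:33 via eth0
2004:11:01-12:47:11 (none) dhcpd: DHCPOFFER on 10.1.0.57 to 00:0c:29:11:22:33 (laptop42) via eth0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ dhcpd: (?P<msg>DHCP[A-Z]+) "
    r"(?:on|for|from) (?P<arg>\S+)(?: \(\S+\))?"      # first operand: IP, or MAC for DISCOVER
    r"(?: (?:to|from) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}))?"
    r"(?: \((?P<host>[^)]*)\))?"                      # host name the client claimed
    r" via (?P<iface>\S+)$"
)

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    if d["msg"] == "DHCPDISCOVER":  # DISCOVER names the MAC first, other messages an IP first
        d["mac"], d["ip"] = d["arg"], None
    else:
        d["ip"] = d["arg"]
    return d if d["mac"] else None  # lines without a client MAC are not lease traffic

def leases_by_mac(log_text):
    """Per client MAC: message sequence, IPs offered/acked, host names claimed."""
    summary = defaultdict(lambda: {"messages": [], "ips": set(), "hosts": set()})
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        entry = summary[rec["mac"]]
        entry["messages"].append(rec["msg"])
        if rec["ip"]:
            entry["ips"].add(rec["ip"])
        if rec["host"]:
            entry["hosts"].add(rec["host"])
    return summary

def flag_clients(log_text, watched_macs=(), watched_hosts=()):
    """MACs whose address or claimed host name is on a watch list."""
    return {mac: e for mac, e in leases_by_mac(log_text).items()
            if mac in watched_macs or e["hosts"] & set(watched_hosts)}
```

Feeding a real dhcpd log through `flag_clients(log, watched_hosts=("detective",))` lists every MAC that requested that host name together with the addresses it was given, which is the lease history the post is asking other admins to look for.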