Hacker on internal net: DHCP

From: dougga (dontsendhere_at_spam.org)
Date: 11/06/04


Date: Fri, 05 Nov 2004 18:50:14 -0800

I've been investigating a strange lease on one of my DHCP servers that as
far as I can tell should not be there for any legitimate reason.

Here are the logs from the server:
2004:11:01-12:46:32 (none) dhcpd: DHCPDISCOVER from 4d:c8:43:bb:8b:a6 via eth0
2004:11:01-12:46:33 (none) dhcpd: DHCPOFFER on 10.1.255.254 to 4d:c8:43:bb:8b:a6 (detective)

In my investigation I've run into several people who have seen this exact
MAC address and many reports of this same host name, "detective".
I'm beginning to suspect a hacker or a worm of some kind.

Here are links to some of the folks who have reported similar findings:
http://archives.neohapsis.com/archives/openbsd/2004-06/1581.html
http://www.ixus.net/resume_messages.php?topic=13792 [in French]
http://www.experts-exchange.com/Networking/Q_21070857.html

Can anyone help shed some light on this?
If you have access to your company's dhcp server, you might take a quick
look at the logs.  Perhaps I'm missing something in an RFC somewhere.

Much thanks for any help

D
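As an added example (not part of the original post or any reply to it), a small parser for the dhcpd log format quoted above that flags leases worth a second look: it checks whether the first octet of the client MAC has the individual/group bit set, which a vendor-assigned unicast address never has, and matches the offered hostname against a hypothetical operator watchlist. The sample log lines, the watchlist, and the second client (00:0c:29:...) are constructed for the example.

```python
import re

# Constructed sample lines in the dhcpd syslog format quoted in the post.
SAMPLE_LOG = """\
2004:11:01-12:46:32 (none) dhcpd: DHCPDISCOVER from 4d:c8:43:bb:8b:a6 via eth0
2004:11:01-12:46:33 (none) dhcpd: DHCPOFFER on 10.1.255.254 to 4d:c8:43:bb:8b:a6 (detective)
2004:11:01-12:47:10 (none) dhcpd: DHCPDISCOVER from 00:0c:29:3a:1f:02 via eth0
2004:11:01-12:47:11 (none) dhcpd: DHCPOFFER on 10.1.0.17 to 00:0c:29:3a:1f:02 (workstation12)
"""

# Matches "DHCPDISCOVER from <mac> ..." and "DHCPOFFER on <ip> to <mac> (<host>)".
LINE_RE = re.compile(
    r"dhcpd: (?P<msg>DHCP\w+) (?:from|on \S+ to) "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))?",
    re.I,
)

# Hypothetical watchlist the operator maintains; "detective" is the name from the post.
WATCHED_HOSTNAMES = {"detective"}

def mac_flags(mac):
    """Return reasons a MAC looks unlike a burned-in unicast address."""
    first = int(mac.split(":")[0], 16)
    reasons = []
    if first & 0x01:  # I/G bit: group address, never a NIC's own source address
        reasons.append("I/G bit set (group address, not a valid unicast NIC address)")
    if first & 0x02:  # U/L bit: locally administered, not a vendor-assigned OUI
        reasons.append("U/L bit set (locally administered address)")
    return reasons

def parse_line(line):
    """Extract message type, client MAC and hostname (if any) from one log line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"msg": m.group("msg").upper(), "mac": m.group("mac").lower(),
            "host": m.group("host")}

def find_suspicious(log_text):
    """Map each flagged client MAC to the sorted list of reasons it was flagged."""
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = mac_flags(rec["mac"])
        if rec["host"] and rec["host"].lower() in WATCHED_HOSTNAMES:
            reasons.append(f"hostname {rec['host']!r} is on the watchlist")
        if reasons:
            findings.setdefault(rec["mac"], set()).update(reasons)
    return {mac: sorted(r) for mac, r in findings.items()}
```

Run over a real dhcpd log file, the same function gives a short list of clients to correlate with switch port tables and other logs.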
