Hacker on internal net: DHCP
From: dougga (dontsendhere_at_spam.org)
Date: 11/06/04
- Next message: donnie: "Re: Rogue DHCP Lease... hacker?"
- Previous message: dougga: "Re: Administration password"
- In reply to: dougga: "Rogue DHCP Lease... hacker?"
- Next in thread: Moe Trin: "Re: Hacker on internal net: DHCP"
- Reply: Moe Trin: "Re: Hacker on internal net: DHCP"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 05 Nov 2004 18:50:14 -0800
I've been investigating a strange lease on one of my DHCP servers that as
far as I can tell should not be there for any legitimate reason.
Here are the logs from the server:
2004:11:01-12:46:32 (none) dhcpd: DHCPDISCOVER from 4d:c8:43:bb:8b:a6 via eth0
2004:11:01-12:46:33 (none) dhcpd: DHCPOFFER on 10.1.255.254 to 4d:c8:43:bb:8b:a6 (detective)
In my investigation I've run into several people who have seen this exact
MAC address and many reports of this same host name, "detective".
I'm beginning to suspect a hacker or a worm of some kind.
Here are links to some of the folks who have reported similar findings:
http://archives.neohapsis.com/archives/openbsd/2004-06/1581.html
http://www.ixus.net/resume_messages.php?topic=13792 [in French]
http://www.experts-exchange.com/Networking/Q_21070857.html
Can anyone help shed some light on this?
If you have access to your company's dhcp server, you might take a quick
look at the logs. Perhaps I'm missing something in an RFC somewhere.
Much thanks for any help
D
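An added example (not code from the poster or from any reply in the thread) of the "quick look at the logs" the post asks other admins to take: it parses ISC dhcpd syslog lines in the format quoted above and flags MACs worth a second look. The MAC and hostname on the watchlist are the ones the post reports; every other line in the sample log, the watchlists themselves and the check thresholds are constructed assumptions. The checks are heuristics a defender would layer together, not proof of anything: a MAC or hostname seen elsewhere, a locally administered MAC (U/L bit set, so not a vendor OUI), an OFFER never followed by a DHCPACK, and one MAC presenting several hostnames.

```python
"""Constructed example: scan ISC dhcpd syslog lines for leases worth a second look.

Not code from the original post. The line format follows the two lines quoted
in the post; the MAC 4d:c8:43:bb:8b:a6 and hostname "detective" are the values
the poster reported, every other line in SAMPLE_LOG is invented.
"""
import re
from collections import defaultdict

# Constructed sample log in the same syslog/dhcpd layout as the post's excerpt.
SAMPLE_LOG = """\
2004:11:01-12:46:32 (none) dhcpd: DHCPDISCOVER from 4d:c8:43:bb:8b:a6 via eth0
2004:11:01-12:46:33 (none) dhcpd: DHCPOFFER on 10.1.255.254 to 4d:c8:43:bb:8b:a6 (detective)
2004:11:01-12:47:10 (none) dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0
2004:11:01-12:47:11 (none) dhcpd: DHCPOFFER on 10.1.0.17 to 00:11:22:33:44:55 (workstation-12)
2004:11:01-12:47:12 (none) dhcpd: DHCPREQUEST for 10.1.0.17 (10.1.0.1) from 00:11:22:33:44:55 (workstation-12) via eth0
2004:11:01-12:47:12 (none) dhcpd: DHCPACK on 10.1.0.17 to 00:11:22:33:44:55 (workstation-12) via eth0
2004:11:02-09:03:00 (none) dhcpd: DHCPDISCOVER from 4d:c8:43:bb:8b:a6 via eth0
2004:11:02-09:03:01 (none) dhcpd: DHCPOFFER on 10.1.255.254 to 4d:c8:43:bb:8b:a6 (detective)
"""

# DISCOVER: "from <mac>", OFFER/ACK: "on <ip> to <mac>", REQUEST: "for <ip> (<server>) from <mac>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ dhcpd: (?P<msg>DHCP\w+) "
    r"(?:on (?P<ip>[\d.]+) to |for (?P<rip>[\d.]+) (?:\([\d.]+\) )?from |from )"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?"
)


def parse(text):
    """Return one dict per recognised dhcpd line: ts, msg, ip, mac, host."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other daemon chatter, or a message type we don't parse
        events.append({
            "ts": m["ts"],
            "msg": m["msg"],
            "ip": m["ip"] or m["rip"],
            "mac": m["mac"].lower(),
            "host": m["host"],
        })
    return events


def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set, i.e. the address
    was not assigned from a vendor OUI and may have been chosen by hand."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def flag_leases(events, mac_watchlist=(), host_watchlist=()):
    """Map each MAC that trips at least one check to the list of reasons."""
    per_mac = defaultdict(lambda: {"hosts": set(), "count": defaultdict(int)})
    for ev in events:
        rec = per_mac[ev["mac"]]
        rec["count"][ev["msg"]] += 1
        if ev["host"]:
            rec["hosts"].add(ev["host"])

    macs = {m.lower() for m in mac_watchlist}
    hosts = {h.lower() for h in host_watchlist}
    flagged = {}
    for mac, rec in per_mac.items():
        reasons = []
        if mac in macs:
            reasons.append("MAC matches a watchlist entry")
        for h in sorted(rec["hosts"]):
            if h.lower() in hosts:
                reasons.append(f"hostname {h!r} matches a watchlist entry")
        offers, acks = rec["count"]["DHCPOFFER"], rec["count"]["DHCPACK"]
        if offers and not acks:
            reasons.append(f"offered {offers} time(s) but never completed with DHCPACK")
        if is_locally_administered(mac):
            reasons.append("locally administered MAC (not a vendor OUI)")
        if len(rec["hosts"]) > 1:
            reasons.append("same MAC presented several hostnames: " + ", ".join(sorted(rec["hosts"])))
        if reasons:
            flagged[mac] = reasons
    return flagged


if __name__ == "__main__":
    # Watchlist values are the ones the post reports; feed a real log with parse(open(path).read()).
    report = flag_leases(parse(SAMPLE_LOG),
                         mac_watchlist={"4d:c8:43:bb:8b:a6"},
                         host_watchlist={"detective"})
    for mac, reasons in report.items():
        print(mac)
        for r in reasons:
            print("  -", r)
```

On the sample above only the reported MAC is flagged (watchlisted MAC, watchlisted hostname, and two OFFERs with no DHCPACK); the invented workstation completes a normal DISCOVER/OFFER/REQUEST/ACK exchange and stays quiet. The OFFER-without-ACK check is the one to read carefully on a real server: it also fires for clients that simply chose another server's offer, so treat it as a prompt to look, not a verdict.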