Rogue DHCP Lease... hacker?
I've been investigating a strange lease on one of my DHCP servers that as
far as I can tell should not be there for any legitimate reason.

Here are the logs from the server:
2004:11:01-12:46:32 (none) dhcpd: DHCPDISCOVER from 4d:c8:43:bb:8b:a6 via eth0
2004:11:01-12:46:33 (none) dhcpd: DHCPOFFER on 10.1.255.254 to 4d:c8:43:bb:8b:a6 (detective)

In my investigation I've run into several people who have seen this exact
MAC address and many reports of this same host name, "detective".

I'm beginning to suspect a hacker or a worm of some kind.

Here are links to some of the folks who have reported similar findings:

http://archives.neohapsis.com/archiv...4-06/1581.html
http://www.ixus.net/resume_messages.php?topic=13792 [in French]
http://www.experts-exchange.com/Netw..._21070857.html

Can anyone help shed some light on this?
If you have access to your company's dhcp server, you might take a quick
look at the logs. Perhaps I'm missing something in an RFC somewhere.

Much thanks for any help

D
Re: Rogue DHCP Lease... hacker?
On Wed, 03 Nov 2004 23:47:05 -0800, dougga <dontsendhere@spam.org>
wrote:

>I've been investigating a strange lease on one of my DHCP servers that as
>far as I can tell should not be there for any legitimate reason.
>
>Here are the logs from the server:
>2004:11:01-12:46:32 (none) dhcpd: DHCPDISCOVER from 4d:c8:43:bb:8b:a6 via
>eth0
>2004:11:01-12:46:33 (none) dhcpd: DHCPOFFER on 10.1.255.254 to
>4d:c8:43:bb:8b:a6 (detective)
>
>In my investigation I've run into several people who have seen this exact
>MAC address and many reports of this same host name, "detective".
>
>I'm beginning to suspect a hacker or a worm of some kind.
>
>Here are links to some of the folks who have reported similar findings:
>
>http://archives.neohapsis.com/archiv...4-06/1581.html
>http://www.ixus.net/resume_messages.php?topic=13792 [in French]
>http://www.experts-exchange.com/Netw..._21070857.html
>
>Can anyone help shed some light on this?
>If you have access to your company's dhcp server, you might take a quick
>look at the logs. Perhaps I'm missing something in an RFC somewhere.
>
>Much thanks for any help
>
>D

##############################
I assume all that is happening on a wireless network. Look at the
following URL,
http://216.239.41.104/search?q=cache...hl=en&ie=UTF-8

See if that helps.
donnie
Re: Rogue DHCP Lease... hacker?
donnie wrote:
> On Wed, 03 Nov 2004 23:47:05 -0800, dougga <dontsendhere@spam.org>
> wrote:
>
>>I've been investigating a strange lease on one of my DHCP servers that as
>>far as I can tell should not be there for any legitimate reason.
>>
>>Here are the logs from the server:
>>2004:11:01-12:46:32 (none) dhcpd: DHCPDISCOVER from 4d:c8:43:bb:8b:a6 via
>>eth0
>>2004:11:01-12:46:33 (none) dhcpd: DHCPOFFER on 10.1.255.254 to
>>4d:c8:43:bb:8b:a6 (detective)
>>
>>In my investigation I've run into several people who have seen this exact
>>MAC address and many reports of this same host name, "detective".
>>
>>I'm beginning to suspect a hacker or a worm of some kind.
>>
>>Here are links to some of the folks who have reported similar findings:
>>
>>http://archives.neohapsis.com/archiv...4-06/1581.html
>>http://www.ixus.net/resume_messages.php?topic=13792 [in French]
>>http://www.experts-exchange.com/Netw..._21070857.html
>>
>>Can anyone help shed some light on this?
>>If you have access to your company's dhcp server, you might take a quick
>>look at the logs. Perhaps I'm missing something in an RFC somewhere.
>>
>>Much thanks for any help
>>
>>D
>
> ##############################
> I assume all that is happening on a wireless network. Look at the
> following URL,
> http://216.239.41.104/search?q=cache...hl=en&ie=UTF-8
>
> See if that helps.
> donnie

Donnie,

Thanks for the response. The article you've found is a good overview of
wireless vulnerabilities but I don't see a relationship to my post.
Neither the mac address nor the word 'detective' shows up in the article.

As for my topology, no, I do not have a wireless network on this network.
I have a robust hardware firewall with reasonably sophisticated intrusion
detection mechanism in place.

This is why I'm puzzled as to this machine showing up on my internal
interface/network to gain a DHCP lease.

If you have information pertaining to what this might mean with specific
reference to the others around the world who have seen BOTH this mac
address and machine name, I would very much appreciate any help.

Much thanks,
~Doug
Hacker on internal net: DHCP
I've been investigating a strange lease on one of my DHCP servers that as
far as I can tell should not be there for any legitimate reason.

Here are the logs from the server:
2004:11:01-12:46:32 (none) dhcpd: DHCPDISCOVER from 4d:c8:43:bb:8b:a6 via eth0
2004:11:01-12:46:33 (none) dhcpd: DHCPOFFER on 10.1.255.254 to 4d:c8:43:bb:8b:a6 (detective)

In my investigation I've run into several people who have seen this exact
MAC address and many reports of this same host name, "detective".

I'm beginning to suspect a hacker or a worm of some kind.

Here are links to some of the folks who have reported similar findings:

http://archives.neohapsis.com/archiv...4-06/1581.html
http://www.ixus.net/resume_messages.php?topic=13792 [in French]
http://www.experts-exchange.com/Netw..._21070857.html

Can anyone help shed some light on this?
If you have access to your company's dhcp server, you might take a quick
look at the logs. Perhaps I'm missing something in an RFC somewhere.

Much thanks for any help

D
Re: Rogue DHCP Lease... hacker?
On Fri, 05 Nov 2004 13:41:55 -0800, dougga <dontsendhere@spam.org>
wrote:

>Donnie,
>
>Thanks for the response. The article you've found is a good overview of
>wireless vulnerabilities but I don't see a relationship to my post.
>Neither the mac address nor the word 'detective' shows up in the article.
>
>As for my topology, no, I do not have a wireless network on this network.
>I have a robust hardware firewall with reasonably sophisticated intrusion
>detection mechanism in place.
>
>This is why I'm puzzled as to this machine showing up on my internal
>interface/network to gain a DHCP lease.
>
>If you have information pertaining to what this might mean with specific
>reference to the others around the world who have seen BOTH this mac
>address and machine name, I would very much appreciate any help.
>
>Much thanks,

#########################
As far as I know, MAC address spoofing can be done on a wired network
too. It was some years ago before wireless became popular that I heard
about it. I searched the MAC address that you posted and one in one
of the other URLs in one of the MAC address vendor locator sites and
neither one showed up. I don't think the idea is to find an exact MAC
address or machine name match because it can be made to say anything.
If your network is totally wired, I would start looking for a trojan.
Also, what OSes, IDS, firewall are you running, server, clients,
services, etc....?
If it's a windows based network, do the event logs say anything?
donnie
Re: Hacker on internal net: DHCP
In article <_ZWdnQKdC9V7phHcRVn-pg@speakeasy.net>, dougga wrote:

>I've been investigating a strange lease on one of my DHCP servers that as
>far as I can tell should not be there for any legitimate reason.

Is the host still there? Use a network sniffer to confirm/deny. How
big is your net? Are you using coax, or twisted pair? If twisted pair,
are you using a hub, or switch? If a switch, which port does the
switch say this MAC address is on? You posted using KNode, which is
part of KDE - try using nmap to look for that hardware.

>2004:11:01-12:46:32 (none) dhcpd: DHCPDISCOVER from 4d:c8:43:bb:8b:a6 via
>eth0

[compton ~]$ etherwhois 4d:c8:43
Non-existent address as of Oct 31 09:26:22 MST 2004 OUI file
[compton ~]$

The address has not been assigned by IEEE, so it's a forgery by
someone. http://standards.ieee.org/regauth/oui/oui.txt

Old guy
Re: Hacker on internal net: DHCP
Moe Trin wrote:
> In article <_ZWdnQKdC9V7phHcRVn-pg@speakeasy.net>, dougga wrote:
>
>>I've been investigating a strange lease on one of my DHCP servers that as
>>far as I can tell should not be there for any legitimate reason.
>
> Is the host still there? Use a network sniffer to confirm/deny. How
> big is your net? Are you using coax, or twisted pair? If twisted pair,
> are you using a hub, or switch? If a switch, which port does the
> switch say this MAC address is on? You posted using KNode, which is
> part of KDE - try using nmap to look for that hardware.
>
>>2004:11:01-12:46:32 (none) dhcpd: DHCPDISCOVER from 4d:c8:43:bb:8b:a6 via
>>eth0
>
> [compton ~]$ etherwhois 4d:c8:43
> Non-existent address as of Oct 31 09:26:22 MST 2004 OUI file
> [compton ~]$
>
> The address has not been assigned by IEEE, so it's a forgery by
> someone. http://standards.ieee.org/regauth/oui/oui.txt
>
> Old guy

That's good information, it adds further clout to the conspiracy theories.
The interesting thing is that others around the world have seen the exact
match between this MAC and dhcp station name.

Much thanks
Re: Rogue DHCP Lease... hacker?
donnie wrote:
> On Fri, 05 Nov 2004 13:41:55 -0800, dougga <dontsendhere@spam.org>
> wrote:
>
>>Donnie,
>>
>>Thanks for the response. The article you've found is a good overview of
>>wireless vulnerabilities but I don't see a relationship to my post.
>>Neither the mac address nor the word 'detective' shows up in the article.
>>
>>As for my topology, no, I do not have a wireless network on this network.
>>I have a robust hardware firewall with reasonably sophisticated intrusion
>>detection mechanism in place.
>>
>>This is why I'm puzzled as to this machine showing up on my internal
>>interface/network to gain a DHCP lease.
>>
>>If you have information pertaining to what this might mean with specific
>>reference to the others around the world who have seen BOTH this mac
>>address and machine name, I would very much appreciate any help.
>>
>>Much thanks,
>
> #########################
> As far as I know, MAC address spoofing can be done on a wired network
> too. It was some years ago before wireless became popular that I heard
> about it. I searched the MAC address that you posted and one in one
> of the other URLs in one of the MAC address vendor locator sites and
> neither one showed up. I don't think the idea is to find an exact MAC
> address or machine name match because it can be made to say anything.
> If your network is totally wired, I would start looking for a trojan.
> Also, what OSes, IDS, firewall are you running, server, clients,
> services, etc....?
> If it's a windows based network, do the event logs say anything?
> donnie

OSes on my internal net:

Windows Server 2003 - new install for testing only
    SMB - Named - kitchen sink that comes standard
SuSE 9.1pro - server
    SMB - NFS - VNC - NTPd - Rsync
SuSE 9.1pro/WinXP pro - Workstation nearly always Linux

SuSE 9.1pro/WinXP pro - rarely used
SuSE 9.1pro - server - rarely used

Firewall: Astaro Security Linux - v5
    DHCPD -
    Proxies: HTTP DNS SMTP POP
Firewall event logs just show the lease being established. That's it.

Thanks for any info.
Re: Rogue DHCP Lease... hacker?
In article <LYudnfk3f-9p6Q3cRVn-vA@speakeasy.net>, dougga wrote:
>OSes on my internal net:
>Windows Server 2003 - new install for testing only
>SuSE 9.1pro - server
>SuSE 9.1pro/WinXP pro - Workstation nearly always Linux
>SuSE 9.1pro/WinXP pro - rarely used
>SuSE 9.1pro - server - rarely used

OK - for those four Linux installations - SuSE is 'rpm' based, so you
can use that to look over the systems. You can also dig up a copy of
'chkrootkit' but take the information with a ten kilogram block of salt,
especially on SuSE, which does some things differently. The cut below is
a 'canned' response to a suspected Linux system compromise. Read it all
the way through before trying it. Also look at the man page for rpm for
further details.

>Firewall: Astaro Security Linux - v5
> DHCPD -
> Proxies: HTTP DNS SMTP POP

Just curious - with five systems on the net, why are you using DHCP?

I'm not familiar with Astaro, other than knowing it's a German
development. If it's rpm based, you can try the stuff below. You may
also be able to run chkrootkit on it. If Astaro is Debian based (using
the Debian package manager apt), see if there is a 'debsums' program
(debsums -s can be used in the same way as rpm -V). In the future, look
at the 'tripwire' program - that won't help now, because you don't have
a virgin system snapshot to compare against.

--------rpm -V trick--------------

OK, bring the box up single user. Move (repeat, MOVE, not copy) /bin/ps
to some safe place, and copy any other file to /bin/ps

    /bin/mv /bin/ps /bin/ps.original
    /bin/cp /etc/services /bin/ps

OK, do you see what I've just done?

Note: if you are not permitted to move /bin/ps, use the
'/usr/bin/lsattr /bin/ps' command to see if the -i flag is set. If it
is, the game is over. You can use the '/usr/sbin/chattr -i /bin/ps'
command to reset the immutable bit, but this was a SURE sign that your
box is 0wn3d.

Now use the rpm command to see what happens.

    /bin/rpm -V procps

and watch that rpm freaks out when it discovers that /bin/ps is not
what /bin/ps should be. See the rpm man page for an explanation of the
flags.

    SM5....T /bin/ps

Now, before you do _anything_ else, move /bin/ps.original back to
/bin/ps. When I did this originally, I was so happy that it worked the
way it did, that I forgot to do the move. Two hours later, I discovered
that I could not su, strace, etc. And I wasn't root any more. Oops! (I
was able to go to another virtual terminal and log in there as root).
Remember to use the MOVE ( /bin/mv ), not copy, command, to avoid
messing with the file date stamps.

NOTE: I illustrate this test using /bin/ps, but you can use _ANY_
program that a script kiddie is likely to replace. These include
/bin/login, /bin/ls, /usr/bin/top, /usr/bin/find, /usr/bin/diff, and so
on, or even /bin/bash itself. You _do_ need to know what rpm package the
file you changed came in. Use 'rpm -qf /name/of/file' to get that
information.

If rpm doesn't report problems, your box is toast. Wipe it and reload
from scratch. You may be able to salvage /home/, but after reinstalling,
I would do a find for root owned files or directories and unknown groups
and users in /home before bringing it back online.

    find /home/ \( -user 0 -o -group 0 \) -exec ls -lad {} \;
    find /home/ \( -nouser -o -nogroup \) -exec ls -lad {} \;

If rpm does indeed freak out, then do a global test.

    /bin/rpm -Va > files_2_check

NOTE: This rpm -Va does not ensure that your box is not otherwise
subverted. What it _does_ do is to tell you if find, ls, lsmod, fuser,
ps, and so on are probably not bogus. This test does not check files
installed by means other than rpm, which is why you need find, and so
on. Obviously, you should also install _all_ applicable updates, too.
Remember, this check does NOT check /etc/passwd, /etc/shadow,
/etc/inetd.conf (xinetd in RH7.0+), so you have to inspect those files
manually to see if there is something "new". Look specifically at the
last lines of these files.

One significant point to CAUTION you about is FALSE ALARMS. Even a brand
new box just installed is going to have something pop into
files_2_check. On this work-station, that file lists 92 items, about 40
of which are /dev/ with permission/ownership changes. About 20 more are
normal configuration files like /etc/hosts.allow (you _did_ set that,
didn't you???)

If you are properly paranoid, you will keep copies of rpm and the rpm
database (in /var/lib/rpm/) off line, or on a different computer. Also,
just to feel good, I run this check (as root) weekly.

--------end rpm -V trick -------------

Old guy
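As an added example (not Old guy's code): a small Python triage of a files_2_check file, i.e. the output of 'rpm -Va', that ranks the noise he warns about (/dev/ permission changes, edited config files marked 'c', bare mtime changes) below a size or checksum change on a system binary such as the SM5....T /bin/ps line. The sample file is constructed in the 8-column flag layout rpm printed in 2004; the parser also accepts the 9-column layout of newer rpm. It assumes, as the post does, that rpm and its database are themselves trustworthy.

```python
import re

# Constructed sample of 'rpm -Va > files_2_check' output (8-char flag field;
# newer rpm adds a 9th 'P' column, which the regex below also accepts).
FILES_2_CHECK = """\
SM5....T    /bin/ps
.M......    /dev/null
S.5....T  c /etc/hosts.allow
.....UG.    /dev/tty1
.......T    /usr/share/doc/bash/README
missing     /usr/bin/top
"""

BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/", "/usr/lib/")
# flags (or the word 'missing'), optional attribute char (c=config, d=doc ...), path
LINE = re.compile(r"^(?P<flags>[SM5DLUGTP.]{8,9}|missing)\s+(?P<attr>[cdglr])?\s*(?P<path>/\S+)$")

def parse_line(line):
    """Split one rpm -V line into (flags, attr, path); None for anything else."""
    m = LINE.match(line.rstrip())
    if not m:
        return None
    return m.group("flags"), m.group("attr") or "", m.group("path")

def triage(flags, attr, path):
    """high: content of a system binary changed or binary gone (look for a rootkit);
    review: a config file differs, inspect it by hand; low: the usual false alarms."""
    content_changed = flags == "missing" or any(c in flags for c in "S5L")
    if path.startswith(BIN_DIRS) and content_changed:
        return "high"
    if attr == "c":
        return "review"
    # /dev ownership/mode churn and bare mtime/owner/group changes are expected noise
    if path.startswith("/dev/") or set(flags) <= set("MUGT."):
        return "low"
    return "review"

def triage_report(text):
    """Return {path: severity} for every parsable line of rpm -Va output."""
    report = {}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed:
            report[parsed[2]] = triage(*parsed)
    return report

if __name__ == "__main__":
    # Files missing or rewritten under rpm's nose are the ones to look at first
    for path, sev in sorted(triage_report(FILES_2_CHECK).items(), key=lambda kv: kv[1]):
        print("%-6s %s" % (sev, path))
```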
Re: Rogue DHCP Lease... hacker?
On Mon, 08 Nov 2004 23:42:42 -0800, dougga <dontsendhere@spam.org>
wrote:

>OSes on my internal net:
>
>Windows Server 2003 - new install for testing only
> SMB - Named - kitchen sink that comes standard
>SuSE 9.1pro - server
> SMB - NFS - VNC - NTPd - Rsync
>SuSE 9.1pro/WinXP pro - Workstation nearly always Linux
>
>SuSE 9.1pro/WinXP pro - rarely used
>SuSE 9.1pro - server - rarely used
>
>Firewall: Astaro Security Linux - v5
> DHCPD -
> Proxies: HTTP DNS SMTP POP
> Firewall event logs just show the lease being established. That's it.
>
>Thanks for any info.

#######################
The first thing that stands out in my mind is SMB. Go to
http://web.textfiles.com/hacking/ and d/l The MH Desk Reference (MH =
Modern Hackers). There is a lot on SMB and its vulnerabilities.
donnie.