Investigating Hacker, Worm, or Backdoor

Discussion in 'Computer Security' started by dougga, Nov 8, 2004.

  1. dougga

    dougga Guest

    I've been investigating a strange lease on one of my DHCP servers that
    should not be there for any legitimate reason.
    The DHCP server is embedded within my firewall: Astaro Security Linux v5
    which I've felt is a robust and secure system. I'm puzzled about what I'm
    seeing here, though.

    Here are the logs from the server:

    2004:11:01-12:46:32 (none) dhcpd: DHCPDISCOVER from 4d:c8:43:bb:8b:a6 via eth0
    2004:11:01-12:46:33 (none) dhcpd: DHCPOFFER on 10.1.255.254 to 4d:c8:43:bb:8b:a6 (detective)

    In my investigation I've run into several people throughout the world who
    have seen this exact MAC address and many reports of this same host name,
    "detective".  I'm beginning to suspect a hacker, a backdoor on the
    firewall, a worm of some kind, or a Microsoft security "feature". No way
    to tell.

    Here are links to some of the folks who have reported similar findings:
    http://archives.neohapsis.com/archives/openbsd/2004-06/1581.html
    http://www.ixus.net/resume_messages.php?topic=13792 [in French]
    http://www.experts-exchange.com/Networking/Q_21070857.html

    If you have access to your company's dhcp server, you might take a quick
    look at the logs.  

    Here's my network setup:
    Astaro Security Linux (Firewall) (3 interfaces: wireless, internal &
    external)
    SuSE Linux 9.1 Server
    SuSE Linux 9.1 Workstation
    Windows Server 2003 Test Server (now running "for small Business" package)
    Windows XP/SuSE Linux 9.1 Workstation

    Can anyone help shed some light on this?

    Much thanks for any help

    D
     
    dougga, Nov 8, 2004
    #1
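
One way to run the log check the post suggests, as an added example that is not part of the original post: it parses dhcpd lines in the format quoted above and flags hardware addresses that are missing from an inventory or that have the Ethernet group (multicast) bit set, which a network card does not use as its own source address. The inventory `KNOWN_MACS`, the third log line and all function names are assumptions made for illustration.

```python
import re

# Constructed sample: the two lines quoted in the post plus one made-up
# lease for a known host (that MAC and host name are invented).
SAMPLE_LOG = """\
2004:11:01-12:46:32 (none) dhcpd: DHCPDISCOVER from 4d:c8:43:bb:8b:a6 via eth0
2004:11:01-12:46:33 (none) dhcpd: DHCPOFFER on 10.1.255.254 to 4d:c8:43:bb:8b:a6 (detective)
2004:11:01-13:02:10 (none) dhcpd: DHCPACK on 10.1.0.20 to 00:11:22:33:44:55 (workstation1) via eth1
"""

# Hypothetical inventory of hardware addresses expected on this network.
KNOWN_MACS = {"00:11:22:33:44:55"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ dhcpd: (?P<type>DHCP[A-Z]+) "
    r"(?:on (?P<ip>[\d.]+) to |from )"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?(?: via (?P<iface>\S+))?",
    re.IGNORECASE,
)

def parse_line(line):
    """Return the fields of one dhcpd log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def has_group_bit(mac):
    """True when the low bit of the first octet is set (group/multicast address)."""
    return bool(int(mac.split(":")[0], 16) & 0x01)

def review(log_text, known_macs):
    """Collect DHCP events whose client MAC is unknown or malformed as a unicast source."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        mac = ev["mac"].lower()
        reasons = []
        if mac not in known_macs:
            reasons.append("unknown MAC")
        if has_group_bit(mac):
            reasons.append("group bit set")
        if reasons:
            findings.append((ev["ts"], ev["type"], mac, ev["ip"], ev["host"], reasons))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG, KNOWN_MACS):
        print(finding)
```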