My problem is as follows:
-Windows 2000 Server (Fully Patched)
-DHCP Server with a simple scope of 192.168.0.50 to 252.
-Server is an IBM Netfinity 5000 with dual network cards. One 3Com one IBM Pro. The IBM Pro is Disabled.
Every 15 seconds or so, the DHCP Server records a bad address and fills the entire scope of free addresses with a BAD_ADDRESS reservation. The MAC address changes as it goes along so there is no way to block this. The log file treats it as a conflict. The following (this is taken from log file): (Note the impossible MAC address)
<...>
10,03/22/05,04:21:53,Assign,192.168.0.207,,30303A30663A31663A66623A37653A3530696E66313030303030
13,03/22/05,04:21:53,Conflict,192.168.0.207,BAD_ADDRESS,
13,03/22/05,04:21:53,Conflict,192.168.0.207,BAD_ADDRESS,
10,03/22/05,04:22:05,Assign,192.168.0.209,,30303A30663A31663A66623A37653A3530696E66313030303030
13,03/22/05,04:22:05,Conflict,192.168.0.209,BAD_ADDRESS,
13,03/22/05,04:22:05,Conflict,192.168.0.209,BAD_ADDRESS,
10,03/22/05,04:22:17,Assign,192.168.0.210,,30303A30663A31663A66623A37653A3530696E66313030303030
13,03/22/05,04:22:17,Conflict,192.168.0.210,BAD_ADDRESS,
13,03/22/05,04:22:17,Conflict,192.168.0.210,BAD_ADDRESS,
10,03/22/05,04:22:29,Assign,192.168.0.214,,30303A30663A31663A66623A37653A3530696E66313030303030
<...>
There is only one DHCP Authorized server in the company. DHCPLOC.EXE does not locate a rogue server. This almost seems like some sort of DHCP Filler Virus, but I've found nothing on this topic on any anti-virus sites. I will delete the BAD_ADDRESS reservations in the DHCP server and it will start filling them up once again.
The only change has been changing our network switches from 3Com to Dell. Before removing them and placing them all back, I wanted to find out if anyone else has crossed this issue.
"In space, nobody can hear you click..."
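Added example, not part of the original post: a triage script for the log excerpt above that decodes the last column (which here is hex for printable text, not six raw MAC bytes) and lists which addresses each identifier was assigned and then lost to a Conflict entry. The function names are hypothetical and the field order is assumed from the quoted lines.

```python
import csv

# Rows copied from the log excerpt in the post (field order as shown there:
# id, date, time, description, IP, host name, client identifier).
CID = "30303A30663A31663A66623A37653A3530696E66313030303030"
SAMPLE_LOG = "\n".join([
    f"10,03/22/05,04:21:53,Assign,192.168.0.207,,{CID}",
    "13,03/22/05,04:21:53,Conflict,192.168.0.207,BAD_ADDRESS,",
    "13,03/22/05,04:21:53,Conflict,192.168.0.207,BAD_ADDRESS,",
    f"10,03/22/05,04:22:05,Assign,192.168.0.209,,{CID}",
    "13,03/22/05,04:22:05,Conflict,192.168.0.209,BAD_ADDRESS,",
    f"10,03/22/05,04:22:29,Assign,192.168.0.214,,{CID}",
])


def decode_client_id(field):
    """Classify the last log column: 6 raw bytes is an ordinary MAC;
    a longer run of printable bytes is text sent as the identifier."""
    try:
        raw = bytes.fromhex(field)
    except ValueError:
        return ("unparsed", field)
    if len(raw) == 6:
        return ("mac", ":".join(f"{b:02x}" for b in raw))
    if raw and all(0x20 <= b < 0x7F for b in raw):
        return ("ascii", raw.decode("ascii"))
    return ("opaque", field)


def burned_leases(log_text):
    """Map each decoded client identifier to the IPs that were assigned to it
    and then logged as Conflict in the same second."""
    pending, burned = {}, {}
    for row in csv.reader(log_text.splitlines()):
        if len(row) < 7:
            continue  # skip headers, blank lines and "<...>" elisions
        _, date, time, desc, ip, _, ident = row[:7]
        if desc == "Assign":
            pending[(date, time, ip)] = decode_client_id(ident)[1]
        elif desc == "Conflict" and (date, time, ip) in pending:
            ips = burned.setdefault(pending[(date, time, ip)], [])
            if ip not in ips:
                ips.append(ip)
    return burned


if __name__ == "__main__":
    print(decode_client_id(CID))
    for ident, ips in burned_leases(SAMPLE_LOG).items():
        print(ident, "->", ips)
```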