jan

Rogue DHCP Server


jan

I tracked down (via Wireshark bootp, MAC and asset tag info in the DHCP stream), isolated and quarantined a rogue DHCP server on our network. It really wreaked havoc; basically all clients that received the poisonous DHCP offer were paralyzed from the network.

I REALLY need HELP, downloaded many rootkit scanners, applications etc., but none could find any infection on this particular asset??? Help help please… in isolating the threat on the asset, and creating a remediation strategy to scan the network. TIA

schuydorsey

Well if it was actually compromised, many scanners may not find any rootkits. I would suggest manual inspection.

The first decision you really want to make is if you're going to want to pursue legal action. If the answer is yes, then you may want to hire professional responders, as many of your actions could render the evidence inadmissible.

Noel

One of the tell-tale signs of a network being infected with malware or other forms of rogue software is abnormal traffic to and from workstations to your resources; you can try to analyze network traffic. I found it useful to monitor and isolate packets using Wireshark, or even to look at the router itself for this kind of behavior.

i.e. There was this time in the early 2000s that my company obtained a DSL modem infected with malware from a telco. I was still a junior network administrator back then but already tasked to find the culprit. Although I had knowledge of networking back then, it was really hard to pinpoint which device or devices in the network were sending huge amounts of data. So what I did was to observe our network hub and detach one LAN cable after the other to finally pinpoint the offending device.

jan

Thank you guys.. it's very frustrating; so far I was not able to isolate the program that is responsible for a rogue DHCP server. Even though I have the infected laptop quarantined, I am simply not able to isolate the infection!!

Even with Hakin9 books, you guys, and Mark Russinovich's "Malware Hunting with the Sysinternals Tools" from TechEd North America 2012 @ http://channel9.msdn.com/Events/TechEd/NorthAmerica/2012/SIA302... nothing!!

Maybe I'm simply looking into the wrong corner, ideas???

robertray

Did you try looking for a rogue WiFi access point?

I would also think if you use Wireshark you could see DHCP responses, as these are broadcasts; this would give you the MAC, and you can look up the vendor from that. Knowing the vendor might help determine what type of device, reducing the number of needles in your haystack.

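The approach robertray describes (and that jan used with the Wireshark bootp filter) can be scripted so the check runs over every capture rather than by eye: decode the broadcast DHCP OFFER/ACK frames, take the server identifier (option 54) and the frame's source MAC, compare the server against an allow-list of known DHCP servers, and map the MAC's OUI to a vendor to narrow down what kind of device is answering. The example below is added here and is not code from any poster; the parser works on raw Ethernet/IPv4/UDP/BOOTP bytes, the OUI table and the sample frames are constructed for illustration, and `AUTHORIZED_SERVERS` stands in for whatever your real DHCP servers are.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie that follows the 236-byte BOOTP header
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

# Constructed OUI-to-vendor table for this example only; a real lookup uses the IEEE registry.
OUI_VENDORS = {
    "00:11:22": "ExampleRouter Inc (constructed)",
    "aa:bb:cc": "ExampleLaptop Ltd (constructed)",
}


@dataclass
class DhcpInfo:
    eth_src: str                # MAC of the frame sender: for OFFER/ACK that is the answering server
    ip_src: str
    msg_type: str
    server_id: Optional[str]    # option 54, the server the client will keep talking to
    offered_ip: str             # yiaddr
    client_mac: str             # chaddr


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_dhcp_frame(frame: bytes) -> Optional[DhcpInfo]:
    """Decode Ethernet II / IPv4 / UDP / BOOTP and return the DHCP fields, or None if not DHCP.
    Checksums are deliberately not verified: this is triage of captured traffic."""
    if len(frame) < 14 + 20 + 8 + 240:
        return None
    eth_src = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:   # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:                                       # not UDP
        return None
    ip_src = ip[12:16]
    udp = ip[ihl:]
    sport, dport = struct.unpack("!HH", udp[:4])
    if 67 not in (sport, dport):                          # DHCP server port not involved
        return None
    bootp = udp[8:]
    if len(bootp) < 240 or bootp[236:240] != DHCP_MAGIC:
        return None
    hlen = bootp[2]
    yiaddr = bootp[16:20]
    chaddr = bootp[28:28 + hlen]
    # Options are TLV (code, length, value); 0 is a pad byte and 255 ends the list.
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(bootp):
        code = bootp[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        length = bootp[i + 1]
        opts[code] = bootp[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = MSG_TYPES.get(opts[53][0], "UNKNOWN") if 53 in opts else "UNKNOWN"
    server_id = ip_str(opts[54]) if 54 in opts and len(opts[54]) == 4 else None
    return DhcpInfo(mac_str(eth_src), ip_str(ip_src), msg_type, server_id,
                    ip_str(yiaddr), mac_str(chaddr))


def find_rogue_offers(frames: List[bytes], authorized_servers: Set[str]) -> List[dict]:
    """Flag every OFFER/ACK whose server identifier (or source IP) is not on the allow-list."""
    alerts = []
    for frame in frames:
        info = parse_dhcp_frame(frame)
        if info is None or info.msg_type not in ("OFFER", "ACK"):
            continue
        server = info.server_id or info.ip_src
        if server in authorized_servers:
            continue
        alerts.append({
            "server_ip": server,
            "server_mac": info.eth_src,
            "vendor": OUI_VENDORS.get(info.eth_src[:8], "unknown OUI"),   # first three octets = OUI
            "offered_ip": info.offered_ip,
            "client_mac": info.client_mac,
        })
    return alerts


def _ip4(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def build_offer_frame(src_mac: str, src_ip: str, server_id: str,
                      offered_ip: str, client_mac: str) -> bytes:
    """Construct a minimal broadcast DHCP OFFER frame (sample input, not captured traffic)."""
    options = b"\x35\x01\x02" + b"\x36\x04" + _ip4(server_id) + b"\xff"   # 53=OFFER, 54=server id, end
    bootp = (struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234, 0, 0x8000)       # BOOTREPLY, broadcast flag
             + bytes(4) + _ip4(offered_ip) + bytes(8)                      # ciaddr, yiaddr, siaddr, giaddr
             + _mac(client_mac) + bytes(10) + bytes(192)                   # chaddr (padded), sname, file
             + DHCP_MAGIC + options)
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0) + bootp         # zero UDP checksum is legal on IPv4
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         _ip4(src_ip), b"\xff\xff\xff\xff")
    return b"\xff" * 6 + _mac(src_mac) + b"\x08\x00" + ip_hdr + udp


# Constructed sample: one OFFER from the legitimate router, one from a laptop answering on its own.
AUTHORIZED_SERVERS = {"192.168.1.1"}
SAMPLE_FRAMES = [
    build_offer_frame("00:11:22:33:44:55", "192.168.1.1", "192.168.1.1", "192.168.1.50", "de:ad:be:ef:00:01"),
    build_offer_frame("aa:bb:cc:dd:ee:ff", "192.168.1.99", "192.168.1.99", "192.168.1.51", "de:ad:be:ef:00:02"),
]

if __name__ == "__main__":
    for alert in find_rogue_offers(SAMPLE_FRAMES, AUTHORIZED_SERVERS):
        print("rogue DHCP server:", alert)
```

Feeding real frames in is a matter of reading them from a pcap (for example with the `dpkt` or `scapy` readers) and passing the raw bytes to `find_rogue_offers`. The alert keeps both the server MAC and the client MAC on purpose: the first identifies the rogue device (by OUI, then by switch port via the MAC address table), the second lists which clients accepted the bad lease and need their leases renewed or released once the rogue is gone.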