[NTLUG:Discuss] DHCP Vulnerability?
Jim Goode
JGoode at GoToLearn.org
Fri Aug 13 17:11:13 CDT 2004
-----Original Message-----
>>From: discuss-bounces at ntlug.org [mailto:discuss-bounces at ntlug.org]On
>>Behalf Of Jim Goode
>>Sent: Friday, August 13, 2004 2:55 PM
>>To: discuss at ntlug.org
>>Subject: [NTLUG:Discuss] DHCP Vulnerability?
>>
>>
>>I am running an e-Smith/Mitel SME server with DHCP enabled. The server
>>supports desktops that are running MS Windows 2000 Professional.
>>
>>Earlier today (and several times over the past 2 months) I lost
>>connectivity to the server from my desktop. This time I discovered that
>>the IP assigned to my desktop was not in the DHCP range I had specified
>>on the server. I spot checked a couple of other desktops and they had
>>the same problem. The 1st and 2nd octet that had been assigned remained
>>constant (169.254.) but the 3rd and 4th were quite different (113.233,
>>133.162, and 233.134). I use 192.168 for my internal LAN.
>>
>>
>
>The 169.254.x.x range is part of APIPA (Automatic Private Internet Protocol Addressing): http://www.google.com/search?hl=en&ie=UTF-8&q=apipa&btnG=Google+Search. It means that your desktop never got a response from your DHCP server so it magicked up an IP address from that range (after checking that no one else was using it).
>
>
Thanks. Another person pointed me to the MS knowledge base that
explained this feature(?).
>
>
>>After researching some web sites, I see that US-CERT reported a DHCP
>>vulnerability on June 22, 2004 (VU# 317350 and 654390).
>>
>>1) Could my problem be related to one of these vulnerabilities?
>>
>>
>
>Probably not. Is dhcpd running on the server? Any funky messages in /var/log/messages?
>
>
Yes, DHCP is enabled and running. I get messages like the following, but
nothing else out of the ordinary.
Aug 13 13:04:25 s01 /usr/sbin/named[1658]: client 192.168.0.112#2876: update denied
Aug 13 13:04:25 s01 /usr/sbin/named[1658]: client 192.168.0.112#2881: update denied
Aug 13 13:04:26 s01 /usr/sbin/named[1658]: dynamic update failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
We have been taking intermittent network errors for the past month or
two. The building lost its network person and the switches and routers
are in a part of the building that I don't have access to. The last two
times I lost server access from my desktop, I was able to log onto the
server directly and still see a second server and also the Internet.
Some of the desktop PCs cleared up the network issue by themselves and
some required a reboot.
>
>
>>2) Could my server have a virus?
>>
>>
>
>Highly doubtful. There are very few Linux viruses. If it were anything, I would think that you might have been broken into. Is the server directly accessible from the Internet?
>
>
It is accessible through the router which has most ports filtered out.
>
>
>>3) If yes, how can I find and remove the virus?
>>
>>
>
>http://www.mcafeesecurity.com/us/downloads/evals/ - look for "McAfee VirusScan Command Line Scanner for Linux."
>
>
Thanks.
>
>
>>4) Is there a patch for the DHCP problem? The SME server is based on Red
>>Hat 7.2 under the covers and RH no longer supports this release.
>>
>>
>
>Might not be a bad idea to go to http://www.isc.org/ and grab the latest version (ftp://ftp.isc.org/isc/dhcp/dhcp-3.0.1.tar.gz as of right now). Remove your old version of dhcp (rpm -e dhcpd) and then install the downloaded version.
>
>Alternatively, you can grab a source RPM from one of the newer Red Hat distros at http://rpmfind.net/linux/rpm2html/search.php?query=dhcp&submit=Search+...&system=&arch= and rebuild it for your server. Use either rpmbuild --rebuild [source rpm] or rpm --rebuild [source rpm]. I don't have an old RH 7.2 box laying around to test so please report back your results.
>
>
Thanks.
>
>
>>Thank you for your time and response,
>>Jim
>>
>>
>
>
>
--
Jim Goode, SCSA (JGoode at GoToLearn.org)
Director IT and Software Development
972-543-4291, 1-877-465-3276
GoToLearn Inc., 2201 Avenue K, Suite A1, Plano, TX 75074
http://www.GoToLearn.org
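An added triage helper for the symptom discussed in this thread (not code from the list or from the SME server): it sorts the observed desktop addresses into leases from the server's pool, APIPA fallbacks (no DHCP answer reached the client) and addresses that came from somewhere else, and counts the named "update denied" lines per client. The 192.168.0.0/24 pool size and the extra log line are assumptions; the sample log is constructed to match the lines quoted above.

```python
import ipaddress
import re
from collections import Counter

# Assumed pool: the thread only says "192.168" is the internal LAN.
DHCP_POOL = ipaddress.ip_network("192.168.0.0/24")
# RFC 3927 link-local range that Windows APIPA picks from.
APIPA = ipaddress.ip_network("169.254.0.0/16")

# Desktop addresses as reported in the thread (three APIPA, one real lease).
OBSERVED_CLIENTS = [
    "169.254.113.233", "169.254.133.162", "169.254.233.134", "192.168.0.112",
]

# Constructed syslog sample modelled on the named lines quoted in the thread.
SAMPLE_LOG = """\
Aug 13 13:04:25 s01 /usr/sbin/named[1658]: client 192.168.0.112#2876: update denied
Aug 13 13:04:25 s01 /usr/sbin/named[1658]: client 192.168.0.112#2881: update denied
Aug 13 13:04:26 s01 /usr/sbin/named[1658]: dynamic update failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Aug 13 13:05:02 s01 /usr/sbin/named[1658]: client 192.168.0.57#1034: update denied
"""

UPDATE_DENIED = re.compile(
    r"named\[\d+\]: client (\d+\.\d+\.\d+\.\d+)#\d+: update denied"
)


def classify_address(addr, pool=DHCP_POOL):
    """'leased' = inside our pool, 'apipa' = client never got a DHCP
    answer and self-assigned, 'foreign' = static or handed out by a
    DHCP source other than this server."""
    ip = ipaddress.ip_address(addr)
    if ip in pool:
        return "leased"
    if ip in APIPA:
        return "apipa"
    return "foreign"


def summarize_clients(addrs, pool=DHCP_POOL):
    """Count clients per class; several 'apipa' hits at once point at the
    DHCP server (or the path to it) being unreachable, not at the clients."""
    return dict(Counter(classify_address(a, pool) for a in addrs))


def denied_updates_by_client(log_text):
    """Count named 'update denied' messages per client IP: these are the
    Windows clients' DDNS registration attempts that the zone rejects."""
    return dict(Counter(m.group(1) for m in UPDATE_DENIED.finditer(log_text)))


if __name__ == "__main__":
    print(summarize_clients(OBSERVED_CLIENTS))
    print(denied_updates_by_client(SAMPLE_LOG))
```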