Disturbing DHCP Situation - Network



Thread: Disturbing DHCP Situation

  1. Disturbing DHCP Situation

    Hello Everybody,

    I've been having a strange, disturbing, bizarre DHCP situation on my
    home network, and am at a loss as to what to do next...

    For a little over a week, about once or twice a day, my network gets
    hijacked. My network connection gets dropped, and when DHCP renews I
    get IP addresses different from my private 192.168.*.* addresses that
    the router is supposed to serve.

    Background:
    4 Windows PCs - 3 Win98, 1 WinXP Home - service packs and patches up
    to date, AVG Anti-virus on all, no strange programs found in task list
    on any machine.
    GigaFast EE400-R Router. Comcast cable connection on RCA cable modem.

    When the hijack starts, I am usually at one of the PCs and using
    Internet Explorer. I haven't found a correlation as to a specific
    trigger which starts the weirdness. The Win98 PCs simply lose
    connectivity, XP complains that "A network cable is unplugged" then
    eventually comes back with a radically different IP address - some
    have been other addresses on the Comcast subnet, some from 68.87.*
    which I have not been able to identify, other times as a 169.* or
    different 192.168.* non-routable private subnet. The Gateway is also
    set to a different public IP address. All of the addresses are
    different each time - even if two machines have come back up under
    these circumstances, the IP, Gateway, and DNS entries show no common
    values.

    If I let it continue long enough, the router goes wonky, with each
    column of lights flashing slowly in sequence.

    When hijacked, I can connect to the internet. One tracert to the
    gateway IP I was assigned showed many hops with just * rather than IPs
    or DNS names.

    Powering down the modem, router, and PCs and restarting returns me to
    my expected configuration. The router is configured to not allow
    management from the WAN, and has a strong password. After reboot, none
    of the settings are changed from what I expect.

    I'm not running any servers or P2P clients. No warez, no downloaded
    demos. I do frequently use RealPlayer on one machine, but it's been
    months since this version was installed. I occasionally use AIM, but
    it has never been running when the hijack occurs. Every now and then I
    muse about the integrity of AVG Anti-virus, but I have used it for
    years and have never had or heard of someone else having an issue with it
    being anything but a solid, free, AV scanner.

    I expect that I have a trojan somewhere that I've yet been unable to
    uncover. I've downloaded and run a Trojan detector called Trojan
    Guarder, which had high approval from other users on CNET. It had me
    delete the pgpsdk service from one machine, which would be a dandy
    target for a baddie to trojan, but I suspect it was fine since the
    same hijack has occurred again since. On my XP machine, Trojan Guarder
    had me remove a MS PowerToy task switching utility, which was
    probably fine as well.

    My XP machine is pretty secure as far as I can tell - remote desktop,
    terminal services, and other potentially dangerous services are all
    disabled.

    The other possibility is that the router itself has been compromised.
    I've upgraded its firmware since the problem began. However, if I were
    cracking the router, I'd simply set it to route through my Gateway of
    Evil and steal passwords and info as it passed through, leaving the
    router to hand out its IPs as always.

    For that matter, if a trojan is already inside the network, what would
    an attacker gain by changing all of the machines' IP addresses? How the
    heck can these bypass the router anyway? And if I'm given a
    non-Comcast IP how does data get routed to me via Comcast?

    I'm a web designer/programmer, and over the years I've repaired and
    maintained 100+ Windows PCs as a sideline to web work. This is by far
    the most baffling problem I've encountered, and ultra frustrating that
    it is in my own network, rather than found on an uneducated (ignorant)
    client's system.

    Sorry for such a long post, but the devil is in the details...

    Has anyone seen this behavior elsewhere? I googled and searched MS and
    elsewhere to find nothing.

    Can anyone recommend a better anti-trojan program that I can try free?
    How about a good windows network sniffer (again free if possible)?

    Suggestions and prayers most welcome. ;-)

    Thanks,
    Jim
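
An added example, not code from the thread: a small Python parser for DHCPOFFER packets that flags any offer whose server identifier, offered address or gateway falls outside the 192.168.x.x pool the router is supposed to serve, which is the check a sniffer on this LAN would need to run. The EXPECTED_LAN range is an assumption taken from the post, and the packets it runs on are constructed inline rather than captured.

```python
import ipaddress
import struct

# The thread's expectation: every lease should come from the router's 192.168.x.x pool (assumed /16).
EXPECTED_LAN = ipaddress.ip_network("192.168.0.0/16")
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that starts the options field (RFC 2132)

def build_offer(xid, yiaddr, server_id, router):
    """Construct a minimal DHCPOFFER; this is constructed test input, not captured traffic."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)                    # op=BOOTREPLY, Ethernet, hlen=6
    hdr += b"\x00" * 4 + ipaddress.ip_address(yiaddr).packed + b"\x00" * 8  # ciaddr, yiaddr, siaddr, giaddr
    hdr += b"\x00" * (16 + 64 + 128)                                         # chaddr, sname, file
    opts = bytes([53, 1, 2])                                                 # option 53: message type 2 = OFFER
    opts += bytes([54, 4]) + ipaddress.ip_address(server_id).packed          # option 54: server identifier
    opts += bytes([3, 4]) + ipaddress.ip_address(router).packed              # option 3: default gateway
    return hdr + MAGIC + opts + b"\xff"                                      # option 255: end

def parse_dhcp(pkt):
    """Extract the offered address and the options a rogue-DHCP check cares about."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    info = {"xid": struct.unpack("!I", pkt[4:8])[0], "yiaddr": ipaddress.ip_address(pkt[16:20])}
    i = 240
    while i < len(pkt) and pkt[i] != 255:      # 255 = end of options
        if pkt[i] == 0:                        # 0 = pad, carries no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        data = pkt[i + 2:i + 2 + length]
        if code == 53:
            info["msg_type"] = data[0]
        elif code == 54:
            info["server_id"] = ipaddress.ip_address(data)
        elif code == 3:
            info["router"] = ipaddress.ip_address(data[:4])   # first listed gateway
        i += 2 + length
    return info

def check_offer(info):
    """Return findings; an empty list means the OFFER is consistent with the router's pool."""
    if info.get("msg_type") != 2:
        return ["not a DHCPOFFER"]
    findings = []
    for field in ("server_id", "yiaddr", "router"):
        addr = info.get(field)
        if addr is None or addr not in EXPECTED_LAN:
            findings.append(f"{field} {addr} is outside {EXPECTED_LAN}")
    return findings
```

A 169.254.x.x address is not an OFFER at all: Windows self-assigns it when no DHCP server answers, so that case never reaches this parser and points to a dropped link rather than a foreign lease.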

  2. Re: Disturbing DHCP Situation

    Jim Luttgens wrote:
    > Hello Everybody,
    >
    > I've been having a strange, disturbing, bizarre DHCP situation on my
    > home network, and am at a loss as to what to do next...
    >
    > For a little over a week, about once or twice a day, my network gets
    > hijacked. My network connection gets dropped, and when DHCP renews I
    > get IP addresses different from my private 192.168.*.* addresses that
    > the router is supposed to serve.

    I would think the most likely problem would be a bad router. I suppose
    there could be some strange trojan screwing with IP addresses, but that
    seems far less likely than just a bad router. Since powering down the
    router restores settings, suspect heat related failure of the router.

  3. Re: Disturbing DHCP Situation

    If you do an nslookup in cmd of 68.87.10.1, or whatever values you have for the last two octets, you'll see that it belongs to Comcast, which is obviously your cable modem provider, and that you're around the Salt Lake City, Utah area. The problem with cable modems is that service tends to drop off when there's a large influx of activity in the community that may be set on the same network as you. It took my city a while to overcome this problem before the issue was finally resolved; it comes with the development of the cable company. I highly doubt it's hacker related, but you should make sure you have up to date security software anyways.
