Strange problem

worker201
guru
Posts: 668
Joined: Sun Jun 13, 2004 6:38 pm
Location: Hawaii

Post by worker201 »

I have a Slackware 10 box running ProFTPd (which Void helped me set up), which I use as an ftp server at work. I hadn't used it in a while, and just the other day, I tried to connect in, and was refused. Using ifconfig, I was able to determine that somehow the IP address and subnet mask were totally wrong. After restoring the correct values, I was able to connect normally.

Our department's IT guy thinks that probably someone stole my IP address. Since we have a shortage of IP addresses at our domain, people are constantly stealing them for their personal laptops that they bring to work. Probably someone did a scan, and saw that my address was idle, a perfect candidate for theft. But here's where it gets dicey. IT guy thinks that when the machine was called for, and noticed that its IP address was gone, it rolled over to DHCP, and tried to get an address that way. We don't use DHCP here now, but we plan to add a central DHCP server in the future. But some people have their own little internal networks that use DHCP, which IT guy calls "rogue DHCP clients". Presumably, that was the DHCP my computer found, because the subnet mask was inappropriate for our network, but might have been appropriate for a sub-network. Thus, my ftp program, which resolved 'slackbox.tamu.edu' into the IP address, was unable to gain ftp access.

I guess this is the sort of thing that happens in this kind of environment. Geography, oceanography and meteorology share the building, and each has its own IT people. We're allowed to do pretty much whatever we want, and some IP addresses have been dormant for years, as computers have been scrapped and replaced. It would make a lot more sense to have IP addresses assigned by office, and have the IT guys pool their resources. A little $50 hub in each room would make people share IP addresses, saving our precious IP resources for machines that need their own address, like web servers and file servers.

Anyway, here is my question:
What do you think of IT guy's opinion? Is that what happened? Will Slackware go looking for a DHCP server if its address is stolen? How can I prevent anyone from stealing my address?

Thanks in advance.

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main »

I'm not quite sure what you mean by "stealing your IP address" because there really isn't such a thing. An IP address is not something that can be "stolen". You assign an IP address to your network interface. If you do it via a static configuration the *only* way it can be changed is if you change your configuration file so that when networking starts the "ifconfig" command will assign the address to your network interface that you told it to (or you assign directly using the ifconfig command).

If you have your machine configured to use DHCP to configure your network interface then yes, any machine on your local LAN that has a DHCP server running when you start your networking could assign an address in whatever range the DHCP server is configured to serve. It could be something as simple as someone plugging in a LinkSys router and forgetting to turn off DHCP. But your machine would have to be configured to use DHCP (using pump, dhcpcd, dhclient, etc).

It would be easy to tell if you have a DHCP server on your local network. Just configure your interface to use DHCP and see if you can get a DHCP assigned address. If you do you should see DHCP messages in your system log indicating the address of the DHCP server that gave you your IP configuration.

If you have your machine configured with a static address and someone else on your LAN brings their machine up with the same address that you have assigned there will be network problems but your machine will not automatically assign itself a different address. If you really have your machine configured with a static address then if your address changed then someone had to change it. What was the address that it was changed to by the way? That might give a clue.
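As an added example (not part of the thread and not Void Main's code), here is what the "see if anyone on the LAN answers a DHCP request" test from the post above looks like at the wire level, in Python: a DHCPDISCOVER is built per RFC 2131, and any DHCPOFFER that comes back is parsed for the offered address, the subnet mask (option 1) and the server identifier (option 54), which is the address you would otherwise look for in the system log. The client MAC, the addresses in build_offer() and the site mask 255.255.252.0 (the mask worker201 says the site uses) are assumptions; the OFFER the test checks is constructed, not captured.

```python
"""DHCPDISCOVER builder and DHCPOFFER parser for spotting unexpected DHCP servers.

Added example, not from the thread. Header layout per RFC 2131, options per
RFC 2132 (1 = subnet mask, 53 = message type, 54 = server identifier).
The MAC, addresses and site mask below are assumptions for illustration.
"""
import random
import socket
import struct

# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
HDR_FMT = "!BBBBIHH4s4s4s4s16s64s128s"          # 236 bytes
MAGIC_COOKIE = b"\x63\x82\x53\x63"
ZERO4 = b"\0" * 4
OPT_SUBNET_MASK, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 1, 53, 54, 255
DHCPDISCOVER, DHCPOFFER = 1, 2
BOOTREQUEST, BOOTREPLY = 1, 2
SITE_MASK = "255.255.252.0"                      # assumed: the mask the site uses


def build_discover(mac, xid):
    """Client -> broadcast: 'does anyone here hand out addresses?'"""
    hdr = struct.pack(HDR_FMT, BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,   # flags: broadcast reply
                      ZERO4, ZERO4, ZERO4, ZERO4,
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, OPT_END])


def build_offer(xid, mac, yiaddr, mask, server_id):
    """Server -> client reply; used here only to construct a test packet."""
    hdr = struct.pack(HDR_FMT, BOOTREPLY, 1, 6, 0, xid, 0, 0x8000,
                      ZERO4, socket.inet_aton(yiaddr), socket.inet_aton(server_id), ZERO4,
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = (bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
            + bytes([OPT_SUBNET_MASK, 4]) + socket.inet_aton(mask)
            + bytes([OPT_SERVER_ID, 4]) + socket.inet_aton(server_id)
            + bytes([OPT_END]))
    return hdr + MAGIC_COOKIE + opts


def parse_offer(pkt):
    """Extract xid, message type, offered address, mask and server identifier."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    xid = struct.unpack("!I", pkt[4:8])[0]
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                          # pad option: no length byte
            i += 1
            continue
        length = pkt[i + 1]
        opts[pkt[i]] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    ip = lambda b: socket.inet_ntoa(b) if len(b) == 4 else None
    return {
        "xid": xid,
        "msg_type": opts.get(OPT_MSG_TYPE, b"\0")[0],
        "offered_ip": socket.inet_ntoa(pkt[16:20]),   # yiaddr field
        "subnet_mask": ip(opts.get(OPT_SUBNET_MASK, b"")),
        "server_id": ip(opts.get(OPT_SERVER_ID, b"")),
    }


def is_foreign(offer, site_mask=SITE_MASK):
    """An OFFER carrying a mask other than the site's is the symptom worker201 saw."""
    return offer["subnet_mask"] != site_mask


def probe(timeout=3.0, mac=bytes.fromhex("001122334455")):
    """Broadcast one DISCOVER and return every OFFER that answers (port 68 needs root).
    No DHCPREQUEST is ever sent: the aim is to look, not to take a lease."""
    xid = random.getrandbits(32)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("", 68))
    s.settimeout(timeout)
    s.sendto(build_discover(mac, xid), ("255.255.255.255", 67))
    offers = []
    try:
        while True:
            data, (src, _) = s.recvfrom(1500)
            try:
                o = parse_offer(data)
            except ValueError:
                continue
            if o["xid"] == xid and o["msg_type"] == DHCPOFFER:
                offers.append((src, o))
    except socket.timeout:
        pass
    finally:
        s.close()
    return offers


if __name__ == "__main__":
    for src, o in probe():
        print(src, o, "FOREIGN" if is_foreign(o) else "site")
```

Run it as root on the segment in question; every (source, offer) pair it prints is a DHCP server that would have answered a client on that LAN, and the server_id field is the address to go looking for.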

Post by worker201 »

Void Main wrote:If you have your machine configured with a static address and someone else on your LAN brings their machine up with the same address that you have assigned there will be network problems but your machine will not automatically assign itself a different address. If you really have your machine configured with a static address then if your address changed then someone had to change it. What was the address that it was changed to by the way? That might give a clue.
This is exactly what I mean by "stealing" my IP address. I didn't write down the new address, but I do remember that it was subnet mask 255.255.255.0. We use 252.0, and I noticed that right away. I did not ever ask my computer to use DHCP, but I never expressly forbade it to either. Is it necessary to explicitly deny DHCP? What exactly would happen if someone brought up their computer with my IP address? How would Slackware deal with the conflict?

Post by Void Main »

worker201 wrote:
Void Main wrote:If you have your machine configured with a static address and someone else on your LAN brings their machine up with the same address that you have assigned there will be network problems but your machine will not automatically assign itself a different address. If you really have your machine configured with a static address then if your address changed then someone had to change it. What was the address that it was changed to by the way? That might give a clue.
This is exactly what I mean by "stealing" my IP address. I didn't write down the new address, but I do remember that it was subnet mask 255.255.255.0. We use 252.0, and I noticed that right away. I did not ever ask my computer to use DHCP, but I never expressly forbade it to either. Is it necessary to explicitly deny DHCP? What exactly would happen if someone brought up their computer with my IP address? How would Slackware deal with the conflict?
It would be no different than if someone on your street put your mailing address on their mailbox. The postman would get confused. He might deliver your mail to the other person, he might deliver your mail to you or he might just keep the mail in his mail bag. There is nothing magical about it. You either configure your machine with a static address or you configure it to use DHCP. If you configured it with a static address like you said then someone had to physically log on to your machine and reconfigure it. Your machine doesn't "know" that someone else on your LAN has configured their machine with your address. That's why I say "stealing" an address really isn't a term that fits. You can't steal an address. If more than one machine is configured with the same address neither one of them will work properly and both users will surely notice a problem very quickly. It's not uncommon for this to happen if A) the network people don't know what they are doing or B) a user is messing around with their configuration and doesn't know what they are doing or C) a user intentionally configures their machine with your address in hopes of trying to get "some of your mail".

If you have your machine configured with DHCP (which you said you didn't) then yes, if someone brings up a rogue DHCP server on your network and it answers your DHCP request for an IP address before your intended DHCP server does then you will get an address from that rogue DHCP server. If you have your machine configured to use DHCP and you don't have a DHCP server and you also manually assign an address then yes I could see how this scenario could happen. This is not easily done on most distros though and I am not familiar with Slackware. I can tell you that in order for this to happen then one of the DHCP client daemons would have to be running. Look through your process list for either the command "pump", "dhcpcd", or "dhclient". If one of those is running then you got a DHCP address from some rogue DHCP server. You should also have a DHCP configuration file probably in the /var/lib/dhcp directory. If one of those commands is not running then someone had to have logged into your machine and reconfigured it. You normally use static configurations on servers so a rogue DHCP can't change things.
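As an added example (not from the thread, not Void Main's code), the two checks from the post above put into a small Python script: look for a DHCP client daemon (pump, dhcpcd, dhclient) in `ps auxwww` output, and confirm that the boot-time configuration really says static. The rc.inet1.conf keys (IPADDR[n], NETMASK[n], USE_DHCP[n]) are assumed from the layout Slackware's rc.inet1.conf used at that time; the ps sample is a cut-down copy of the thread's listing with one constructed dhcpcd line added for contrast, and the configuration sample is constructed.

```python
"""Could this box have taken its address from a DHCP server?

Added example, not from the thread. Check 1: a DHCP client daemon in the
process list. Check 2: the static configuration is really static. The
rc.inet1.conf key names are an assumption about Slackware's file of that era.
"""
import os
import re

DHCP_CLIENTS = {"pump", "dhcpcd", "dhclient"}


def dhcp_clients_in_ps(ps_text):
    """Return (pid, command) for every running DHCP client daemon in `ps auxwww` output."""
    found = []
    for line in ps_text.splitlines()[1:]:        # skip the header row
        fields = line.split(None, 10)            # COMMAND is column 11 and may contain spaces
        if len(fields) < 11:
            continue
        pid, cmd = fields[1], fields[10]
        exe = os.path.basename(cmd.split()[0]).strip("[]")   # kernel threads show as [name]
        if exe in DHCP_CLIENTS:
            found.append((int(pid), cmd))
    return found


# Assumed rc.inet1.conf syntax:  KEY[n]="value"
CONF_LINE = re.compile(r'^\s*(IPADDR|NETMASK|USE_DHCP|DHCP_HOSTNAME)\[(\d+)\]\s*=\s*"?([^"#]*)"?')


def parse_rc_inet1_conf(text):
    """Map interface index -> {key: value}."""
    conf = {}
    for line in text.splitlines():
        m = CONF_LINE.match(line)
        if m:
            key, idx, val = m.groups()
            conf.setdefault(idx, {})[key] = val.strip()
    return conf


def verdict(ps_text, conf_text, idx="0"):
    """Combine both checks for one interface index."""
    daemons = dhcp_clients_in_ps(ps_text)
    iface = parse_rc_inet1_conf(conf_text).get(idx, {})
    static = iface.get("USE_DHCP", "").lower() != "yes" and bool(iface.get("IPADDR"))
    return {
        "dhcp_daemons": daemons,
        "configured_static": static,
        "configured_ip": iface.get("IPADDR"),
        "configured_mask": iface.get("NETMASK"),
        # No daemon and a static config: DHCP cannot explain a changed address.
        "dhcp_possible": bool(daemons) or not static,
    }


# Constructed sample: a subset of the thread's ps listing.
PS_CLEAN = """USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 480 240 ? S Oct11 0:04 init [3]
root 60 0.0 0.2 1404 592 ? Ss Oct11 0:00 /usr/sbin/syslogd
root 609 0.0 0.5 3140 1408 ? Ss Oct11 0:00 /usr/sbin/sshd
root 613 0.0 0.8 4392 2220 ? Ss Oct11 0:00 /usr/sbin/named
root 637 0.0 0.1 1384 456 ? Ss Oct11 0:00 /usr/sbin/gpm -m /dev/mouse -t ps2
"""
# Constructed contrast: the same box with a DHCP client running.
PS_DHCP = PS_CLEAN + "root 700 0.0 0.1 1200 400 ? S Oct11 0:00 /sbin/dhcpcd -t 10 eth0\n"

# Constructed static configuration (TEST-NET-1 addresses, not the real ones).
RC_INET1_CONF = """# Config information for eth0:
IPADDR[0]="192.0.2.10"
NETMASK[0]="255.255.252.0"
USE_DHCP[0]=""
DHCP_HOSTNAME[0]=""
"""

if __name__ == "__main__":
    print(verdict(PS_CLEAN, RC_INET1_CONF))
    print(verdict(PS_DHCP, RC_INET1_CONF))
```

On the real box, feed it the live `ps auxwww` output and the real rc.inet1.conf; if dhcp_possible comes back False, the address change had some other cause.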

Post by worker201 »

By looking at the proftpd transfer log, I can say with some degree of certainty that the problem occurred between Oct 4 and Oct 11. Oct 4 was the last time I used ftp before the address change. Oct 11 is when the address was switched back, and ftp was used again. Which log files can tell me who was logged on/off the computer during that time? Newb question, I know. This problem, which no one seems able to explain, is kinda making me paranoid about my security. I gave Slackware my IP address, subnet mask, DNS, and domain name. I specifically configured it as a static IP address, and this address has been officially assigned to that computer by the university. No one but me has a root or user password to the machine, and anonymous ftp users are jailed in /usr/local/ftp, and only have upload/download access to the public folder.

Sorry if this seems trivial or confusing, but security is really important to me. Not because I am afraid that someone will steal my data - anyone is welcome to download anything they like. More because I feel violated when my security has been breached, as if someone unclean was here, messing around. Any help or assistance that you can provide is very appreciated.

Post by Void Main »

Do you have any of the 3 programs running that I asked about? I would be interested in seeing the output of this command:

    ps auxwww

All of your logs should be in /var/log. Do you have a /var/lib/dhcp directory? If so does it have any files in it that have a timestamp at least as recent as when you last logged in prior to the incident?

Post by worker201 »

Output of ps auxwww:

USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 480 240 ? S Oct11 0:04 init [3]
root 2 0.0 0.0 0 0 ? S Oct11 0:00 [keventd]
root 3 0.0 0.0 0 0 ? SN Oct11 0:00 [ksoftirqd_CPU0]
root 4 0.0 0.0 0 0 ? S Oct11 0:00 [kswapd]
root 5 0.0 0.0 0 0 ? S Oct11 0:00 [bdflush]
root 6 0.0 0.0 0 0 ? S Oct11 0:00 [kupdated]
root 10 0.0 0.0 0 0 ? S< Oct11 0:00 [mdrecoveryd]
root 11 0.0 0.0 0 0 ? S Oct11 0:00 [kreiserfsd]
root 60 0.0 0.2 1404 592 ? Ss Oct11 0:00 /usr/sbin/syslogd
root 63 0.0 0.1 1344 448 ? Ss Oct11 0:00 /usr/sbin/klogd -c 3 -x
root 209 0.0 0.0 0 0 ? S Oct11 0:00 [khubd]
root 606 0.0 0.2 1380 528 ? Ss Oct11 0:00 /usr/sbin/inetd
root 609 0.0 0.5 3140 1408 ? Ss Oct11 0:00 /usr/sbin/sshd
root 613 0.0 0.8 4392 2220 ? Ss Oct11 0:00 /usr/sbin/named
root 624 0.0 0.2 1460 564 ? S Oct11 0:00 /usr/sbin/crond -l10
root 635 0.0 0.6 3668 1708 ? Ss Oct11 0:00 /usr/sbin/httpd
root 637 0.0 0.1 1384 456 ? Ss Oct11 0:00 /usr/sbin/gpm -m /dev/mouse -t ps2
lholcom 639 0.0 0.5 2636 1536 tty1 Ss Oct11 0:00 -bash
root 640 0.0 0.1 1336 468 tty2 Ss+ Oct11 0:00 /sbin/agetty 38400 tty2 linux
root 641 0.0 0.1 1336 468 tty3 Ss+ Oct11 0:00 /sbin/agetty 38400 tty3 linux
root 642 0.0 0.1 1336 468 tty4 Ss+ Oct11 0:00 /sbin/agetty 38400 tty4 linux
root 643 0.0 0.1 1336 468 tty5 Ss+ Oct11 0:00 /sbin/agetty 38400 tty5 linux
root 644 0.0 0.1 1336 468 tty6 Ss+ Oct11 0:00 /sbin/agetty 38400 tty6 linux
nobody 645 0.0 0.6 3692 1712 ? S Oct11 0:00 /usr/sbin/httpd
nobody 646 0.0 0.6 3692 1712 ? S Oct11 0:00 /usr/sbin/httpd
nobody 647 0.0 0.6 3692 1712 ? S Oct11 0:00 /usr/sbin/httpd
nobody 648 0.0 0.6 3692 1712 ? S Oct11 0:00 /usr/sbin/httpd
nobody 649 0.0 0.6 3692 1712 ? S Oct11 0:00 /usr/sbin/httpd
lholcom 2588 0.0 0.3 2276 792 tty1 R+ 18:23 0:00 ps auxwww

I do not have a directory /var/lib/dhcp.

Post by Void Main »

You don't have any DHCP client daemons running so there is no way that it was reconfigured via DHCP. After configuring your machine with a static address had you ever rebooted the machine? The reason I ask is I am wondering if you might have configured the address manually using the "ifconfig" command but never put the proper IP configuration in your startup files. Then if the machine had been rebooted (power failure, etc) the machine could have come up with whatever might have been in an example file. Check your uptime ("uptime" command) and see if the machine was rebooted within the time period in question. If you know you had it configured right and it comes up with the proper configuration after a reboot then someone had to have manually changed the address either at the console or from an ssh login or through an exploited vulnerability. Do you keep your system up to date? Look at your logs closely for the time period in question for anything out of the ordinary (failed login attempts, etc). You might also look through your /root/.bash_history file and see if there are any commands performed by root related to your IP configuration (as long as they don't roll off, make a copy of that file to keep as much as you can).
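As an added example (not from the thread, not Void Main's code), the triage the post above describes, in Python, run over three constructed samples of the sources it points at: root's .bash_history (which commands touched the interface), the sshd lines in syslog (failed and accepted logins inside the Oct 4 to Oct 11 window worker201 gave), and `last -x` output (reboots in that window, which is the "did it come back up from a stale startup file" question). The host name, addresses and timestamps in the samples are made up, and the year is assumed to be 2004 because syslog lines carry none.

```python
"""Who touched the IP configuration, and when: triage over three text sources.

Added example, not from the thread. All sample data below is constructed;
the syslog year is assumed (syslog lines have no year field).
"""
from datetime import datetime
import re

YEAR = 2004
WINDOW = (datetime(YEAR, 10, 4), datetime(YEAR, 10, 12))   # Oct 4 .. Oct 11 inclusive

# Commands that set or re-apply the interface configuration on a box like this one.
NET_CMD = re.compile(r"\b(ifconfig|route|netconfig|dhcpcd|dhclient|pump|rc\.inet1)\b")


def history_net_commands(history_text):
    """History lines that touch IP configuration. .bash_history carries no timestamps
    unless HISTTIMEFORMAT was set, so this answers 'what', not 'when'."""
    return [l for l in history_text.splitlines() if NET_CMD.search(l)]


MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}
SYSLOG_LINE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d):(\d\d):(\d\d) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted (\S+) for (\S+) from (\S+)")


def in_window(ts, window=WINDOW):
    return window[0] <= ts < window[1]


def ssh_events(syslog_text, window=WINDOW):
    """sshd logins inside the window as (time, 'failed'|'accepted', user, source)."""
    out = []
    for line in syslog_text.splitlines():
        m = SYSLOG_LINE.match(line)
        if not m:
            continue
        mon, day, hh, mi, ss, _host, prog, msg = m.groups()
        ts = datetime(YEAR, MONTHS[mon], int(day), int(hh), int(mi), int(ss))
        if prog != "sshd" or not in_window(ts, window):
            continue
        f = FAILED.search(msg)
        if f:
            out.append((ts, "failed", f.group(1), f.group(2)))
            continue
        a = ACCEPTED.search(msg)
        if a:
            out.append((ts, "accepted", a.group(2), a.group(3)))
    return out


LAST_REBOOT = re.compile(r"^reboot\s+system boot\s+\S+\s+\w{3} (\w{3})\s+(\d{1,2}) (\d\d):(\d\d)")


def reboots(last_text, window=WINDOW):
    """Reboot times from `last -x` output that fall inside the window."""
    out = []
    for line in last_text.splitlines():
        m = LAST_REBOOT.match(line)
        if not m:
            continue
        mon, day, hh, mi = m.groups()
        ts = datetime(YEAR, MONTHS[mon], int(day), int(hh), int(mi))
        if in_window(ts, window):
            out.append(ts)
    return out


def triage(history_text, syslog_text, last_text, window=WINDOW):
    ev = ssh_events(syslog_text, window)
    return {
        "net_commands": history_net_commands(history_text),
        "failed_logins": [e for e in ev if e[1] == "failed"],
        "accepted_logins": [e for e in ev if e[1] == "accepted"],
        "reboots": reboots(last_text, window),
    }


# Constructed samples (TEST-NET addresses; not real logs from the box).
HISTORY = """ls /var/log
tail /var/log/messages
ifconfig eth0 192.0.2.10 netmask 255.255.252.0 up
route add default gw 192.0.2.1
vi /etc/rc.d/rc.inet1.conf
cat /etc/proftpd.conf
"""
SYSLOG = """Oct  3 23:58:01 slackbox sshd[702]: Accepted password for lholcom from 192.0.2.20 port 40122 ssh2
Oct  6 02:13:44 slackbox sshd[1311]: Failed password for root from 198.51.100.7 port 2201 ssh2
Oct  6 02:13:49 slackbox sshd[1311]: Failed password for root from 198.51.100.7 port 2201 ssh2
Oct  6 02:14:03 slackbox sshd[1313]: Failed password for invalid user admin from 198.51.100.7 port 2205 ssh2
Oct  7 09:30:12 slackbox sshd[1402]: Accepted publickey for lholcom from 192.0.2.20 port 40980 ssh2
Oct 11 18:20:05 slackbox sshd[2571]: Accepted password for lholcom from 192.0.2.20 port 41733 ssh2
"""
LAST = """lholcom  tty1                          Mon Oct 11 18:19   still logged in
reboot   system boot  2.4.26            Mon Oct 11 09:02          (09:17)
lholcom  tty1                          Mon Oct  4 10:05 - down   (6+22:57)
reboot   system boot  2.4.26            Tue Sep 28 08:44          (13+00:18)
"""

if __name__ == "__main__":
    for k, v in triage(HISTORY, SYSLOG, LAST).items():
        print(k, v)
```

On the real box the inputs are /root/.bash_history, the sshd lines from /var/log (messages, secure or auth.log depending on the syslog.conf), and `last -x` (which reads /var/log/wtmp and also rotates, so copy it along with the history file). A reboot inside the window plus ifconfig in the history with nothing in rc.inet1.conf is the "stale startup file" story; failed root logins from one source followed by an accepted one is the other.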
