

DHCP log information

Question

Friday, June 26, 2009 10:02 PM | 1 vote

Is there a way to check my DHCP server logs for the recent scope information that has been passed to clients?  I believe there was a misconfiguration of scope options on my server and want to check if information passed to clients earlier today can confirm that.

Specs:

Server 2003 Std SP2
DHCP authorized in domain
Services have been running for months without issue

All replies (4)

Saturday, June 27, 2009 8:51 PM

Not sure if this is what you are looking for but,
By default, the log files for the DHCP server are stored here: %SystemRoot%\System32\dhcp.

They should be named something like: "DhcpSrvLog-DAY.log".

Good luck.
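As an added example (not code from the thread), the parser below reads the DhcpSrvLog-DAY.log format the reply points at. The audit log is a CSV whose record columns are ID, Date, Time, Description, IP Address, Host Name and MAC Address, preceded by a free-text legend; the sample lines embedded here are constructed, not taken from a real server. One caveat worth knowing before digging: the audit log records lease events (which client obtained, renewed or released which address and when), not the option values such as DNS or DHCP server addresses that were handed out, so it tells you which clients to inspect rather than what options they received.

```python
"""Summarize lease events from a Windows DHCP server audit log (DhcpSrvLog-*.log).

Added example. Record columns are ID,Date,Time,Description,IP Address,Host Name,
MAC Address (later Windows versions append more columns, which are ignored).
SAMPLE_LOG is constructed for illustration.
"""
import csv
from collections import defaultdict

# Event IDs from the legend Windows writes at the top of each audit log
EVENT_NAMES = {
    "00": "log started", "01": "log stopped", "02": "log paused",
    "10": "new lease", "11": "renew", "12": "release",
    "13": "ip already in use", "14": "request not satisfied",
    "15": "lease denied", "16": "lease deleted", "17": "lease expired",
    "20": "bootp lease",
}

# Constructed sample: a short legend, the column header, then CSV records
SAMPLE_LOG = """\t\tMicrosoft DHCP Service Activity Log

Event ID  Meaning
00\tThe log was started.
10\tA new IP address was leased to a client.

ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,06/26/09,08:00:01,Started,,,
10,06/26/09,09:12:44,Assign,192.168.1.50,pc01.corp.example,001122334455
11,06/26/09,09:40:10,Renew,192.168.1.51,pc02.corp.example,00112233AABB
15,06/26/09,10:05:02,NACK,192.168.1.200,,00AABBCCDDEE
12,06/26/09,13:30:00,Release,192.168.1.50,pc01.corp.example,001122334455
"""


def parse_audit_log(text):
    """Return a list of record dicts; everything before the ID,Date,Time header is skipped."""
    records = []
    in_records = False
    for line in text.splitlines():
        if not in_records:
            in_records = line.startswith("ID,Date,Time")
            continue
        if not line.strip():
            continue
        fields = next(csv.reader([line]))
        if len(fields) < 7:
            continue  # malformed line, ignore rather than abort the whole log
        event_id, date, time, desc, ip, host, mac = fields[:7]
        records.append({
            "event": EVENT_NAMES.get(event_id, f"unknown({event_id})"),
            "date": date, "time": time, "description": desc,
            "ip": ip, "host": host, "mac": mac.upper(),
        })
    return records


def lease_history(records):
    """Map MAC address -> chronological list of (date, time, event, ip)."""
    history = defaultdict(list)
    for r in records:
        if r["mac"]:
            history[r["mac"]].append((r["date"], r["time"], r["event"], r["ip"]))
    return dict(history)


def clients_active_between(records, date, start, end):
    """MACs that were assigned or renewed a lease on `date` within [start, end]
    (HH:MM:SS strings compare correctly as text)."""
    lease_events = {"new lease", "renew", "bootp lease"}
    return sorted({
        r["mac"] for r in records
        if r["date"] == date and start <= r["time"] <= end and r["event"] in lease_events
    })


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_LOG)
    for mac, events in lease_history(recs).items():
        print(mac, events)
    print(clients_active_between(recs, "06/26/09", "09:00:00", "10:00:00"))
```

Point `parse_audit_log` at the contents of the day's file in %SystemRoot%\System32\dhcp and use `clients_active_between` with the window in which the bad options were observed to get the list of clients worth checking with ipconfig /all.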


Sunday, June 28, 2009 11:32 AM

Hello,

Not sure if that information is logged, but if your clients get problems they just have to reboot or run ipconfig /release and ipconfig /renew to get the latest and now correct information from the server.

Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.


Monday, June 29, 2009 1:59 PM

Thanks guys.

Interestingly, my problem stemmed from a DHCP scope that was working properly for months and all of a sudden started handing out DNS and DHCP server address information to my clients that I did not recognize. Specifically, the scope would pass out correct IP addresses, but incorrect DNS server and DHCP server settings. I could find no trace of the DNS and DHCP server information it was sending out in the DHCP server anywhere. The scope was configured properly, but sure enough my clients were misconfigured.

I went through processes to determine that a rogue DHCP server wasn't on the network, but found nothing.  A restart of my DHCP server service fixed the issue but I'm curious why the DHCP server was passing out the information it was.  I did not recognize the information it was passing out (except for the IP addresses).

I made sure my AV dats were up to date and ran a scan, which returned no suspicious files.

I'm up and running now but this is too weird to not look into...


Wednesday, July 1, 2009 3:02 PM

I found the cause of my DHCP issue and wanted to post for all to see.

The cause of my bogus DHCP information was in fact a rogue DHCP server setup on my network.
I was able to pinpoint the offending workstation down to a Dell laptop running Vista SP1.

Although I am unsure what specific trojan was the cause, the various DNSChanger trojans outlined here:

http://www.lancs.ac.uk/iss/a-virus/index.php?page=ssi-outbreak.htm
http://blog.trendmicro.com/dns-changer-malware-evolves-again/
http://blog.trendmicro.com/top-8-in-08/
http://news.softpedia.com/news/DNS-Changing-Malware-Employs-New-Technique-99392.shtml
http://www.avertlabs.com/research/blog/index.php/2008/12/04/dnschanger-trojans-v40/

fit the bill perfectly.

I am going to reimage the machine before allowing it back on the network.

Thanks.

Jeff
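The symptom Jeff describes (clients get a plausible IP address but the DNS server and DHCP server identifier in the lease are unfamiliar) is visible in the DHCP OFFER/ACK messages the clients receive, because a rogue server answers the same broadcast the real one does. As an added example, not part of the thread, the script below decodes the fixed header and the option TLVs of a DHCP reply (RFC 2131/2132 layout) and flags replies whose server identifier (option 54) or DNS servers (option 6) are not on an allowlist. The two packets it checks are constructed in memory and never transmitted; the allowlist addresses and the 203.0.113.53 address are assumed values. In practice the payload would come from a packet capture on an affected client, taken from UDP port 68.

```python
"""Audit DHCP OFFER/ACK messages for untrusted server identifier (option 54)
and DNS server (option 6) values.

Added example. The wire layout is the standard DHCP one; the sample packets,
allowlists and addresses below are constructed for illustration.
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID = 6, 53, 54
MSG_OFFER, MSG_ACK = 2, 5


def parse_dhcp(payload: bytes) -> dict:
    """Decode the 236-byte fixed header and the option TLVs of one DHCP message."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    (op, _htype, hlen, _hops, xid, _secs, _flags,
     _ciaddr, yiaddr, _siaddr, _giaddr) = struct.unpack("!BBBBIHHIIII", payload[:28])
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:          # pad option, single byte
            i += 1
            continue
        if code == 255:        # end option
            break
        if i + 1 >= len(payload):
            break              # truncated TLV header, stop rather than index past the end
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op,
        "xid": xid,
        "yiaddr": str(ipaddress.IPv4Address(yiaddr)),
        "chaddr": payload[28:28 + hlen].hex(),
        "options": options,
    }


def ipv4_list(raw: bytes) -> list:
    """Split an option value made of concatenated 4-byte IPv4 addresses."""
    return [str(ipaddress.IPv4Address(raw[j:j + 4]))
            for j in range(0, len(raw) - len(raw) % 4, 4)]


def audit_reply(payload: bytes, trusted_servers: set, trusted_dns: set) -> list:
    """Return findings for an OFFER/ACK; an empty list means it matches the allowlists."""
    msg = parse_dhcp(payload)
    msg_type = msg["options"].get(OPT_MSG_TYPE, b"\x00")[0]
    if msg_type not in (MSG_OFFER, MSG_ACK):
        return []
    findings = []
    for ip in ipv4_list(msg["options"].get(OPT_SERVER_ID, b"")):
        if ip not in trusted_servers:
            findings.append(f"untrusted DHCP server identifier {ip} (xid {msg['xid']:#x})")
    for ip in ipv4_list(msg["options"].get(OPT_DNS, b"")):
        if ip not in trusted_dns:
            findings.append(f"untrusted DNS server {ip} offered to {msg['chaddr']}")
    return findings


# --- constructed sample packets (built in memory, never sent) -----------------
def build_sample_reply(msg_type: int, yiaddr: str, server_id: str, dns: list) -> bytes:
    """Assemble a minimal DHCP reply so the parser has realistic input to check."""
    header = struct.pack("!BBBBIHHIIII", 2, 1, 6, 0, 0x1234ABCD, 0, 0, 0,
                         int(ipaddress.IPv4Address(yiaddr)), 0, 0)
    header += bytes.fromhex("001122334455") + b"\x00" * 10   # chaddr, 16 bytes
    header += b"\x00" * (64 + 128)                          # sname, file
    opts = bytearray(MAGIC_COOKIE)
    opts += bytes([OPT_MSG_TYPE, 1, msg_type])
    opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    dns_raw = b"".join(ipaddress.IPv4Address(d).packed for d in dns)
    opts += bytes([OPT_DNS, len(dns_raw)]) + dns_raw
    opts.append(255)
    return header + bytes(opts)


TRUSTED_SERVERS = {"192.168.1.10"}                 # assumed: the authorized DHCP server
TRUSTED_DNS = {"192.168.1.10", "192.168.1.11"}     # assumed: the site's DNS servers
GOOD_OFFER = build_sample_reply(MSG_OFFER, "192.168.1.50", "192.168.1.10",
                                ["192.168.1.10", "192.168.1.11"])
ROGUE_OFFER = build_sample_reply(MSG_OFFER, "192.168.1.50", "192.168.1.77",
                                 ["203.0.113.53"])

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_OFFER), ("rogue", ROGUE_OFFER)):
        print(name, audit_reply(pkt, TRUSTED_SERVERS, TRUSTED_DNS) or ["ok"])
```

The server identifier in a flagged reply is the address to chase: it is what the client later shows as its DHCP server, and on a switched network the port it answers from leads to the offending machine, which is how a rogue laptop like the one in this thread gets located.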