Hacked? IP address changes in Event Log?

worrywart
      08-03-2004, 08:58 PM
I've got a problem where brand new (and not on our network)
secondary IP addresses and gateways have suddenly showed up
on a Windows 2003 Server. It's not on the Internet, but on
a private network that does have web access via http proxy
to the outside world. I suspect I've either been hacked via
a workstation trojan somewhere on the internal network or
one of my co-workers is clandestinely sabotaging this machine.

Do system IP address changes show up in the Event Log to
see who did them, and from where? And if so, how do I look
for them?
Scott Harding - MS MVP
      08-03-2004, 09:22 PM
Is it set to DHCP? Are you seeing a 169.x.x.x. address?

--
Scott Harding
MCSE, MCSA, A+, Network+
Microsoft MVP - Windows NT Server

"worrywart" <(E-Mail Removed)> wrote in message
news:b9c401c4799c$98313fc0$(E-Mail Removed)...
> I've got a problem where brand new (and not on our network)
> secondary IP addresses and gateways have suddenly showed up
> on a Windows 2003 Server. It's not on the Internet, but on
> a private network that does have web access via http proxy
> to the outside world. I suspect I've either been hacked via
> a workstation trojan somewhere on the internal network or
> one of my co-workers is clandestinely sabotaging this machine.
>
> Do system IP address changes show up in the Event Log to
> see who did them, and from where? And if so, how do I look
> for them?

Phillip Windell
      08-03-2004, 09:29 PM
Even if I "hacked a machine silly" there would never be any point in adding
a secondary address to the thing,...especially if it was on a different
subnet. Short of VLANs, all IP#s on a nic must all be from the same
subnet,....any number that isn't in the same subnet would be worthless.

Most likely someone with physical access to the machine who either wasn't
paying attention to what they were doing, or didn't know what they were
doing has added that number manually.


--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


"worrywart" <(E-Mail Removed)> wrote in message
news:b9c401c4799c$98313fc0$(E-Mail Removed)...
> I've got a problem where brand new (and not on our network)
> secondary IP addresses and gateways have suddenly showed up
> on a Windows 2003 Server. It's not on the Internet, but on
> a private network that does have web access via http proxy
> to the outside world. I suspect I've either been hacked via
> a workstation trojan somewhere on the internal network or
> one of my co-workers is clandestinely sabotaging this machine.
>
> Do system IP address changes show up in the Event Log to
> see who did them, and from where? And if so, how do I look
> for them?

worrywart
      08-04-2004, 03:16 PM
No, we never use DHCP, all IP addrs in our organization
must be fixed, and set manually, by our internal
administrative policies.

Is there something special about a 169.x.x.x address that
we should know about?

BTW, I did find out that a co-worker that had physical
access to the machine was indeed monkeying around with the
network configs without my permission, but my PHB gave him
the Admin password and let him mess with the server behind
my back. (Grrrrr) That problem has been fixed with a new
staff policy this morning.

>-----Original Message-----
>Is it set to DHCP? Are you seeing a 169.x.x.x. address?
>
>--
>Scott Harding
>MCSE, MCSA, A+, Network+
>Microsoft MVP - Windows NT Server

Guest
      08-04-2004, 03:21 PM
So I guess the answer must be 'NO'. The event log doesn't
track who changed the network configs when and from where???

Then all I can say is what a huge gaping oversight in lack
of security design that presents. You'd think that
tracking/auditing any changes in the network configs should
be deemed absolutely crucial to minimal fundamental system
security.
 
Phillip Windell
      08-04-2004, 03:44 PM
<(E-Mail Removed)> wrote in message
news:c3ea01c47a36$a9de3030$(E-Mail Removed)...
> So I guess the answer must be 'NO'. The event log doesn't
> track who changed the network configs when and from where???
>
> Then all I can say is what a huge gaping oversight in lack
> of security design that presents. You'd think that
> tracking/auditing any changes in the network configs should
> be deemed absolutely crucial to minimal fundamental system
> security.


No,.... with minimal fundamental security it wouldn't have happened to begin
with. Minimal fundamental security includes keeping servers in a locked
room and not letting anyone else know the admin credentials. As I indicated
in my other post, I think this was done by someone who didn't know what
they were doing by physically sitting at the machine itself and doing it
manually.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Scott Harding - MS MVP
      08-04-2004, 04:21 PM
The 169 address space is reserved for APIPA, Automatic IP addressing. If a
machine is set to DHCP but cannot locate a DHCP server it will assign itself
a 169.something address.

--
Scott Harding
MCSE, MCSA, A+, Network+
Microsoft MVP - Windows NT Server

"Phillip Windell" <@.> wrote in message
news:%(E-Mail Removed)...
> <(E-Mail Removed)> wrote in message
> news:c3ea01c47a36$a9de3030$(E-Mail Removed)...
> > So I guess the answer must be 'NO'. The event log doesn't
> > track who changed the network configs when and from where???
> >
> > Then all I can say is what a huge gaping oversight in lack
> > of security design that presents. You'd think that
> > tracking/auditing any changes in the network configs should
> > be deemed absolutely crucial to minimal fundamental system
> > security.

>
> No,.... with minimal fundamental security it wouldn't have happened to begin
> with. Minimal fundamental security includes keeping servers in a locked
> room and not letting anyone else know the admin credentials. As I indicated
> in my other post, I think this was done by someone who didn't know what
> they were doing by physically sitting at the machine itself and doing it
> manually.
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>

Phillip Windell
      08-04-2004, 06:03 PM

"Scott Harding - MS MVP" <scrockel@**NO_SPAM**hotmail.com> wrote in message
news:(E-Mail Removed)...
> The 169 address space is reserved for APIPA, Automatic IP addressing. If a
> machine is set to DHCP but cannot locate a DHCP server it will assign
> itself a 169.something address.


Ok. I didn't see the post where he indicated that address till after. But in
the first post it was called a secondary address. Maybe the terminology was
just used loosely, but an actual real "secondary address" cannot come from
DHCP (or even attempt to, then fail and get a 169.* address) to my
knowledge. Only a primary address can come from DHCP. Isn't that the case?

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Ole Kristian Bangås
      08-04-2004, 10:55 PM
On Wed, 4 Aug 2004 09:21:54 -0700, Scott Harding - MS MVP
<scrockel@**NO_SPAM**hotmail.com> wrote:

> The 169 address space is reserved for APIPA, Automatic IP addressing. If a
> machine is set to DHCP but cannot locate a DHCP server it will assign
> itself a 169.something address.


Minor correction. 169.254.0.0/16 is reserved for APIPA, not 169.0.0.0/8.
At least this is what all my Microsoft documentation states.

--
Ole Kristian Bangås
http://www.bangaas.com/
 
Roland Hall
      08-07-2004, 03:37 PM
"Phillip Windell" wrote in message
news:(E-Mail Removed)...
:
: "Scott Harding - MS MVP" <scrockel@**NO_SPAM**hotmail.com> wrote in message
: news:(E-Mail Removed)...
: > The 169 address space is reserved for APIPA, Automatic IP addressing. If a
: > machine is set to DHCP but cannot locate a DHCP server it will assign
: > itself a 169.something address.
:
: Ok. I didn't see the post where he indicated that address till after. But in
: the first post it was called a secondary address. Maybe the terminology was
: just used loosely, but an actual real "secondary address" cannot come from
: DHCP (or even attempt to, then fail and get a 169.* address) to my
: knowledge. Only a primary address can come from DHCP. Isn't that the case?

Correct. You cannot have a static IP address and also tell your client to
use DHCP to grab and use as a secondary address an address from a DHCP pool.

The security model is flawed and is the source of the issue here. I also do
not see the need of a policy meeting when a swift kick to the knee will
reinforce the current policy.

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Online Support for IT Professionals -
http://support.microsoft.com/service...p?fr=0&sd=tech
How-to: Windows 2000 DNS:
http://support.microsoft.com/default...b;EN-US;308201
FAQ W2K/2K3 DNS:
http://support.microsoft.com/default...b;EN-US;291382
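
As an added example (not code from any poster in this thread), a Python audit over a constructed configuration snapshot that checks the three points the thread raises: addresses in the APIPA block 169.254.0.0/16 rather than 169/8, secondary addresses that sit outside the primary address's subnet, and addresses or gateways missing from the administrator's approved static allocation. The snapshot and allow-list are constructed; in practice the snapshot would be filled from `ipconfig /all` on a schedule, since the thread did not turn up an event-log record that attributes such changes.

```python
import ipaddress

# Constructed snapshot (not captured from a real host): one adapter, shaped
# like what `ipconfig /all` reports: addresses with prefix length, gateways,
# and whether DHCP is enabled.
SNAPSHOT = {
    "Local Area Connection": {
        "dhcp_enabled": False,
        "addresses": ["10.1.2.10/24", "192.168.50.7/24", "169.254.31.9/16"],
        "gateways": ["10.1.2.1", "192.168.50.1"],
    },
}

# Constructed allow-list: what the administrator actually assigned by hand.
APPROVED = {
    "Local Area Connection": {"addresses": {"10.1.2.10/24"}, "gateways": {"10.1.2.1"}},
}

APIPA = ipaddress.ip_network("169.254.0.0/16")  # APIPA is 169.254/16, not 169/8


def audit_adapter(name, cfg, approved):
    """Return (item, finding) pairs for one adapter; an empty list means clean."""
    findings = []
    ifaces = [ipaddress.ip_interface(a) for a in cfg["addresses"]]
    if cfg["dhcp_enabled"]:
        findings.append((name, "DHCP enabled on an adapter that policy says is static"))
    if not ifaces:
        return findings
    primary = ifaces[0]  # first configured address is treated as the primary
    for iface in ifaces:
        addr = str(iface)
        if iface.ip in APIPA:
            findings.append((addr, "APIPA address: DHCP was tried and no server answered"))
        if addr not in approved.get("addresses", set()):
            findings.append((addr, "address not in the approved static allocation"))
        if iface is not primary and iface.network != primary.network:
            findings.append((addr, f"secondary address outside primary subnet {primary.network}"))
    for gw in cfg["gateways"]:
        if gw not in approved.get("gateways", set()):
            findings.append((gw, "gateway not in the approved list"))
        if not any(ipaddress.ip_address(gw) in i.network for i in ifaces):
            findings.append((gw, "gateway not on any configured subnet"))
    return findings


def audit(snapshot, approved):
    """Audit every adapter in the snapshot against the allow-list."""
    return {n: audit_adapter(n, c, approved.get(n, {})) for n, c in snapshot.items()}
```

Run against the constructed snapshot it flags the rogue 192.168.50.x address and gateway and the APIPA address, while the approved 10.1.2.10/24 produces no finding.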