Thursday, December 20, 2007


The other day a user came to me and said she had an IP Address conflict warning on her computer. That is really weird since I hadn’t cleared the DHCP server cache lately so there should be no conflicts on my network at all. I went over and sure enough she had reported the error correctly. I did a quick ipconfig release and renew and watched what happened next. Within a minute she received the error again. Hmmmm, I thought, something is going on here.

I set the user to use a manually configured IP in a space I knew was free on my network and went to work sleuthing.

We had recently installed a device we are testing called the Cymphonix network composer. It’s basically a really fancy proxy server that sits in line between your LAN and your firewall. It sniffs all the traffic on the switch and builds a database of devices that allow the administrator to create rules for Internet access for different users and systems.

This was a good time to see what it had learned over the last few days. Armed with the MAC address from the event log on the users system I looked for any reference to this device in my composer database. *ping sound* There it was, and even more interesting it had a service port open. Port 21, that is FTP. Nice.

I opened an FTP client to the port and got a login prompt. I tried several of the more common username and passwords and got nowhere. Hmmmm, I thought, time to dig deeper. Examining the login prompt I noticed something that looked like a LinkSys product ID. A quick Google search revealed that this device was most likely a LinkSys wireless router. I peeked over on my Available Wireless networks and sure enough – there is a brand new Linksys wireless network visible. Unfortunately it was secured so I couldn’t log in to gain any more information.

Next step was to block it at the firewall. Using its MAC address I was able to block any and all packets to and from that device right at my border. That secured my network and would cause trouble for anyone connecting to the device wirelessly – at least as far as accessing the rest of the world.

Step the third, try and find the beast. I got on the switches and started looking in the tables there for a MAC address and a port number combination. I soon learned that the MAC address was coming from one of the ports on the second floor. We had recently sub-let almost the entire second floor to others but I had been lazy and not disconnected all the patch cords from the second floor hub. Grabbing the key I trundled downstairs to the switch closet and removed and coiled all the cords between my switch and offices I was no longer responsible for.

Back upstairs in my office I checked again for the offending FTP server… it was no longer on the network. YAY! I reset the user and all was good.

Lesson to learn here though is remove the physical access from unneeded ports. If this device had been configured properly so that it didn’t conflict with one of my users it would have taken ages for me to notice its presence, allowing whoever set it up to use our internet connection at will.

I’m not sure if it’s a rogue device or a rouge device because I’m not as smart as Roy (Ugh, which is a reference to one of the Order of the Stick (which I have written about before) comics but it's a print only one so I can't link to it but here is a link to todays comic), but I promise that if I ever find it I’ll put some red on its cheeks so that it’s both.

No comments:

Site Meter