
Can malware change IP address on Windows XP machine

Author
17 Nov 2006 7:12 PM
laxman
I have a network of seven Windows XP machines that all belong to the same
workgroup.  As such, their IP addresses are in the same range (i.e. 168.0.0.1
through 168.0.0.254).  Several machines started dropping off the network
after an unauthorised user was allowed by one of the authorised users to use
her computer.

When I check the IP addresses of the machines that can no longer access the
network, they have been changed to be in the 168.0.1.1 through 168.0.1.254
range.  Obviously, they will not talk to the other machines on the network.

Even though the unauthorised user was only on one machine in the network,
could they have executed any malware on the network that would cause the IP
addresses of other machines on the network to change?  If so, how can I stop
this from happening in the future?

Thanks!

Author
17 Nov 2006 7:35 PM
Steve Winograd [MVP]
In article <D0DF3272-AFDF-4EA1-84ED-67049265C***@microsoft.com>,
laxman <lax***@discussions.microsoft.com> wrote:
>I have a network of seven Windows XP machines that all belong to the same
>workgroup.  As such, their IP addresses are in the same range (i.e. 168.0.0.1
>through 168.0.0.254).  Several machines started dropping off the network
>after an unauthorised user was allowed by one of the authorised users to use
>her computer.
>
>When I check the IP addresses of the machines that can no longer access the
>network, they have been changed to be in the 168.0.1.1 through 168.0.1.254
>range.  Obviously, they will not talk to the other machines on the network.
>
>Even though the unauthorised user was only on one machine in the network,
>could they have executed any malware on the network that would cause the IP
>addresses of other machines on the network to change?  If so, how can I stop
>this from happening in the future?
>
>Thanks!

The IP addresses that you listed aren't valid for use on a local area
network, and using them could block access to some Internet sites.
Instead of starting with 168.0, they should start with 192.168.

I suspect that there's an unauthorized DHCP server running on the
network.  Some computers are getting their IP addresses from it, and
some are getting their IP addresses from the original, authorized DHCP
server.  See if someone has connected an unauthorized broadband router
to the network.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see.  I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
Author
20 Nov 2006 4:06 PM
laxman
Thank you for your help.  I actually quoted the wrong IPs.  They are in the
192.168.0 range.  However, several of them are in the 192.168.1 range.  I
have a router on the network and a wireless router on the network.  Could
both be acting as DHCP servers?  If so, how would I check?

Thank you!

Author
20 Nov 2006 5:20 PM
Malke
laxman wrote:

> Thank you for your help.  I actually quoted the wrong IPs.  They are in the
> 192.168.0 range.  However, several of them are in the 192.168.1 range.  I
> have a router on the network and a wireless router on the network.  Could
> both be acting as DHCP servers?  If so, how would I check?

Yes, and that's probably what's causing the issue. You will need to
disable DHCP on one of the devices. Go into either one's configuration
to do this. Most routers are accessed by typing their IP address into a
browser's address bar from a computer that is wired into one of the
router's LAN ports. Refer to the router manual for details. If you no
longer have the manual, go to the router manufacturer's website and read
the manual there.

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
Author
20 Nov 2006 5:48 PM
Chuck
On Mon, 20 Nov 2006 08:06:01 -0800, laxman <lax***@discussions.microsoft.com>
wrote:

>Thank you for your help.  I actually quoted the wrong IPs.  They are in the
>192.168.0 range.  However, several of them are in the 192.168.1 range.  I
>have a router on the network and a wireless router on the network.  Could
>both be acting as DHCP servers?  If so, how would I check?

Run "ipconfig /all" on each computer, and compare the output.
<http://nitecruzr.blogspot.com/2005/05/reading-ipconfig-and-diagnosing.html>

--
Cheers,
Chuck, MS-MVP [Windows - Networking]
http://nitecruzr.blogspot.com/
Paranoia is not a problem, when it's a normal response from experience.
My        email         is          AT         DOT
   actual       address    pchuck       mvps        org.
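
Added example (not part of the original thread or any poster's code): a Python script for the comparison suggested above, grouping saved `ipconfig /all` output by its `DHCP Server` field so that a second server handing out leases stands out. The sample text is constructed, and the helper names and the one-adapter-per-PC simplification are assumptions of this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed "ipconfig /all" excerpts (Windows XP field names), one per PC.
def sample(name, dhcp, ip, server=None):
    text = (f"Host Name . . . . . . . . . . . . : {name}\n"
            "Ethernet adapter Local Area Connection:\n"
            f"    Dhcp Enabled. . . . . . . . . . . : {dhcp}\n"
            f"    IP Address. . . . . . . . . . . . : {ip}\n"
            "    Subnet Mask . . . . . . . . . . . : 255.255.255.0\n")
    return text + (f"    DHCP Server . . . . . . . . . . . : {server}\n" if server else "")

SAMPLES = {
    "PC1": sample("PC1", "Yes", "192.168.0.12", "192.168.0.1"),
    "PC2": sample("PC2", "Yes", "192.168.0.13", "192.168.0.1"),
    "PC3": sample("PC3", "Yes", "192.168.1.101", "192.168.1.1"),
    "PC4": sample("PC4", "No", "192.168.0.50"),  # static address, no lease
}

# "Label . . . . : value" -> (label, value); header lines with no value are skipped.
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ]*?)[ .]*:\s*(\S.*?)\s*$")

def parse_ipconfig(text):
    """Return {lowercased label: value}, keeping the first occurrence of each label."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields.setdefault(m.group(1).lower(), m.group(2))
    return fields

def leases_by_server(outputs):
    """Map each DHCP server address to the (host, subnet) pairs it leased to."""
    servers = defaultdict(list)
    for host, text in outputs.items():
        f = parse_ipconfig(text)
        # Later Windows versions label the field "IPv4 Address ... (Preferred)".
        addr = (f.get("ip address") or f.get("ipv4 address", "")).split("(")[0]
        if f.get("dhcp enabled", "").lower() != "yes" or "dhcp server" not in f:
            continue  # static or unleased adapter: nothing to attribute
        if not addr or "subnet mask" not in f:
            continue
        net = ipaddress.ip_interface(f"{addr}/{f['subnet mask']}").network
        servers[f["dhcp server"]].append((host, str(net)))
    return dict(servers)

if __name__ == "__main__":
    found = leases_by_server(SAMPLES)
    for server, clients in sorted(found.items()):
        print(server, "->", clients)
    if len(found) > 1:
        print("More than one DHCP server is answering on this LAN.")
```

Any server address in the result that is not the intended router identifies the device whose DHCP service needs to be switched off.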
Author
20 Nov 2006 6:37 PM
Steve Winograd [MVP]
In article <AE63DFA7-D4B4-41F1-9091-8EE72D21C***@microsoft.com>,
laxman <lax***@discussions.microsoft.com> wrote:
>Thank you for your help.  I actually quoted the wrong IPs.  They are in the
>192.168.0 range.  However, several of them are in the 192.168.1 range.  I
>have a router on the network and a wireless router on the network.  Could
>both be acting as DHCP servers?  If so, how would I check?
>
>Thank you!

You're welcome!

Both routers are acting as DHCP servers, so the computers are getting
addresses in two different, incompatible IP address ranges.

Do you need both routers?  If possible, remove the first router and
use only the wireless router.

That might not be possible.  For example, the wireless router might
not have enough Ethernet ports, by itself, for all of the computers
that need wired connections.  In that case, configure the wireless
router as a wireless access point and network switch, disabling its
routing capability:

1. Disable the wireless router's built-in DHCP server.

2. Change its LAN IP address to a value in the 192.168.0.x range, but
outside the pool of addresses assigned by the first router's DHCP
server.  For example, if the first router assigns
192.168.0.2-192.168.0.100, use 192.168.0.254.

3. Connect the first router to a LAN port on the wireless router.
Don't connect anything to the WAN (Internet) port on the wireless
router.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see.  I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com