Date: Wed, 4 Jul 2001 18:22:22 +0200
Subject: the DHCP disruption !
From: Cyrille Chepelov <chepelov@calixo.net>
This happened during the LSM/RMLL event, in Bordeaux, France; at about 17:00 (UTC+2), on July fourth, an unplanned backup DHCP server went online and began serving, well, data which wasn't that related to the primary DHCP server's.
So, at first, when it was clear something wrong was happening, people handled it the gentle way, and went asking for people with a DHCP server. No-one who actually checked found a server on his machine... One guesstimate was floated: maybe it was a Mandrake l^Huser?
So, the hunt intensified; several people were using the usual tools (telnet on port 79 (finger), nmap, flood pings on the suspect's IP address to find his machine by the "methodical unplug" method). To no avail.
Finally, an nmap on the suspect machine turned up that a few servers were running: a CUPS server, a kdm, and sunrpc. Still, no DHCP server, at least according to nmap. So, one of the laptops was enslaved to that machine's KDM server, to find more clues. It turned out there were two visible logins on that machine: "guest", and "toto" [I've censored his actual login name, I don't really want him to be fired! So, let's call him toto]. Expert witnesses could sense a Mandrake signature, given the way it was configured and the servers it was running.
So, "toto" was called, and his laptop's logs inspected. Not only was the dhcpd server found running, but its log proved that it had served rubbish configuration data to several machines... Guess what: the laptop's owner was not only a Mandrake user, but also a Mandrake employee!
-- Cyrille
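The part of the story that stings for a defender is that nmap never showed the rogue server: a DHCP server answers on UDP port 67 and only to DHCP traffic, so a default TCP port scan walks right past it. The reliable way to spot a rogue server is to look at the DHCPOFFER/DHCPACK messages themselves and check the "server identifier" option (54) against the list of servers that are supposed to exist on the network. The following is an added example, not code from the original mail: it parses the option section of DHCP replies (RFC 2131/2132 layout: 236-byte BOOTP header, magic cookie, then type-length-value options) and flags offers from unexpected servers. The IP addresses, the `build_offer` helper and the allowlist are constructed for the example; on a real network the bytes would come from a capture or a socket bound to UDP port 68.

```python
import struct

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the options area
OPT_PAD, OPT_ROUTER, OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END = 0, 3, 53, 54, 255
MSG_DISCOVER, MSG_OFFER, MSG_ACK = 1, 2, 5


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: raw_value} from a DHCP payload, or raise on malformed input."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP message (bad length or magic cookie)")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2 : i + 2 + length]
        if len(value) != length:     # option claims more bytes than are present
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw[:4])


def classify_offer(payload: bytes, allowed_servers: set):
    """Classify one DHCP reply.

    Returns None for messages that are not OFFER/ACK (nothing to judge),
    otherwise (verdict, details) where verdict is "authorized" or "ROGUE".
    """
    opts = parse_dhcp_options(payload)
    mtype = opts.get(OPT_MESSAGE_TYPE)
    if mtype is None or mtype[0] not in (MSG_OFFER, MSG_ACK):
        return None
    sid = opts.get(OPT_SERVER_ID)
    if sid is None or len(sid) != 4:
        return ("malformed", {"reason": "missing or bad server identifier"})
    server = _ip(sid)
    details = {
        "server": server,
        "yiaddr": _ip(payload[16:20]),                    # address being handed out
        "router": _ip(opts[OPT_ROUTER]) if OPT_ROUTER in opts else None,
    }
    verdict = "authorized" if server in allowed_servers else "ROGUE"
    return verdict, details


def audit_offers(payloads, allowed_servers: set):
    """Run classify_offer over captured replies, keeping only verdicts worth reporting."""
    return [r for r in (classify_offer(p, allowed_servers) for p in payloads) if r]


def build_offer(server_ip: str, yiaddr: str, router_ip: str, msg_type: int = MSG_OFFER) -> bytes:
    """Construct a minimal DHCP reply; sample data for this example, not a real capture."""
    header = bytearray(236)
    header[0], header[1], header[2] = 2, 1, 6            # op=BOOTREPLY, htype=Ethernet, hlen=6
    header[16:20] = bytes(int(x) for x in yiaddr.split("."))
    opts = bytes([OPT_MESSAGE_TYPE, 1, msg_type])
    opts += bytes([OPT_SERVER_ID, 4]) + bytes(int(x) for x in server_ip.split("."))
    opts += bytes([OPT_ROUTER, 4]) + bytes(int(x) for x in router_ip.split("."))
    opts += bytes([OPT_END])
    return bytes(header) + DHCP_MAGIC_COOKIE + opts


if __name__ == "__main__":
    # Constructed scenario: 10.0.0.1 is the real server, 10.0.0.77 is a stray laptop.
    authorized = {"10.0.0.1"}
    seen = [
        build_offer("10.0.0.1", "10.0.0.50", "10.0.0.1"),
        build_offer("10.0.0.77", "10.0.0.200", "10.0.0.77"),
        build_offer("10.0.0.1", "0.0.0.0", "10.0.0.1", msg_type=MSG_DISCOVER),  # ignored
    ]
    for verdict, info in audit_offers(seen, authorized):
        print(f"{verdict:10s} server={info['server']} offers {info['yiaddr']} via router {info['router']}")
```

The verdict is keyed on option 54 rather than on the IP source address because the server identifier is what clients use to pick a server, and it is what a second server on the same segment cannot avoid putting in its offers; the router option is reported alongside because a rogue server's most visible damage is usually the default gateway it hands out.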