Freaky peer-to-peer network problem

Gregg Hill

Hello!

I just inherited a three-workstation network (XP Pro) where they wanted
Internet access set up. Their ISP is AT&T and they gave them one DHCP IP
address (routable), so I installed a Netgear WGR614v8 (they wanted low-end)
router. I set the LAN subnet to 192.168.9.x to avoid conflict with anything
they may want to VPN into later.

So far, the subnet has changed in the router three times, all by itself, or
so it seems. The first time it did it, I thought the client had done it, and
he said that he had gotten into the router. So I reset everything and left
it, but it changed again about a week later. That time, I found that it had
UPnP turned on, and one of the workstations had the Internet Gateway service
(or something named similarly) and it appeared to be talking to the router's
UPnP to change the subnet. I removed that from the problem computer and
checked the other two systems, which did not have it. I turned off the UPnP
in the router.

Well, several days later, they called again, and this time the subnet had
changed to the 192.168.1.x network from my 192.168.9.x settings. So, I
rechecked all the systems and found one Dell with NWLink and SAP installed.
I removed all protocols from all computers except for TCP/IP, and I reset
the TCP/IP using "netsh int ip reset C:\reset.log" from a command prompt.

Two of the workstations are Dells with XP Pro SP2, and one is a Gateway with
pirated XP Pro and no SP. I have told them that they need to get it legal so
that I can install antivirus software. I used one of the other stations to
scan the pirated one and it found one virus-infected file, which it
quarantined.

Everything was fine for another week and a half, then today it reverted back
to the 10.0.0.x subnet.

I verified that UPnP is off in the router, and I checked for the previous
problems, but found nothing.

I cannot figure out what is causing the subnet to change!

I am going to replace the Netgear with another brand. No, I do not think the
router is the problem, but I am going to punt nonetheless.

Does anyone have any ideas? I Googled to see if I could find a virus that
could do what I see, but found nothing so far.

Thank you for your help!

Gregg Hill




--
----------------

DISCLAIMER WARNING: the information contained in any reply I make is merely
an OPINION, one that I hope you will consider when you make a choice as to
what you will do on your systems or network.

**No recommendation is to be implied by my OPINION.**

There, that should cover it!
 
Chuck [MVP]

Gregg,

When this changes, is it the router settings that are actually changing? Or
could you have a rogue DHCP server on the LAN? Did you run "ipconfig /all" from
the clients?

--
Cheers,
Chuck, MS-MVP 2005-2007 [Windows - Networking]
http://nitecruzr.blogspot.com/
Paranoia is not a problem, when it's a normal response from experience.
My email is AT DOT
actual address pchuck mvps org.
 
smlunatick

I would make sure the first thing is to change the router's
administrator password and check the wireless network security
password(s). It sounds like someone is "hacking" into the router and
changing the configuration.


The other thing is to check for any router firmware updates and see if
this can address the problem.
 
Gregg Hill

To answer both you and Chuck, yes, the router's LAN IP settings are changed
and yes, I ran an "ipconfig /all" to see from where they got their new IP
addresses, and it was from the router each time this has happened.

The only things on the network are the three XP Pro workstations and one
HP7310 AIO printer, and to my knowledge, the printer is only a DHCP client,
not a DHCP server, so there can be no other DHCP server on the LAN unless
there is something hiding on a workstation. Even though the DHCP listed is
the router, I checked all three workstations anyway for DHCP server software
and found nothing obvious.

The router's admin password was changed after the second mystery IP change
and I always install the latest firmware before setting up the router, so it
had the latest firmware. It then feeds the new IP addresses to the three
workstations. In my original post, I neglected to mention that the wireless
portion of the router is turned off.

I went there yesterday and replaced the Netgear router with a Linksys, and
then set all the workstations and the HP7310 network printer with static IP
addresses. We shall see what happens.

Gregg Hill
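
The "ipconfig /all" check discussed in the replies above, as an added example that is not part of the original thread: it parses XP-style output captured from each workstation and separates a lease handed out by a second DHCP server from a lease handed out by the gateway itself on an unexpected subnet. The router address 192.168.9.1, the host names and the sample captures are assumptions constructed for illustration.

```python
import ipaddress
import re
# Assumed for this example: the LAN the poster configured, router at .1.
EXPECTED_LAN = ipaddress.ip_network("192.168.9.0/24")
EXPECTED_ROUTER = "192.168.9.1"
FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?)(?:\s*\.)+\s*:\s*(.*)$")

def parse_adapters(text):
    """Return {adapter name: {field: value}} from XP-style `ipconfig /all` text."""
    adapters, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = adapters.setdefault(line.rstrip()[:-1], {})
        elif current is not None and (m := FIELD.match(line)):
            current.setdefault(m.group(1), m.group(2).strip())
    return adapters

def classify(fields):
    """Tell a second DHCP server apart from a gateway leasing on the wrong subnet."""
    if fields.get("Dhcp Enabled", "").lower() != "yes":
        return "static"
    ip, server = fields.get("IP Address"), fields.get("DHCP Server")
    if not (ip and server):
        return "no-lease"
    if ipaddress.ip_address(ip) in EXPECTED_LAN and server == EXPECTED_ROUTER:
        return "ok"
    if server != fields.get("Default Gateway"):
        return "lease-from-second-dhcp-server"
    return "lease-from-gateway-outside-expected-lan"

def audit(captures):
    """Map host -> verdict for the first adapter in each host's capture."""
    return {host: classify(next(iter(parse_adapters(text).values()), {}))
            for host, text in captures.items()}

def sample(ip, gateway, dhcp):
    # Constructed capture (not from the thread), trimmed to the fields used here.
    return ("Ethernet adapter Local Area Connection:\n\n"
            "        Dhcp Enabled. . . . . . . . . . . : Yes\n"
            f"        IP Address. . . . . . . . . . . . : {ip}\n"
            f"        Default Gateway . . . . . . . . . : {gateway}\n"
            f"        DHCP Server . . . . . . . . . . . : {dhcp}\n")

CAPTURES = {  # constructed host names and addresses
    "dell-1": sample("192.168.9.10", "192.168.9.1", "192.168.9.1"),
    "dell-2": sample("10.0.0.3", "10.0.0.1", "10.0.0.1"),
    "gateway-pc": sample("192.168.9.12", "192.168.9.1", "192.168.9.50"),
}
if __name__ == "__main__":
    print(audit(CAPTURES))
```

The last verdict is the situation reported in the thread, where the new addresses came from the router each time; the output alone cannot distinguish a reconfigured router from another device acting as both gateway and DHCP server.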






