Suspense: the mystery of a server address being unexpectedly taken over

Source: Internet
Author: User
In general, a server is given a fixed IP address so that it can always run stably and efficiently. Even if another computer on the LAN tries to use the same fixed address, the server's operation is not affected, because the allocation and use of IP addresses usually follows the principle of "first come, first served": once the server host has been assigned the fixed address, another user who configures that address cannot get online. However, while managing servers I happened to run into a case where the server host's address was unexpectedly taken over, which directly prevented the server from working normally. Why did this happen, and how can such a strange fault be solved?

Address theft caused by an unexpected power outage

My company has set up a web server on the LAN. Through it, employees can read major activity reports and task plans in a timely manner, and access is fast. Recently, for reasons that were not clear at first, employees reported after an unexpected power outage that the web server on the LAN could not be accessed normally. After receiving the call for help, I immediately went to the server and carefully checked its startup status. The server system had restarted successfully, but after logging on to the server desktop as a system administrator I saw an error prompt on screen saying that the host's address had been taken. I was very surprised by this prompt, because the IP address used by the web server is fixed and has been excluded from the dynamic address range on the DHCP server. Yet an unexpected power failure had resulted in the server's IP address being used by something else. Had someone taken a fancy to the web server's IP address?

To find out which computer on the LAN was using the web server's IP address, I picked a Windows XP computer on the LAN at random, opened the "Start" menu, clicked "Run", and entered "cmd" in the Run box to switch from the Windows interface to the DOS command line. At the command prompt I entered the command "nbtstat -A 192.168.1.143", where 192.168.1.143 is the fixed IP address the network administrator assigned to the web server host. After I pressed Enter, the command output showed the physical (MAC) address of the network card that had grabbed the web server's address. With this physical address, a tool such as a MAC address scanner can identify which computer on the LAN grabbed the address.

Here I used the LanHelper tool to scan the organization's entire LAN. The scan found the device with the matching physical address: it was not an ordinary computer but a shared HP 5000 printer. I quickly checked the device records kept by the organization's network administrator and learned that the IP address of the HP 5000 shared printer should be 192.168.1.144. How had it suddenly changed to 192.168.1.143? Had the shared printer secretly taken the web server's address during the unexpected power failure, or had an unauthorized user on the LAN secretly modified the IP address of the HP 5000 shared printer?

Address snatching

To solve the puzzle and find a fix, I decided to open the shared printer's properties window and check whether the IP address used by the HP 5000 shared printer really was 192.168.1.143. I clicked "Start" / "Settings" / "Printers and Faxes" to display the local printer list, right-clicked the icon of the target shared printer, and chose "Properties" from the shortcut menu to open its properties page. On the "Ports" tab, which lists the printer's connection ports, I selected the port used by the shared printer and clicked the "Configure Port" button to open the port settings window (Figure 1). There I could clearly see that the IP address used by the shared printer was 192.168.1.143, which confirmed that the web server's IP address had been "snatched" by the shared printer.

In principle, however capable the shared printer is, a power outage alone should not let it directly "snatch" a fixed IP address that the web server host has been using for a long time. Even if the shared printer starts up before the web server host when power is restored, the server's address should not be illegally occupied. The most common fault in that situation is that the web server host cannot be found on the LAN because its IP address has been lost, that is, the server's network configuration was not saved because of the sudden power failure.

Therefore, I guessed that the target web server on the LAN was probably a "dummy". From a technical point of view, a network administrator can assign IP addresses to important network devices on the LAN in two ways: manually assign a fixed IP address to the device, or set up a DHCP server on the LAN to assign dynamic IP addresses automatically. Although a DHCP server exists on the LAN, the network administrator had already excluded the fixed IP address used by the web server host from the DHCP server's address pool, which makes it all the more puzzling that the web server's IP address ended up in use by the shared printer.

Digging deeper to find the address-snatching culprit

The sudden failure of the web server was affecting employees' normal work. The organization's leadership asked me to get the server working first and find the specific cause afterwards. So I opened the properties window of the shared printer and forcibly set its IP address to "192.168.1.144", then opened the TCP/IP properties window of the web server, restored its IP address to the previously used "192.168.1.143", and restarted the web server system. The server immediately returned to normal.

Although the web server host was now working normally, I still had not found out why its IP address had been taken, so the next task was to find the real reason the shared printer's IP address had changed. Up to this point I had believed that the shared printer has no "skill" for seizing an IP address on its own; it is only a passive receiver, so some other device must have assigned the address to it. In other words: which network device was providing DHCP service?

The address pool of the LAN's DHCP server does not contain the "192.168.1.143" address used by the web server. Was there another device on the LAN providing DHCP service? Checking this is simple. I first temporarily disabled the DHCP server running on the LAN, then picked a Windows XP computer on the LAN at random and clicked "Start" / "Settings" / "Network Connections". In the network connections list I right-clicked the local connection icon and chose "Properties" from the shortcut menu, selected the "Internet Protocol (TCP/IP)" item, and clicked the "Properties" button to open the TCP/IP properties window (Figure 2). There I selected the "Obtain an IP address automatically" option and clicked OK to save the settings. With the LAN's DHCP server disabled, a computer configured to obtain its address automatically should not be able to get online. Incredibly, however, the computer could still access the LAN normally, which meant there was another DHCP server on the LAN at that moment. Perhaps it was this concealed DHCP server that had secretly been allocating an address to the shared printer.

To find out which network device had DHCP service enabled, I clicked "Start" / "Run" on that computer, entered "cmd" in the Run box, pressed Enter to switch to the DOS command-line window, and ran the command "ipconfig /all" at the prompt. The output showed that another network device, with the IP address 192.168.1.16, was providing DHCP service to the LAN. It seemed that this device, which had DHCP service quietly enabled, was the real culprit behind the server's IP address being illegally used. I quickly checked the network address allocation records and saw that the device with the IP address "192.168.1.16" was a shared print server on the LAN.

After locating the shared print server and opening its properties dialog box, I carefully checked its settings. On the "DHCP cfg" settings page I could see that the shared print server supports DHCP service and that this function is enabled by default. It seemed that the sudden occupation of the web server's IP address was the work of this shared print server. Having found the specific cause, I changed the DHCP function on the "DHCP cfg" page from its default to "Disable" and clicked "OK" to save the settings. Sure enough, the ordinary computer used for testing could no longer access the LAN, which showed that the DHCP function built into the shared print server had previously been providing address allocation to ordinary computers on the LAN.
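A defender-side check for the fault diagnosed above, added here as an example and not part of the original article: it parses DHCP reply payloads and flags replies that come from a server outside an allow list or that hand out an address reserved for static use. The addresses 192.168.1.16 and 192.168.1.143 are from the article; the authorized server 192.168.1.1, the MAC address and the sample packets are constructed assumptions.

```python
import ipaddress

MAGIC_COOKIE = bytes([0x63, 0x82, 0x53, 0x63])
AUTHORIZED_SERVERS = {"192.168.1.1"}   # assumption: the sanctioned DHCP server
RESERVED_STATIC = {"192.168.1.143"}    # the web server's fixed address (from the article)

def parse_dhcp_reply(payload: bytes) -> dict:
    """Extract message type, offered address, client MAC and server ID."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    hlen = min(payload[2], 16)
    options, i = {}, 240
    while i < len(payload) and payload[i] != 255:    # 255 = end option
        if payload[i] == 0:                          # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    if len(options.get(53, b"")) != 1 or len(options.get(54, b"")) != 4:
        raise ValueError("missing message type or server identifier")
    return {
        "type": options[53][0],                                  # 2 = OFFER, 5 = ACK
        "offered": str(ipaddress.IPv4Address(payload[16:20])),   # yiaddr field
        "client_mac": payload[28:28 + hlen].hex(":"),            # chaddr field
        "server": str(ipaddress.IPv4Address(options[54])),       # option 54
    }

def audit_reply(payload: bytes) -> list:
    """Return findings for one DHCP reply; an empty list means nothing to report."""
    r, findings = parse_dhcp_reply(payload), []
    if r["type"] not in (2, 5):          # only OFFER and ACK hand out addresses
        return findings
    if r["server"] not in AUTHORIZED_SERVERS:
        findings.append(f"unauthorized DHCP server {r['server']}")
    if r["offered"] in RESERVED_STATIC:
        findings.append(f"reserved address {r['offered']} leased to {r['client_mac']}")
    return findings

def build_reply(server: str, offered: str, mac: str, msg_type: int = 2) -> bytes:
    """Construct a minimal sample reply (test data, not a real capture)."""
    ip = lambda s: ipaddress.IPv4Address(s).packed
    header = bytes([2, 1, 6, 0]) + bytes(12) + ip(offered) + bytes(8)
    header += bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0") + bytes(192)
    return header + MAGIC_COOKIE + bytes([53, 1, msg_type, 54, 4]) + ip(server) + b"\xff"
```

On a live network the payloads would be the UDP bodies of traffic sent to port 68, taken from a packet capture on the affected segment.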

Conclusion

Reviewing the troubleshooting process, I believe this is what happened. When the sudden power failure hit the LAN, the IP address configured on the HP 5000 shared printer may have been lost. When power was restored, the shared printer, whose power had not been switched off, started up first and immediately sent an address request to the LAN. At that time the LAN's DHCP server had not yet started, so the DHCP function in the shared printer came into play and quietly assigned a dynamic IP address to the HP 5000 shared printer, and the allocated address happened to be the "192.168.1.143" address used by the web server host. When the web server system then finished restarting, it hit the fault of its address being illegally occupied, and naturally could not work normally.
