Rogue DHCP Server

I finally found a resolution to a rogue DHCP server on a customer’s network. Randomly starting after an SBS migration the customer would start having network problems. I quickly found that another DHCP server was giving out 192.168.2.0/24   IP addresses with itself as the Gateway. The proper network is a 192.168.1.0/24 with a SonicWall as the gateway. This of course caused the kind and generous Microsoft DHCP server to turn itself off and let the Rogue DHCP server proceed to making a big mess out of the network. Previously I had tried to find the device by using it's IP in a webpage or by telneting to it to get an Idea what it might me. The webpage it gave was a blank page with the words "It Works!" and that was it, it would not answer telnet. My previous efforts to find it involved unplugging computers and devices as close to individually as possible with their network wiring, restarting the SBS DHCP Server and seeing if it stayed running. I narrowed it down to one switch and then it would disappear and not start up again. This happened a couple of weeks in a row.  I gave the customer all of the things to check and he thought he found it about a week later because he disconnected a cable and has been working fine ever since.

 

                Till Yesterday, they started having more and more network problems. So today I left the SBS DHCP server alone after verifying that it was shut off, I pulled an IP from the Rogue device and again tried the webpage and telnet. I Got the same results. This time I decided to use Ping -t to continuously ping the device as I disconnected cables one at a time. I found one cable that when I disconnected it the ping would time out, reconnect and it would again reply. So I left it disconnected, within a minute or two the local know-it-all Mac Graphics guy says he can't connect to anything. So I hooked the cable back up and he was in business so we went to his workstation where they have a hub connecting 3 Macs to the network we unhook his cable and the pings timeout. I tell him he has a DHCP server running on his Mac, he claims up and down he doesn't have anything running. So I ask him how to check services running on a Mac, he doesn't know but finds out how. I go to a windows machine and Google DHCP on a Mac. I go back to him and he has something up showing the services that are running, one is BootP I tell him that is his DHCP server and ask him to check internet sharing. So it turns out mister know-it-all Mac operator had turned on Internet sharing which turns on a DHCP server on a Mac. Hope this helps someone if they are in a mixed environment and the Webpage for the Rogue DHCP Server has nothing on it but "It Works!"