how do I find "Changed IP" on Servers ?

  • Question

  • Hello,

    Here is the scenario: on a couple of our customer servers someone changed the IPs (static IPs, obviously).

    Now, to investigate this issue, we would like to identify who changed the IPs and what IPs were assigned to these servers initially. We have a large infrastructure, so it's difficult for us to point in one direction. We even tried to verify the IP details through the asset inventory, but as those were very old servers, I couldn't fetch any useful information out of it. The customer always used to access these servers through hostnames, so they didn't immediately realize that the IPs had been changed! We came to know about it when the customer reported this to us. Unfortunately the customer doesn't know the old IPs either.

    My question here is: is there a way to identify the old IPs allocated on those servers, like through event IDs or by any other means?

    Thanks


    ~ Knowledge Seeker
    Friday, January 13, 2012 2:48 PM

Answers

  • Hi K Seeker,

    Thanks for posting here.

    For Windows 2008/08 R2 server, if the IP Helper service is started, changing the IP address will generate a log entry located in the System log.

    Example:

    Event ID 4200
    Source:  iphlpsvc
    General Properties:  Isatap interface isatap.{E44C1DBE-13B1-4EEE-88E5-402822E5EECF} with address fe80::5efe:192.168.0.1 has been brought up.

    This may help if we need to find the previous IP address of this server. For earlier OS versions, this service does not exist, so changing the IP address will not generate an event log entry. And I haven't found an easy way to check the old IP address.

    In addition, you may consider using Group Policy to restrict users from changing the IP address of this server.

    User Configuration\Administrative Templates\Network\Network Connections

    Settings:

    -Prohibit access to properties of components of a LAN connection

    -Prohibit TCP/IP advanced configuration

    -Prohibit access to properties of a LAN connection

    I would implement this as a domain user policy and configure it so that it would not apply to administrators. Hope it helps.

    Best Regards,

    Aiden

    • Marked as answer by Jayawardhane Thursday, January 19, 2012 4:47 AM
    Monday, January 16, 2012 8:56 AM
    Moderator
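The Event ID 4200 approach from the answer above, turned into a script. This is an added example and not part of the original thread: it pulls the iphlpsvc 4200 entries from the System log and recovers the IPv4 address embedded in each ISATAP address (the `::5efe:` suffix), giving a timeline of the addresses the host has held. It assumes the IP Helper service was running when the changes happened, that ISATAP was not disabled, and that the System log has not wrapped past the period of interest; the provider match on `iphlpsvc` and the message format follow the example in the answer.

```powershell
# Added example (not from the original thread): rebuild the host's IPv4 address
# history from IP Helper (iphlpsvc) Event ID 4200 entries in the System log.
# Each "Isatap interface ... with address fe80::5efe:<IPv4> has been brought up"
# message embeds the IPv4 address the ISATAP interface was bound to.
# Assumptions: IP Helper was running at the time, and the System log still
# holds events for the period you care about. Run from an elevated prompt.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # remote queries need Remote Event Log Management open on the target
    [int]$Days = 365
)

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'System'
        Id        = 4200
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'iphlpsvc' }

if (-not $events) {
    Write-Warning "No iphlpsvc 4200 events on $ComputerName in the last $Days days."
    Write-Warning "Check that the IP Helper service is running: Get-Service iphlpsvc"
    return
}

# ISATAP link-local address: fe80::5efe:a.b.c.d (Windows writes the embedded IPv4 in dotted form)
$addrPattern = '5efe:(?<ip>\d{1,3}(?:\.\d{1,3}){3})'
$ifPattern   = 'isatap\.(?<guid>\{[0-9A-Fa-f-]+\})'

$history = foreach ($e in $events) {
    if ($e.Message -match $addrPattern) {
        $ip   = $Matches['ip']
        $guid = ''
        if ($e.Message -match $ifPattern) { $guid = $Matches['guid'] }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            IPv4        = $ip
            Interface   = $guid
        }
    }
}

# Full timeline, oldest first: a change of IPv4 between consecutive rows is a re-addressing event
$history | Sort-Object TimeCreated | Format-Table TimeCreated, IPv4, Interface -AutoSize

# Per-address summary: when each address first and last appeared
$history | Group-Object IPv4 | ForEach-Object {
    $times = @($_.Group | Sort-Object TimeCreated | ForEach-Object { $_.TimeCreated })
    [pscustomobject]@{
        IPv4      = $_.Name
        FirstSeen = $times[0]
        LastSeen  = $times[-1]
        Events    = $_.Count
    }
} | Sort-Object FirstSeen | Format-Table -AutoSize
```

The 4200 event fires when the ISATAP interface comes up, not strictly when the address is edited, so treat the first row with a new IPv4 as the earliest evidence of the change rather than its exact moment; an empty result usually means the service was stopped or the log has rolled over.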
  • Here is the scenario, on our couple of customer servers someone
    changed the IPs (static IPs, obviously).

    To change the IP you must have admin credentials, so, given that you
    enabled logon/logoff event logging, you should be able to check who
    logged onto the box(es) and from which IPs, and find who changed the IP
    address for the servers.

    • Marked as answer by Jayawardhane Thursday, January 19, 2012 4:47 AM
    Wednesday, January 18, 2012 2:18 PM
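A way to act on the suggestion above, added here as an example that is not part of the original thread: it lists console (logon type 2) and RDP (logon type 10) logons from the Security log for a time window, so the accounts that could have changed the static IP can be lined up against the period in which the change appeared. It assumes "Audit logon events" (Success) was enabled, so that Windows Server 2008/2008 R2 recorded Event ID 4624 entries, and that the Security log still covers the window.

```powershell
# Added example (not from the original thread): list console (type 2) and RDP
# (type 10) logons from the Security log, so the people who could have changed
# the static IP can be matched to a time window. Needs "Audit logon events"
# (Success) enabled; Server 2008/2008 R2 record these as Event ID 4624.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [datetime]$Start = (Get-Date).AddDays(-30),
    [datetime]$End   = (Get-Date)
)

# Event log XPath wants UTC timestamps in this exact shape
$fmt   = 'yyyy-MM-dd\THH:mm:ss.000\Z'
$xpath = "*[System[EventID=4624 and " +
         "TimeCreated[@SystemTime>='$($Start.ToUniversalTime().ToString($fmt))' and " +
                     "@SystemTime<='$($End.ToUniversalTime().ToString($fmt))']] and " +
         "EventData[Data[@Name='LogonType']='2' or Data[@Name='LogonType']='10']]"

$logons = Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue

if (-not $logons) {
    Write-Warning "No console/RDP 4624 events on $ComputerName between $Start and $End."
    Write-Warning "Confirm auditing is on: auditpol /get /subcategory:Logon"
    return
}

$rows = foreach ($e in $logons) {
    # Pull the named EventData fields out of the event XML
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Skip machine accounts (trailing $) and the local system; we want humans
    if ($data['TargetUserName'] -like '*$' -or $data['TargetUserName'] -eq 'SYSTEM') { continue }

    $type = $data['LogonType']
    if ($type -eq '2')  { $type = 'Console' }
    if ($type -eq '10') { $type = 'RDP' }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType   = $type
        SourceIP    = $data['IpAddress']        # '-' or '::1' for local console logons
        Workstation = $data['WorkstationName']
        LogonId     = $data['TargetLogonId']    # correlate with 4634/4647 logoff events for session length
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize
```

Narrow `$Start`/`$End` to the window between the last time the old address was known to work and the customer's report; the `LogonId` column lets you pair each logon with its 4634/4647 logoff to see who was actually on the box when the address changed.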

All replies

  • Check the DNS server; sometimes, if it's not scavenged, the old IP address should still be there pointing to your server.
    http://www.virmansec.com/blogs/skhairuddin
    Friday, January 13, 2012 4:06 PM
  • I verified Host entries on our DNS server, unfortunately new IPs are updated in the records.
    ~ Knowledge Seeker
    Friday, January 13, 2012 4:19 PM
  • Aiden, ObiWan- Thanks. Both of your suggestions were helpful !

    I also figured out another way of identifying the changed IP. I verified the old ACLs on the configured firewall, which had the server's hostname associated with them.

    Thanks


    ~ Knowledge Seeker
    Thursday, January 19, 2012 4:49 AM
  • Aiden, ObiWan- Thanks. Both of your suggestions were helpful !

    I also figured out another way of identifying the changed IP. I verified the old ACLs on the configured firewall, which had the server's hostname associated with them.


    You're welcome, and happy to know you solved the puzzle; also, since we're at it, I think you may consider setting up a trigger (e.g. using the Task Scheduler) so that whenever particular events are logged (e.g. an admin logon or so) you can fire up a task and, for example, run a script to generate a log or send an email (or both) ... and so on; this will allow you to monitor the box and quickly solve any similar issue in the future.
    Thursday, January 19, 2012 10:47 AM
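The event-triggered task suggested in the reply above, written out as an added example that is not part of the original thread. It registers a Task Scheduler task that fires on every RDP logon (Security 4624 with LogonType 10), records who logged on together with the IPv4 addresses the server holds at that moment, and emails the line; the resulting log is the before/after baseline that was missing in the original incident. The script directory, recipient address and SMTP host are placeholders, and `schtasks.exe /SC ONEVENT` is used because `Register-ScheduledTask` is not available on Windows Server 2008/2008 R2.

```powershell
# Added example (not from the original thread): register a Task Scheduler task that
# fires on every RDP logon (Security 4624, LogonType 10), logs who logged on and what
# IPv4 addresses the server currently holds, and emails it. The log gives you a
# before/after baseline the next time an address changes.
# Assumptions: the script directory, recipient and SMTP host below are placeholders.
$ScriptDir  = 'C:\Scripts'
$ActionFile = Join-Path $ScriptDir 'Record-AdminLogon.ps1'
$TaskName   = 'Record-AdminLogon'

New-Item -ItemType Directory -Path $ScriptDir -Force | Out-Null

# The action the task runs. Written as a here-string so this installer is self-contained.
@'
$LogFile = 'C:\Scripts\AdminLogon.log'

# Current IPv4 addresses on enabled adapters (WMI works on Server 2008, where Get-NetIPAddress does not exist)
$ipv4 = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
        ForEach-Object { $_.IPAddress } |
        Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' }

# The logon that triggered us: the most recent RDP 4624 (Get-WinEvent returns newest first)
$evt = Get-WinEvent -LogName Security -MaxEvents 1 -FilterXPath `
       "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='10']]"
$xml = [xml]$evt.ToXml()
$d = @{}
foreach ($x in $xml.Event.EventData.Data) { $d[$x.Name] = $x.'#text' }

$line = '{0} RDP logon {1}\{2} from {3}; server IPv4 now: {4}' -f `
        (Get-Date -Format s), $d['TargetDomainName'], $d['TargetUserName'], $d['IpAddress'], ($ipv4 -join ', ')
Add-Content -Path $LogFile -Value $line

# Placeholder addresses: replace with your own
Send-MailMessage -To 'secops@example.com' -From "$env:COMPUTERNAME@example.com" `
    -Subject "RDP logon on $env:COMPUTERNAME" -Body $line -SmtpServer 'smtp.example.com'
'@ | Set-Content -Path $ActionFile -Encoding ASCII

# Event-triggered task: /SC ONEVENT with an XPath query over the Security channel.
# Runs as SYSTEM so it can read the Security log without a user session.
# The script path contains no spaces, so the /TR string needs no inner quoting.
$query  = "*[System[(EventID=4624)] and EventData[Data[@Name='LogonType']='10']]"
$action = "powershell.exe -NoProfile -ExecutionPolicy Bypass -File $ActionFile"

schtasks.exe /Create /F /TN $TaskName /SC ONEVENT /EC Security /MO $query `
    /TR $action /RU SYSTEM /RL HIGHEST
```

Every RDP logon, not only administrative ones, will fire this; if you want only admins, restrict who can log on over RDP or filter on group membership inside the action script. Protect `C:\Scripts` with an ACL that ordinary users cannot write to, since the task runs its contents as SYSTEM.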