DHCPD logs show PC's requesting IP addresses from router when they are turned off. Are our log files incorrect?

security networking dhcp logfiles

We have a small office and on checking the router logs I noticed that a number of computers have requested IP address from the office router outside of business hours.

This is the log file output:

188 2016-11-18 06:50:58 DHCPD   Notice  Send ACK to 192.168.1.101
189 2016-11-18 06:50:58 DHCPD   Notice  Recv REQUEST from F8:0F:41:D0:4C:FB
190 2016-11-18 06:50:58 DHCPD   Notice  Send OFFER with ip 192.168.1.101
191 2016-11-18 06:50:58 DHCPD   Notice  Recv DISCOVER from F8:0F:41:D0:4C:FB
192 2016-11-18 06:41:40 DHCPD   Notice  Send ACK to 192.168.1.131
193 2016-11-18 06:41:40 DHCPD   Notice  Recv REQUEST from 64:EB:8C:53:D8:6E
194 2016-11-18 04:45:00 DHCPD   Notice  Send ACK to 192.168.1.143
195 2016-11-18 04:45:00 DHCPD   Notice  Recv REQUEST from 98:EE:CB:03:B8:69
196 2016-11-18 03:58:28 DHCPD   Notice  Send ACK to 192.168.1.143
197 2016-11-18 03:58:28 DHCPD   Notice  Recv REQUEST from 98:EE:CB:03:B8:69
198 2016-11-18 03:40:30 DHCPD   Notice  Send ACK to 192.168.1.111
199 2016-11-18 03:40:29 DHCPD   Notice  Recv REQUEST from F8:0F:41:D0:4D:6E
200 2016-11-18 02:33:52 DHCPD   Notice  Send ACK to 192.168.1.127
201 2016-11-18 02:33:52 DHCPD   Notice  Recv REQUEST from FC:3F:DB:21:34:E2

The employees turn off their computers when finished work. I have confirmed that all but two of the logged MAC addresses belong to computers in our office.

We recently had a security breach. We reset the router, all the admin passwords and the WiFi passwords.

Is it possible that these computers could be turning themselves on outside of business hours and making themselves accessible to people outside of our network?


Ask for the first question asked:

Is it possible that these computers could be turning themselves` …

Yes, computers can turn themselves on and have had this capability for ages. For IBM compatible PCs this is normal since they got ATX PSU's. (About since 1995). If you go to the motherboards firmware (aka BIOS or UEFI) you often have an option configure this. Quite useful if you have an old PC and want it to power up and boot before you get to the office.

The second part of your question

… and making themselves accessible to people outside of our network?

is independent from the first part. If that happens when the computers power on (regardless of whether they powered on by itself or by you pressing the power button) then you have a problem. If that is the case then the security breach has not been fixed yet.

Lastly, if you got the MAC address then you can look to the first three bytes. They will tell you which manufacturers made the network card that is requesting the IP. This can help to identify the source (e.g. only DHCP reqs from printers, or from mobile (personal?) phones…

I looked up the addresses in your post:

MAC addresses starting with F8:0F:41 or with 98:EE:CB belong to Wistron InfoComm. According to Wikipedia this firm makes tablets, mobile phones and other devices running the Chrome OS.

MAC addresses starting with 64:EB:8C belong to Seiko Epson Corporation. Those might be printers (then again, printers probably have their own IP range in an office, though possibly with a reserved MAC → IP on the DHCP server).

MAC addresses starting with 4C:A1:61 belong to Rain Bird Corporation. Every search I did on that name resulted in a sprinkler firm.

Finally:

Are our logfiles incorrect?

I doubt that. Somethings seem to be requesting IP information. This is being logged. No fault in the logging. The bigger problem is why are they doing that out of office hours? Is there a lawn sprinkler system which is powered on all day (and which is probably supposed to be on 24/7)? Are there printers which are not powered off but instead go to sleep mode? Are there laptops or PCs which do not get properly turned off but which instead go to a low power (sleep?) mode, detect low battery and power up in order to go to a deep sleep mode?

Basically, find out which device (should be easy, you got MACs and IPs, so you can either use documentation to look up which PCs it is, or use the router to find out which device it is). Then research further from that last devices. (In the case of a windows computer try powercfg lastwake).

Related

Syncing between C drive and phone with robocopy
FarManager 3: export settings AND history
7zip - does it have a case sensitive option?
How can I get Explorer to show thumbnails of GIMP xcf files?
Apache multiple ProxyPass entries in one VirtualHost
Need to disable/enable WiFi adaptor on every startup to make it work
Chrome autofill: first & last name?
Combine all the lines of a text file into a single line via the Windows Command line
Does bash have a hook to determine when child shell exits?
What's the difference between WSL, SFU, SUA/Interix, the POSIX subsystem, and Cygwin
SSH into a namespace, connection refused
Can Intel microcode updates be rolled back?