Re: rogue IP address

From: Jeff Harris (jharris_at_rallycentral.us)
Date: 05/03/03

    Date: Fri, 2 May 2003 16:30:34 -0700 (PDT)
    To: security-basics@securityfocus.com
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    On Fri, 2 May 2003, Duston Sickler wrote:

    |Did LANguard give you a MAC address of the offending NIC? If so you can
    |look for the station that way if you have documented them. You could also
    |send an Administrative email out to all users specifying how to locate the
    |MAC address on the OS they run and have them email you back. When you find
    |the MAC you have your user.
    |
    |Good luck,
    |
    |Duston Sickler
    |----- Original Message -----
    |From: "Dave" <david.morris@curvalue.nl>
    |To: <security-basics@securityfocus.com>
    |Sent: Friday, May 02, 2003 2:48 AM
    |Subject: Re: rogue IP address
    |
    |
    |Hi,
    |I know it is not scientific, and probably offends some people but it does
    |work. (For up to a few hundred ports).
    |
    |/Dave
    |
    |On Thursday 01 May 2003 00:40, dondon@pacbell.net wrote:
    |> Someone on our network assigned an IP address to their own system without
    |> my knowledge. Using LANguard network scanner, the best I can tell is that
    |> it's a Linux box. The port-to-IP mapping table on our Asante switch
    |> doesn't seem to work correctly.
    |>
    |> Any suggestions on tracing down that system that is associated with the IP
    |> is appreciated!
    |>
    |> Andy
    |>

    Depending on the size of your company, it might be more effective to use
    some social engineering to get rid of the offending box. Put the word out
    that you're beginning the IT inventory check, and that techs will be
    checking each piece of equipment to make sure that it's where it's
    supposed to be. Hopefully the machine will disappear, and you can use
    changes in log files to identify the location of the offending host.

    In the meantime, make sure you have a company policy memo about
    "appropriate resources of company property," and lock down your firewalls
    and routers. If you're lucky, you just might find the offending box,
    realize that it doesn't have a property sticker, and confiscate it,
    pending investigation.

    Jeff

    - --
    Registered Linux user #304026.
    "lynx -source http://jharris.rallycentral.us/jharris.asc | gpg --import"
    or "gpg --keyserver pgp.mit.edu --recv-key B0890FED"
    Key fingerprint = 52FC 20BD 025A 8C13 5FC6 68C6 9CF9 46C2 B089 0FED
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.7 (GNU/Linux)
    Comment: Made with pgp4pine 1.76

    iD8DBQE+sv+dnPlGwrCJD+0RAoeLAJ48Ksf8d3UdLEhvjplTug/GkqWL/ACgtKP+
    ndviFjpJw8PmSe+RQfv8npE=
    =nMa7
    -----END PGP SIGNATURE-----
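
The MAC-inventory approach suggested in the quoted reply can be scripted. The following is an added example, not part of the original thread: it matches a neighbor table in Linux `ip neigh show` format against a documented MAC list and reports IPs whose MAC is not on record. The CSV columns, addresses and names are constructed assumptions, and the neighbor table has to come from a host on the same subnet as the rogue IP, since MAC addresses are only visible within the local segment.

```python
import csv
import io
import re

def norm_mac(raw):
    """Normalise 00-11-22-AA-BB-CC, 0011.22aa.bbcc or 00:11:22:aa:bb:cc."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_neigh(text):
    """Parse `ip neigh show` output into {ip: mac}; skip unresolved entries."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" not in fields:
            continue  # FAILED / INCOMPLETE entries carry no MAC
        table[fields[0]] = norm_mac(fields[fields.index("lladdr") + 1])
    return table

def load_inventory(csv_text):
    """Read the documented MAC list (assumed columns: mac, owner, location)."""
    return {norm_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(csv_text))}

def audit(neigh, inventory):
    """Return (known, unknown): owner record per IP, and IPs with undocumented MACs."""
    known, unknown = {}, {}
    for ip, mac in neigh.items():
        if mac in inventory:
            known[ip] = inventory[mac]
        else:
            unknown[ip] = mac
    return known, unknown

# Constructed sample data (RFC 5737 documentation range, made-up MACs).
NEIGH = """\
192.0.2.10 dev eth0 lladdr 00:11:22:aa:bb:01 REACHABLE
192.0.2.11 dev eth0 lladdr 00:11:22:aa:bb:02 STALE
192.0.2.77 dev eth0 lladdr 02:de:ad:be:ef:77 REACHABLE
192.0.2.99 dev eth0  FAILED
"""
INVENTORY = """\
mac,owner,location
00-11-22-AA-BB-01,alice,room 101
0011.22aa.bb02,bob,room 102
"""

if __name__ == "__main__":
    known, unknown = audit(parse_neigh(NEIGH), load_inventory(INVENTORY))
    for ip, mac in unknown.items():
        print(f"{ip} uses undocumented MAC {mac}")
```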
