RE: Identifying a computer

From: Optrics Engineering - Shaun Sturby, MCSE (Shaun_at_Optrics.com)
Date: 12/03/03

    To: <security-basics@securityfocus.com>
    Date: Wed, 3 Dec 2003 14:48:49 -0700
    
    

    Hello,

    How big of a LAN is it? If it is a small one, you can start a constant ping to
    your known IPs and unplug one hub/switch port at a time to identify the
    legitimate ports. By a process of elimination you can find your culprit port and
    then through your wiring documentation find out which office that system is in.
    If they have put in their own hub, this wouldn't work, but you could just walk
    around and look for a new system and a new hub and have your culprit.

    Since the system does respond to ARP requests, you could also try unplugging one
    physical port, clearing your ARP table, pinging the rogue IP and checking your ARP
    table. If the MAC address appears you know it is not on that port.

    If this is a larger LAN and you have managed switches, you can use the switch MAC
    table or a tool like the Switch Port Mapper from SolarWinds (free evaluation
    available at http://www.solarwinds.net) to do the same thing: track down which
    physical port a rogue system is attached to.

    You could also temporarily assign this IP to another system or null route it at
    your firewall and see who calls saying 'my new system can't get out to the
    internet'.

    Hope this gives you some ideas.

    Shaun

    -----Original Message-----
    From: Cheetah [mailto:cheetahx@online.no]
    Sent: Wednesday, December 03, 2003 8:38 AM
    To: security-basics@securityfocus.com
    Subject: Identifying a computer

    Hello.

    I am helping the sysadmin on my local LAN to manage the network, etc.
    We have limited internet bandwidth, and therefore it is necessary to make
    sure no one is taking too much of the bandwidth, as others will not be able
    to use the internet connection.

    For the last 2 days, a new IP has appeared, and it is constantly using a lot
    of bandwidth. We have a Linux server running DHCP, DNS and the internet
    connection. I have checked the dhcpd.leases file, but the IP isn't there. I
    have also tried to ping and scan this IP, but the computer is running a
    strong firewall, shows no open ports and doesn't even respond to pings.

    Is there any way I can get some information out of this computer without
    running around and asking everyone what their IP is?

    Tore

    _____________________________________________________________

    IMail Server has scanned this e-mail for Viruses and SPAM using
    Declude Virus & Declude Junkmail available from www.Optrics.com
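
The ARP check and the switch MAC table lookup suggested in the reply, as an added example that is not part of the original thread. The switch table column layout (VLAN, MAC, type, port), the sample addresses and the function names are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed sample data, not captured from a real network.
# Neighbour (ARP) table in the format printed by `ip neigh show` on Linux.
SAMPLE_NEIGH='192.168.1.10 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.77 dev eth0 lladdr 00:0c:29:ab:cd:ef STALE
192.168.1.90 dev eth0  FAILED'
# Switch MAC table; the "vlan mac type port" column layout is an assumption.
SAMPLE_MACTABLE='   1    0011.2233.4455    DYNAMIC    Fa0/3
   1    000c.29ab.cdef    DYNAMIC    Fa0/17
   1    0050.56aa.bb01    DYNAMIC    Fa0/24
   1    0050.56aa.bb02    DYNAMIC    Fa0/24'

# Reduce a MAC in colon, dash or dotted notation to 12 lowercase hex digits.
norm_mac() { printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ':.-'; }

# mac_for_ip IP NEIGH_TEXT: print the resolved MAC; fail if ARP got no answer.
mac_for_ip() {
  printf '%s\n' "$2" | awk -v ip="$1" '
    $1 == ip { for (i = 2; i < NF; i++) if ($i == "lladdr") { print $(i + 1); ok = 1 } }
    END { exit (ok ? 0 : 1) }'
}

# port_for_mac MAC TABLE_TEXT: print the switch port that learned this MAC.
port_for_mac() {
  want=$(norm_mac "$1")
  printf '%s\n' "$2" | awk -v want="$want" '
    NF >= 4 { m = tolower($2); gsub(/[:.-]/, "", m); if (m == want) { print $NF; ok = 1 } }
    END { exit (ok ? 0 : 1) }'
}

# macs_on_port PORT TABLE_TEXT: more than one MAC suggests a hub or switch
# hangs off that port, so the wiring documentation alone will not name the host.
macs_on_port() {
  printf '%s\n' "$2" | awk -v p="$1" 'NF >= 4 && $NF == p { n++ } END { print n + 0 }'
}

# locate IP NEIGH_TEXT TABLE_TEXT: print "ip mac port macs-on-port".
locate() {
  mac=$(mac_for_ip "$1" "$2") || { echo "no ARP entry for $1"; return 1; }
  port=$(port_for_mac "$mac" "$3") || { echo "$mac not in MAC table"; return 1; }
  echo "$1 $mac $port $(macs_on_port "$port" "$3")"
}

# Live use on the Linux server: ping -c 3 IP first (a firewalled host drops
# the echo but still answers ARP), then: locate IP "$(ip neigh show)" "$(cat table.txt)"
locate 192.168.1.77 "$SAMPLE_NEIGH" "$SAMPLE_MACTABLE"
```

A count above 1 in the last column means several MAC addresses were learned on that port, which matches the added-hub case the reply mentions.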