Re: A beginner Q: Tracking a hacker

From: phn@icke-reklam.ipsec.nu
Date: 03/07/02


Yaacov Fried <yaacovfr@matrix-it.co.il> wrote:
> On my Unix machine (Redhat 7.1), I have noticed (using tcpdump) that someone
> is trying to poke around with a source IP address 172.23.5.228.
> AFAIK, this address is not routable. Is it a spoofed source address?
> So, how does he/she get the responses back?
> Since our LAN has no connection to the outside world, it must be someone
> from inside the LAN; using tcpdump I know the MAC address associated with
> this IP.
> Is it the MAC address of the nearest router?

Yes.

Sniff upstream of that router and see where those packets come from.

If it's a Cisco, you can use debug functions to help.

> Is there any tool that translates MAC to IP (I think 'arp' is useless in this
> case)?

No, but showing the arp table may reveal info (if the offender is
on a LAN adjacent to that router).

Examining where traffic to 172.23.5.228 goes, via the routing tables, is also
a way.

> Thanks

> Jacob Fried

-- 
Peter Håkanson
        IPSec Sverige      (At the Riverside of Gothenburg, home of Volvo)
           Sorry about my e-mail address, but i'm trying to keep spam out.
           Remove "icke-reklam" and it works.
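The first step in the reply (work out whether the MAC seen behind 172.23.5.228 belongs to a router, then use the arp table for the next hop) can be automated over captured `tcpdump -e -n` output. This is an added example, not code from the thread; the capture lines, arp output, addresses and MACs are all constructed. A MAC that sources packets for several different IP addresses is treated as router-like, which is the reasoning behind the "Yes" above.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample of `tcpdump -e -n` output (modern line format, not from the post).
SAMPLE_TCPDUMP = """\
17:26:20.100001 00:a0:c9:12:34:56 > 00:10:5a:aa:bb:cc, ethertype IPv4 (0x0800), length 60: 172.23.5.228.1234 > 10.1.1.10.22: Flags [S], seq 1, win 512, length 0
17:26:20.200002 00:a0:c9:12:34:56 > 00:10:5a:aa:bb:cc, ethertype IPv4 (0x0800), length 60: 172.23.5.228.1235 > 10.1.1.10.23: Flags [S], seq 2, win 512, length 0
17:26:21.300003 00:a0:c9:12:34:56 > 00:10:5a:aa:bb:cc, ethertype IPv4 (0x0800), length 60: 10.1.2.40.40000 > 10.1.1.10.80: Flags [S], seq 3, win 512, length 0
17:26:22.400004 00:50:56:de:ad:01 > 00:10:5a:aa:bb:cc, ethertype IPv4 (0x0800), length 60: 10.1.1.20.50000 > 10.1.1.10.22: Flags [S], seq 4, win 512, length 0
"""

# Constructed `arp -an` output from the monitored host (hypothetical addresses).
SAMPLE_ARP = """\
? (10.1.1.1) at 00:a0:c9:12:34:56 [ether] on eth0
? (10.1.1.20) at 00:50:56:de:ad:01 [ether] on eth0
"""

LINE_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), ethertype IPv4 \(0x0800\), "
    r"length \d+: (?P<sip>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dip>\d+\.\d+\.\d+\.\d+)\.\d+:"
)
ARP_RE = re.compile(r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>[0-9a-f:]{17})")


def mac_to_source_ips(tcpdump_text):
    """Map each source MAC to the set of IP source addresses seen arriving from it."""
    seen = defaultdict(set)
    for line in tcpdump_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            seen[m["smac"]].add(m["sip"])
    return seen


def parse_arp(arp_text):
    """Map MAC -> IP from `arp -an` output; only hosts on directly attached LANs appear."""
    return {m["mac"]: m["ip"] for m in ARP_RE.finditer(arp_text)}


def trace_source(tcpdump_text, arp_text, suspect_ip):
    """Describe the link-layer origin of suspect_ip: its MAC, the arp entry for that
    MAC (the next hop to sniff upstream of), whether the MAC looks like a router
    (it sources packets for more than one IP), and whether the IP is RFC 1918."""
    seen = mac_to_source_ips(tcpdump_text)
    macs = [mac for mac, ips in seen.items() if suspect_ip in ips]
    if not macs:
        return None
    mac = macs[0]
    return {
        "mac": mac,
        "arp_ip": parse_arp(arp_text).get(mac),
        "router_like": len(seen[mac]) > 1,
        "private_source": ipaddress.ip_address(suspect_ip).is_private,
    }
```

If `router_like` is true, the arp entry gives the router interface to move the sniffer behind; if it is false, the arp entry is the offending host itself on the local LAN.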