Re: A beginner Q: Tracking a hacker
From: phn@icke-reklam.ipsec.nu
Date: 7 Mar 2002 17:26:20 GMT
In reply to: Yaacov Fried: "A beginner Q: Tracking a hacker"
Yaacov Fried <yaacovfr@matrix-it.co.il> wrote:
> On my Unix Machine (Redhat 7.1), I have noticed (using tcpdump) that someone
> is trying to poke around with a source IP address 172.23.5.228.
> AFAIK, this address is not routable. Is it a spoofed source address ?
> So, how does he/she get the responses back ?
> Since our LAN has no connection to the outside world, it must be someone
> from inside the LAN, using tcpdump I know the MAC address associated with
> this IP.
> Is it the MAC address of the nearest router ?
Yes.
Sniff upstream of that router and see where those packets come from.
If it's a cisco, you can use debug functions to help.
> Is there any tool that translates MAC to IP (I think 'arp' is useless in this
> case)?
No, but showing the arp table may reveal info (if the offender is
on a LAN adjacent to that router).
Examining where traffic to 172.23.5.228 goes via the routing tables is also
a way.
> Thanks
> Jacob Fried
--
Peter Håkanson
IPSec Sverige (At the Riverside of Gothenburg, home of Volvo)
Sorry about my e-mail address, but i'm trying to keep spam out.
Remove "icke-reklam" and it works.
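The correlation Peter describes (take the source MAC seen by tcpdump, look it up in the ARP table, and if the MAC belongs to the gateway rather than to the claimed source IP, the real origin is beyond the router) can be automated. The following is an added example, not code from the original post or its author; the `tcpdump -e -n` style capture lines, the `arp -an` style entries, the MAC addresses and the 10.0.0.0/24 segment are all constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `tcpdump -e -n` style output (hypothetical data, not from the post).
# The first two frames carry the non-routable source 172.23.5.228 that the question asks about.
CAPTURE = """\
17:26:01.000001 00:11:22:33:44:55 > aa:bb:cc:dd:ee:ff, ethertype IPv4 (0x0800), length 74: 172.23.5.228.40001 > 10.0.0.7.22: Flags [S]
17:26:01.100002 00:11:22:33:44:55 > aa:bb:cc:dd:ee:ff, ethertype IPv4 (0x0800), length 74: 172.23.5.228.40002 > 10.0.0.7.23: Flags [S]
17:26:02.000003 02:aa:bb:cc:dd:01 > aa:bb:cc:dd:ee:ff, ethertype IPv4 (0x0800), length 98: 10.0.0.12.51000 > 10.0.0.7.80: Flags [P.]
17:26:03.000004 00:11:22:33:44:55 > aa:bb:cc:dd:ee:ff, ethertype IPv4 (0x0800), length 98: 10.0.1.20.51001 > 10.0.0.7.80: Flags [P.]
"""

# Constructed `arp -an` style entries for the sniffing host's own segment (hypothetical).
# 10.0.0.1 is assumed to be the default gateway on this segment.
ARP_TABLE = """\
? (10.0.0.1) at 00:11:22:33:44:55 [ether] on eth0
? (10.0.0.12) at 02:aa:bb:cc:dd:01 [ether] on eth0
"""

LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")  # assumed local segment

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
FRAME_RE = re.compile(
    rf"^\S+ (?P<smac>{MAC}) > (?P<dmac>{MAC}),"
    r".*?: (?P<sip>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dip>\d+\.\d+\.\d+\.\d+)\.\d+"
)
ARP_RE = re.compile(rf"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>{MAC})")


def parse_capture(text):
    """Return (source MAC, source IP) pairs from tcpdump -e -n style lines."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.lower())
        if m:
            frames.append((m["smac"], m["sip"]))
    return frames


def parse_arp(text):
    """Return {ip: mac} from arp -an style output."""
    return {m["ip"]: m["mac"].lower() for m in ARP_RE.finditer(text)}


def attribute_sources(frames, arp, local_net):
    """For each source IP seen, decide whether the frame came from a host on our
    segment (its MAC is bound to that very IP in the ARP table) or was relayed by
    another device on the segment (typically the router), in which case the
    attacker must be sought upstream of that device."""
    mac_owner = {mac: ip for ip, mac in arp.items()}  # reverse ARP: who holds this MAC here
    report = {}
    for smac, sip in frames:
        src = ipaddress.ip_address(sip)
        owner = mac_owner.get(smac)
        if owner == sip:
            origin = "local host"
        elif owner is not None:
            origin = f"relayed by {owner}"
        else:
            origin = "unknown MAC"
        entry = report.setdefault(sip, {
            "mac": smac,
            "origin": origin,
            "off_segment": src not in local_net,  # claimed IP is not on our segment
            "private": src.is_private,            # RFC 1918 / non-routable on the Internet
            "frames": 0,
        })
        entry["frames"] += 1
    return report


if __name__ == "__main__":
    report = attribute_sources(parse_capture(CAPTURE), parse_arp(ARP_TABLE), LOCAL_NET)
    for ip, info in report.items():
        flag = " (private, off-segment)" if info["private"] and info["off_segment"] else ""
        print(f"{ip:<15} mac={info['mac']} frames={info['frames']} origin={info['origin']}{flag}")
```

Run against a real capture, an `origin` of "relayed by <gateway>" for a source address that is not on the local segment is exactly the situation in the thread: the MAC belongs to the router, so the next step is to capture on the router's other interfaces or consult its routing and ARP tables rather than hunting for the MAC on this segment.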