Re: A beginner Q: Tracking a hacker

From: phn@icke-reklam.ipsec.nu
Date: 7 Mar 2002 17:26:20 GMT

Yaacov Fried <yaacovfr@matrix-it.co.il> wrote:
> On my Unix machine (Red Hat 7.1), I have noticed (using tcpdump) that someone
> is trying to poke around with a source IP address 172.23.5.228.
> AFAIK, this address is not routable. Is it a spoofed source address?
> So, how does he/she get the responses back?
> Since our LAN has no connection to the outside world, it must be someone
> from inside the LAN. Using tcpdump I know the MAC address associated with
> this IP.
> Is it the MAC address of the nearest router?

Yes.

Sniff upstream of that router and see where those packets come from.

If it's a Cisco, you can use debug functions to help.

> Is there any tool that translates MAC to IP (I think 'arp' is useless in this
> case)

No, but showing the ARP table may reveal info (if the offender is
on a LAN adjacent to that router).

Examining where traffic to 172.23.5.228 goes via the routing tables is also
a way.

> Thanks

> Jacob Fried

-- 
Peter Håkanson
        IPSec  Sverige      (At the Riverside of Gothenburg, home of Volvo)
           Sorry about my e-mail address, but I'm trying to keep spam out.
           Remove "icke-reklam" and it works.
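The reasoning in the reply above (a source IP that does not belong to our LAN arrives in frames whose source MAC is the nearest router's, so the ARP table names the hop to sniff upstream of) can be turned into a small triage script. The following is an added example, not code from the thread or from either poster: it parses constructed `tcpdump -e -n` and `arp -an` style lines, groups frames by source IP, flags sources outside the local subnet, and resolves the frame's source MAC through the ARP table to name the forwarding hop. All MAC addresses, the 192.168.10.0/24 subnet and the gateway address 192.168.10.1 are made up for the sample.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `tcpdump -e -n` output (link-level headers shown).
# In this made-up LAN, 00:50:56:aa:bb:01 is the gateway router's MAC and
# 00:0c:29:11:22:33 is the monitoring host. 172.23.5.228 and 10.9.9.9 are
# off-LAN sources; 192.168.10.20 is a genuine local host.
TCPDUMP_LINES = """\
17:26:01.000001 00:50:56:aa:bb:01 > 00:0c:29:11:22:33, ethertype IPv4 (0x0800), length 74: 172.23.5.228.40001 > 192.168.10.7.22: Flags [S], seq 1, win 512, length 0
17:26:01.000500 00:50:56:aa:bb:01 > 00:0c:29:11:22:33, ethertype IPv4 (0x0800), length 74: 172.23.5.228.40002 > 192.168.10.7.23: Flags [S], seq 1, win 512, length 0
17:26:02.100000 00:0c:29:44:55:66 > 00:0c:29:11:22:33, ethertype IPv4 (0x0800), length 66: 192.168.10.20.51000 > 192.168.10.7.80: Flags [P.], seq 1:10, ack 1, win 1024, length 9
17:26:03.000000 00:50:56:aa:bb:01 > 00:0c:29:11:22:33, ethertype IPv4 (0x0800), length 74: 10.9.9.9.40003 > 192.168.10.7.443: Flags [S], seq 1, win 512, length 0
"""

# Constructed sample of `arp -an` output on the monitoring host.
ARP_LINES = """\
? (192.168.10.1) at 00:50:56:aa:bb:01 [ether] on eth0
? (192.168.10.20) at 00:0c:29:44:55:66 [ether] on eth0
"""

# Assumed local subnet of the monitoring host.
LOCAL_NET = ipaddress.ip_network("192.168.10.0/24")

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
FRAME_RE = re.compile(
    rf"^\S+ (?P<smac>{MAC}) > (?P<dmac>{MAC}), ethertype IPv4 \(0x0800\), length \d+: "
    rf"(?P<sip>{IPV4})\.\d+ > (?P<dip>{IPV4})\.\d+"
)
ARP_RE = re.compile(rf"\((?P<ip>{IPV4})\) at (?P<mac>{MAC})")


def parse_arp(text):
    """Map MAC -> IP from `arp -an` style lines."""
    table = {}
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if m:
            table[m["mac"]] = m["ip"]
    return table


def parse_frames(text):
    """Return (src_mac, src_ip, dst_ip) for each IPv4-over-Ethernet frame line."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append((m["smac"], m["sip"], m["dip"]))
    return frames


def analyze(tcpdump_text, arp_text, local_net):
    """Group frames by source IP and name the hop that delivered each off-LAN source.

    A source IP outside local_net cannot have been placed on the wire by its own
    NIC; the frame's source MAC is the last router that forwarded it, so the ARP
    table tells us which router to sniff upstream of.
    """
    mac_to_ip = parse_arp(arp_text)
    by_src = defaultdict(lambda: {"macs": set(), "packets": 0})
    for smac, sip, _dip in parse_frames(tcpdump_text):
        by_src[sip]["macs"].add(smac)
        by_src[sip]["packets"] += 1

    report = {}
    for sip, info in by_src.items():
        addr = ipaddress.ip_address(sip)
        off_lan = addr not in local_net
        macs = sorted(info["macs"])
        # More than one source MAC for one IP is itself worth a look; we only
        # resolve the hop when exactly one MAC carried the address.
        via = mac_to_ip.get(macs[0]) if len(macs) == 1 else None
        report[sip] = {
            "packets": info["packets"],
            "macs": macs,
            "private": addr.is_private,   # RFC 1918 etc., as in the poster's case
            "off_lan": off_lan,
            "via": via if off_lan else None,  # forwarding router for off-LAN sources
        }
    return report


if __name__ == "__main__":
    for sip, r in analyze(TCPDUMP_LINES, ARP_LINES, LOCAL_NET).items():
        where = f"forwarded by {r['via']}" if r["via"] else ("local host" if not r["off_lan"] else "unknown hop")
        print(f"{sip:15} pkts={r['packets']} private={r['private']} {where} macs={','.join(r['macs'])}")
```

On the sample, both off-LAN sources resolve to the gateway 192.168.10.1, which is exactly the "sniff upstream of that router" starting point the reply recommends; the local host is reported as such because its IP falls inside the monitored subnet.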
    


