Security Basics mailing list archives

RE: Identifying a computer


From: "Optrics Engineering - Shaun Sturby, MCSE" <Shaun () Optrics com>
Date: Wed, 3 Dec 2003 14:48:49 -0700

Hello,

How big of a LAN is it? If it is a small one you can start a constant ping to
your known IPs and unplug one hub/switch port at a time to identify the
legitimate ports. By a process of elimination you can find your culprit port and
then through your wiring documentation find out which office that system is in.
If they have put in their own hub this wouldn't work but you could just walk
around and look for a new system and a new hub and have your culprit.

Since the system does respond to ARP requests you could also try unplugging one
physical port, clearing your ARP table, pinging the rogue IP and checking your ARP
table. If the MAC address appears you know it is not on that port.

If this is a larger LAN and you have managed switches you can use the switch MAC
table or a tool like the Switch Port mapper from SolarWinds (free evaluation
available at http://www.solarwinds.net) to do the same thing, track down which
physical port a rogue system is attached to.

You could also temporarily assign this IP to another system or null route it at
your firewall and see who calls saying 'my new system can't get out to the
internet'.

Hope this gives you some ideas.

Shaun

-----Original Message-----
From: Cheetah [mailto:cheetahx () online no]
Sent: Wednesday, December 03, 2003 8:38 AM
To: security-basics () securityfocus com
Subject: Identifying a computer


Hello.

I am helping the sysadmin on my local LAN to manage the network, etc.
We have limited internet-bandwidth, and therefore it is necessary to make
sure no-one is taking too much of the bandwidth, as others will not be able
to use the internet connection.

For the last 2 days, a new IP has appeared, and it is constantly using a lot
of bandwidth. We have a linux-server running DHCP, DNS and the
internet-connection. I have checked the dhcpd.leases file, but the IP isn't
there. I have also tried to ping and scan this IP, but the computer is running
a strong firewall, shows no open ports and doesn't even respond to pings.

Is there any way I can get some information out of this computer without
running around and asking everyone what their IP is?

Tore



---------------------------------------------------------------------------
----------------------------------------------------------------------------

_____________________________________________________________

IMail Server has scanned this e-mail for Viruses and SPAM using
Declude Virus & Declude Junkmail available from www.Optrics.com
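
The ARP-table check and the switch MAC-table lookup suggested in the reply above, as an added example that is not part of the original thread: it takes the MAC the gateway learned for an IP and finds the switch port that MAC sits on. It assumes Linux `ip neigh show` output and a Cisco-style `show mac address-table` listing; every address, port name and function name below is constructed for illustration.

```python
import re

# Constructed sample: `ip neigh show` on the Linux gateway after pinging the unknown IP.
NEIGH = """\
192.168.1.10 dev eth1 lladdr 00:0c:29:aa:bb:01 REACHABLE
192.168.1.77 dev eth1 lladdr 00:50:BA:12:34:56 STALE
192.168.1.90 dev eth1  FAILED
"""

# Constructed sample: Cisco-style `show mac address-table` output from a managed switch.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    000c.29aa.bb01    DYNAMIC     Fa0/3
   1    0050.ba12.3456    DYNAMIC     Fa0/17
   1    0050.ba99.0001    DYNAMIC     Fa0/17
"""

def norm_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits (None if not a MAC)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    return digits if len(digits) == 12 else None

def mac_for_ip(neigh_text, ip):
    """Return the MAC the gateway learned for ip, or None if ARP never resolved."""
    for line in neigh_text.splitlines():
        fields = line.split()
        if fields and fields[0] == ip and "lladdr" in fields:
            return norm_mac(fields[fields.index("lladdr") + 1])
    return None

def macs_by_port(table_text):
    """Map each switch port to the set of MACs learned on it."""
    ports = {}
    for line in table_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and norm_mac(fields[1]):
            ports.setdefault(fields[-1], set()).add(norm_mac(fields[1]))
    return ports

def locate(neigh_text, table_text, ip):
    """Return (mac, port, shared); shared=True means other MACs sit behind that port,
    i.e. an uplink or an unmanaged hub, so the walk-around check still applies."""
    mac = mac_for_ip(neigh_text, ip)
    for port, macs in macs_by_port(table_text).items():
        if mac in macs:
            return mac, port, len(macs) > 1
    return mac, None, False
```

A `shared` result of `True` corresponds to the "they have put in their own hub" case in the reply: the switch can only narrow the search to the port the hub hangs off.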



