Security Basics mailing list archives
RE: Identifying a computer
From: "Optrics Engineering - Shaun Sturby, MCSE" <Shaun () Optrics com>
Date: Wed, 3 Dec 2003 14:48:49 -0700
Hello,

How big of a LAN is it? If it is a small one you can start a constant ping to your known IPs and unplug one hub/switch port at a time to identify the legitimate ports. By a process of elimination you can find your culprit port and then through your wiring documentation find out which office that system is in. If they have put in their own hub this wouldn't work but you could just walk around and look for a new system and a new hub and have your culprit.

Since the system does respond to ARP requests you could also try unplugging one physical port, clearing your ARP table, pinging the rogue IP and checking your ARP table. If the MAC address appears you know it is not on that port.

If this is a larger LAN and you have managed switches you can use the switch MAC table or a tool like the Switch Port mapper from SolarWinds (free evaluation available at http://www.solarwinds.net) to do the same thing, track down which physical port a rogue system is attached to.

You could also temporarily assign this IP to another system or null route it at your firewall and see who calls saying 'my new system can't get out to the internet'.

Hope this gives you some ideas.

Shaun

-----Original Message-----
From: Cheetah [mailto:cheetahx () online no]
Sent: Wednesday, December 03, 2003 8:38 AM
To: security-basics () securityfocus com
Subject: Identifying a computer

Hello.

I am helping the sysadmin on my local LAN to manage the network, etc. We have limited internet-bandwidth, and therefore it is necessary to make sure no-one is taking too much of the bandwidth, as others will not be able to use the internet connection.

For the last 2 days, a new IP has appeared, and it is constantly using a lot of bandwidth. We have a linux-server running DHCP, DNS and the internet-connection. I have checked the dhcpd.leases file, but the IP isn't there. I have also tried to ping and scan this IP, but the computer is running a strong firewall, shows no open ports and doesn't even respond to pings.

Is there any way I can get some information out of this computer without running around and asking everyone what their IP is?

Tore

_____________________________________________________________
IMail Server has scanned this e-mail for Viruses and SPAM using Declude Virus & Declude Junkmail available from www.Optrics.com
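Added example, not part of the original message: the ARP-table and switch-MAC-table lookup described in the reply above, done as a script. The IP addresses, MAC addresses and port names are constructed, the neighbour table is in Linux `ip neigh show` format, and the Cisco-IOS-style switch table layout is an assumption about the switch in use.

```python
import re

# Constructed sample: `ip neigh show` on the Linux server after pinging the unknown IP.
NEIGH = """\
192.168.1.10 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.57 dev eth0 lladdr 00:0c:29:ab:cd:ef STALE
192.168.1.99 dev eth0  FAILED
"""

# Constructed sample: Cisco-IOS-style `show mac address-table` output (assumed format).
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0011.2233.4455    DYNAMIC     Fa0/3
   1    000c.29ab.cdef    DYNAMIC     Fa0/12
   1    0050.56aa.bb01    DYNAMIC     Fa0/12
   1    0050.56aa.bb02    DYNAMIC     Fa0/24
"""

def norm_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits, else None."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    return digits if len(digits) == 12 else None

def mac_for_ip(neigh_text, ip):
    """Return the MAC the neighbour (ARP) table holds for ip, or None if unresolved."""
    for line in neigh_text.splitlines():
        fields = line.split()
        if fields and fields[0] == ip and "lladdr" in fields:
            return norm_mac(fields[fields.index("lladdr") + 1])
    return None

def ports_by_mac(table_text):
    """Map normalised MAC -> switch port, skipping header and separator lines."""
    ports = {}
    for line in table_text.splitlines():
        fields = line.split()
        if len(fields) == 4 and norm_mac(fields[1]):
            ports[norm_mac(fields[1])] = fields[3]
    return ports

def locate(ip, neigh_text=NEIGH, table_text=MAC_TABLE):
    """Return (mac, port, macs_on_port) for ip; unknown values come back as None/0."""
    mac = mac_for_ip(neigh_text, ip)
    ports = ports_by_mac(table_text)
    port = ports.get(mac)
    shared = sum(1 for p in ports.values() if p == port) if port else 0
    return mac, port, shared

if __name__ == "__main__":
    print(locate("192.168.1.57"))
```

A `macs_on_port` count above 1 means several MACs were learned on that port, which fits the case in the reply where someone has plugged in their own hub; an uplink to another switch looks the same.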