[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now


How to find a hidden server?

Posted on 2006-05-21
Medium Priority
Last Modified: 2010-04-11
I am a new network manager of 15 pcs.

Mysteriously when I scan inside the network with superscan I find 16 pcs (I get 16 NETBIOS names with 16 IP addresses)

What I know:
I know the IP of that server is
I know every pc IP address
I know that  the firewall (SBOX ver 2.xx ?) route all inbound trafic to (ports 4662 up to 4672)
All pcs have only one network card

What I do not know:
How to find the machine responds to PING
Can I pinpoint it without disturbing the users?
Question by:zolpo
LVL 51

Expert Comment

ID: 16729853
> How to find  ..
hmm, sounds like a silly question: what do you mean by "find"? find where the machine is located physically
LVL 51

Expert Comment

ID: 16729862
if you mean to find in the network topology and you can ensure that there're no machines with more than one NIC, then simply ping each known IP and ping the unknown IP, after that a simple
  arp -a
should show you at least one duplicate MAC (assuming that it is a virtual NIC/IP)

Author Comment

ID: 16729868
yes. I need to shoutdown this server

Should I walk and disconnect every pc one by one or you know a better way?
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

LVL 51

Expert Comment

ID: 16729925
>  yes. I need to shoutdown this server
and in the question
> ..  without disturbing the users?
opposed, somehow, isn't it?
LVL 11

Assisted Solution

prueconsulting earned 120 total points
ID: 16730019
Not sure what your infrastructure looks like but if you have a layer 2/3 managed switch you can find what port it is plugged into and shut it down there.

Example Cisco

Show arp - This would list out all the ip addresses with the MAC addresses note the MAC Address you want

show mac-address-table MACADDRESS - this will list the port which the pc in question is physically connected to .. You can then issue a shutdown command on this port.

Then follow that port cable to the patch panel and applicable data jack and voila .. Server.
LVL 51

Expert Comment

ID: 16730048
> Then follow that port cable ..
.. through the cable funnel ...
LVL 81

Assisted Solution

arnold earned 120 total points
ID: 16730553
Depending on the server type (does it have Remote management) you could connect to it remotely (do not shut it down, or you'll be looking for the server to turn it back on).

You could also follow ahoffman's advice and trace the network cable.  You'll eliminate two things at the same time:
1) find your server
2) get a better understanding of the layout.

The IP inquestion can also be a virtual Ip on the firewall that goes to a server that you do not manage.  Asking the people to whom you report should be the first question.
LVL 17

Expert Comment

by:Dushan De Silva
ID: 16730946
Use following "shutdown" command to shutdown remote PC within 1 minute.(For winXP)

%systemroot%\system32\shutdown -t 60

Allows you to shut down or restart a local or remote computer. Used without parameters, shutdown will logoff the current user.

shutdown [{-l|-s|-r|-a}] [-f] [-m [\\ComputerName]] [-t xx] [-c "message"] [-d[u][p]:xx:yy]

Logs off the current user, this is also the defualt. -m ComputerName takes precedence.
Shuts down the local computer.
Reboots after shutdown.
Aborts shutdown. Ignores other parameters, except -l and ComputerName. You can only use -a during the time-out period.
Forces running applications to close.
-m [\\ComputerName]
Specifies the computer that you want to shut down.
-t xx
Sets the timer for system shutdown in xx seconds. The default is 20 seconds.
-c "message"
Specifies a message to be displayed in the Message area of the System Shutdown window. You can use a maximum of 127 characters. You must enclose the message in quotation marks.
-d [u][p]:xx:yy
Lists the reason code for the shutdown. The following table lists the different values.
u  -Indicates a user code.
p  - Indicates a planned shutdown code.
xx - Specifies the major reason code (0-255).
yy - Specifies the minor reason code (0-65536).

Displays help at the command prompt.
If you indicate a major and minor reason code, you must first define these reason codes on each computer for which you plan to use the particular reason. If the reason codes are not defined on the target computer, Event Viewer cannot log the correct reason text.
To shut down \\MyServer in 60 seconds, force running applications to close, restart the computer after shutdown, indicate a user code, indicate that the shutdown is planned, log major reason code 125, and log minor reason code 1, type:

shutdown -r -f -m \\MyServer -t 60 -d up:125:1

Italic                          - Information that the user must supply
Bold                          - Elements that the user must type exactly as shown
Ellipsis (...)                - Parameter that can be repeated several times in a command line
Between brackets ([]) - Optional items
Between braces ({}); choices separated by pipe (|). Example: {even|odd} - Set of choices from which the user must choose only one
Courier font               - Code or program output

BR Dushan
LVL 32

Accepted Solution

jhance earned 1600 total points
ID: 16731005
It should be fairly easy to locate this server.  I'd take my laptop into the network hub room (i.e. the place where all your network lines come into a patch panel and would plug my laptop into one of the open ports.  Then start pinging the server in question while you disconnect each of the network hubs one at a time.  When the pinging stops, then you know which line the server is on.  Hopefully you have a map of where each line goes.  Go to the termination of that line and the server will be there.
LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 160 total points
ID: 16733488
OK - so you have 15 PCs (this has been physically confirmed), but 16 IP addresses?
Are you sure this 16th IP isn't the NIC of a router/switch/firewall?
It could be that 2 IP addresses are assigned to one network card, or maybe one of the PCs has two NICs, or even a wireless connection?

1)  Check that each of the 15 PCs has only one network cable comnig out the back
2)  Run a PING scan, check the ARP table.  Do duplicate MAC addresses appear for the 16th IP?  This would confirm whether or not there are 2 IPs on one NIC
3)  Try 'nbtstat -A' - this will tell you who is logged on (assuming a domain environment)
4)  If you've got the MAC address, find out the vendor via http://coffer.com/mac_find/ - this may help

Author Comment

ID: 16735393

Featured Post

[Webinar] Cloud and Mobile-First Strategy

Maybe you’ve fully adopted the cloud since the beginning. Or maybe you started with on-prem resources but are pursuing a “cloud and mobile first” strategy. Getting to that end state has its challenges. Discover how to build out a 100% cloud and mobile IT strategy in this webinar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Phishing emails are a popular malware delivery vehicle for attack.  While there are many ways for an attacker to increase the chances of success for their phishing emails, one of the most effective methods involves spoofing the message to appear to …
Last month Marc Laliberte, WatchGuard’s Senior Threat Analyst, contributed reviewed the three major email authentication anti-phishing technology standards: SPF, DKIM, and DMARC. Learn more in part 2 of the series originally posted in Cyber Defense …
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…
Suggested Courses

868 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question