How to find a hidden server?

I am a new network manager of 15 pcs.

Mysteriously when I scan inside the network with superscan I find 16 pcs (I get 16 NETBIOS names with 16 IP addresses)

What I know:
I know the IP of that server is 192.168.0.125
I know every pc IP address
I know that the firewall (SBOX ver 2.xx ?) routes all inbound traffic to 192.168.0.125 (ports 4662 up to 4672)
All pcs have only one network card

What I do not know:
How to find the machine that responds to PING 192.168.0.125?
Can I pinpoint it without disturbing the users?
zolpoAsked:
 
jhanceCommented:
It should be fairly easy to locate this server.  I'd take my laptop into the network hub room (i.e. the place where all your network lines come into a patch panel) and would plug my laptop into one of the open ports.  Then start pinging the server in question while you disconnect each of the network hubs one at a time.  When the pinging stops, then you know which line the server is on.  Hopefully you have a map of where each line goes.  Go to the termination of that line and the server will be there.
0
 
ahoffmannCommented:
> How to find  ..
hmm, sounds like a silly question: what do you mean by "find"? find where the machine is located physically
0
 
ahoffmannCommented:
if you mean to find in the network topology and you can ensure that there're no machines with more than one NIC, then simply ping each known IP and ping the unknown IP, after that a simple
  arp -a
should show you at least one duplicate MAC (assuming that it is a virtual NIC/IP)
0
 
zolpoAuthor Commented:
Yes. I need to shut down this server.

Should I walk and disconnect every PC one by one, or do you know a better way?
0
 
ahoffmannCommented:
>  yes. I need to shut down this server
and in the question
> ..  without disturbing the users?
opposed, somehow, isn't it?
0
 
prueconsultingCommented:
Not sure what your infrastructure looks like but if you have a layer 2/3 managed switch you can find what port it is plugged into and shut it down there.

Example Cisco

Show arp - This would list out all the ip addresses with the MAC addresses note the MAC Address you want

show mac-address-table MACADDRESS - this will list the port which the pc in question is physically connected to .. You can then issue a shutdown command on this port.

Then follow that port cable to the patch panel and applicable data jack and voila .. Server.
0
 
ahoffmannCommented:
> Then follow that port cable ..
.. through the cable funnel ...
*SCNR*
0
 
arnoldCommented:
Depending on the server type (does it have Remote management) you could connect to it remotely (do not shut it down, or you'll be looking for the server to turn it back on).

You could also follow ahoffman's advice and trace the network cable.  You'll eliminate two things at the same time:
1) find your server
2) get a better understanding of the layout.

The IP in question can also be a virtual IP on the firewall that goes to a server that you do not manage.  Asking the people to whom you report should be the first question.
0
 
Dushan De SilvaTechnology ArchitectCommented:
Use the following "shutdown" command to shut down a remote PC within 1 minute (for WinXP).

%systemroot%\system32\shutdown -s -m \\ComputerName -t 60


-----------------------------------------------Shutdown---------------------------------------------------------------
Allows you to shut down or restart a local or remote computer. Used without parameters, shutdown will logoff the current user.

Syntax
shutdown [{-l|-s|-r|-a}] [-f] [-m [\\ComputerName]] [-t xx] [-c "message"] [-d[u][p]:xx:yy]

Parameters
-l
Logs off the current user, this is also the default. -m ComputerName takes precedence.
-s
Shuts down the local computer.
-r
Reboots after shutdown.
-a
Aborts shutdown. Ignores other parameters, except -l and ComputerName. You can only use -a during the time-out period.
-f
Forces running applications to close.
-m [\\ComputerName]
Specifies the computer that you want to shut down.
-t xx
Sets the timer for system shutdown in xx seconds. The default is 20 seconds.
-c "message"
Specifies a message to be displayed in the Message area of the System Shutdown window. You can use a maximum of 127 characters. You must enclose the message in quotation marks.
-d [u][p]:xx:yy
Lists the reason code for the shutdown. The following table lists the different values.
u  -Indicates a user code.
p  - Indicates a planned shutdown code.
xx - Specifies the major reason code (0-255).
yy - Specifies the minor reason code (0-65536).

/?
Displays help at the command prompt.
Remarks
If you indicate a major and minor reason code, you must first define these reason codes on each computer for which you plan to use the particular reason. If the reason codes are not defined on the target computer, Event Viewer cannot log the correct reason text.
Examples
To shut down \\MyServer in 60 seconds, force running applications to close, restart the computer after shutdown, indicate a user code, indicate that the shutdown is planned, log major reason code 125, and log minor reason code 1, type:

shutdown -r -f -m \\MyServer -t 60 -d up:125:1


Italic                          - Information that the user must supply
Bold                          - Elements that the user must type exactly as shown
Ellipsis (...)                - Parameter that can be repeated several times in a command line
Between brackets ([]) - Optional items
Between braces ({}); choices separated by pipe (|). Example: {even|odd} - Set of choices from which the user must choose only one
Courier font               - Code or program output


BR Dushan
 
0
 
Tim HolmanCommented:
OK - so you have 15 PCs (this has been physically confirmed), but 16 IP addresses?
Are you sure this 16th IP isn't the NIC of a router/switch/firewall?
It could be that 2 IP addresses are assigned to one network card, or maybe one of the PCs has two NICs, or even a wireless connection?
So:

1)  Check that each of the 15 PCs has only one network cable coming out the back
2)  Run a PING scan, check the ARP table.  Do duplicate MAC addresses appear for the 16th IP?  This would confirm whether or not there are 2 IPs on one NIC
3)  Try 'nbtstat -A 192.168.0.125' - this will tell you who is logged on (assuming a domain environment)
4)  If you've got the MAC address, find out the vendor via http://coffer.com/mac_find/ - this may help
0
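
The duplicate-MAC check that ahoffmann and Tim Holman describe (ping everything, then read `arp -a`), as an added example that is not part of the original thread. It assumes the Windows `arp -a` output layout; the sample table and its MAC addresses are constructed, and only 192.168.0.125 comes from the question.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output. MACs and host IPs are made up;
# 192.168.0.125 is the unknown address from the question.
SAMPLE_ARP = """\
Interface: 192.168.0.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           00-11-22-aa-bb-01     dynamic
  192.168.0.21          00-11-22-aa-bb-15     dynamic
  192.168.0.22          00-11-22-aa-bb-16     dynamic
  192.168.0.125         00-11-22-AA-BB-16     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
"""

ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2})\s+\w+",
    re.I,
)

def parse_arp(text):
    """Return {mac: set(ips)} from `arp -a` output, skipping broadcast/multicast."""
    table = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # interface line, column header or blank line
        ip, mac = m.group(1), m.group(2).lower().replace(":", "-")
        # Lowest bit of the first octet set means a group address, not a host NIC.
        if int(mac[:2], 16) & 1:
            continue
        table[mac].add(ip)
    return table

def locate(unknown_ip, text):
    """Return (mac, other_ips_on_same_mac) for unknown_ip, or None if no entry."""
    for mac, ips in parse_arp(text).items():
        if unknown_ip in ips:
            return mac, sorted(ips - {unknown_ip})
    return None

if __name__ == "__main__":
    hit = locate("192.168.0.125", SAMPLE_ARP)
    if hit is None:
        print("no ARP entry: ping the address first, then rerun arp -a")
    elif hit[1]:
        print(f"{hit[0]} also answers for {hit[1]}: second IP on a known NIC")
    else:
        print(f"{hit[0]} is unique: separate device, look it up on the switch")
```

A MAC shared with a known PC means the sixteenth address is a second IP on that machine; a unique MAC means a separate device, which the switch lookup or cable trace from the other answers will find.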
 
zolpoAuthor Commented:
JHANCE THE KING
0
Question has a verified solution.
