How to find a hidden server?

Posted on 2006-05-21
Last Modified: 2010-04-11
I am a new network manager of 15 pcs.

Mysteriously when I scan inside the network with superscan I find 16 pcs (I get 16 NETBIOS names with 16 IP addresses)

What I know:
I know the IP of that server is
I know every pc IP address
I know that  the firewall (SBOX ver 2.xx ?) routes all inbound traffic to (ports 4662 up to 4672)
All pcs have only one network card

What I do not know:
How to find the machine responds to PING
Can I pinpoint it without disturbing the users?
Question by:zolpo
    LVL 51

    Expert Comment

    > How to find  ..
    hmm, sounds like a silly question: what do you mean by "find"? find where the machine is located physically
    LVL 51

    Expert Comment

    if you mean to find in the network topology and you can ensure that there're no machines with more than one NIC, then simply ping each known IP and ping the unknown IP, after that a simple
      arp -a
    should show you at least one duplicate MAC (assuming that it is a virtual NIC/IP)
    LVL 1

    Author Comment

    yes. I need to shut down this server

    Should I walk and disconnect every pc one by one or you know a better way?
    LVL 51

    Expert Comment

    >  yes. I need to shut down this server
    and in the question
    > ..  without disturbing the users?
    opposed, somehow, isn't it?
    LVL 11

    Assisted Solution

    Not sure what your infrastructure looks like but if you have a layer 2/3 managed switch you can find what port it is plugged into and shut it down there.

    Example Cisco

    show arp - this lists all the IP addresses with their MAC addresses; note the MAC address you want

    show mac-address-table address MACADDRESS - this lists the port which the PC in question is physically connected to. You can then issue a shutdown command on this port.

    Then follow that port cable to the patch panel and applicable data jack and voila .. Server.
    LVL 51

    Expert Comment

    > Then follow that port cable ..
    .. through the cable funnel ...
    LVL 76

    Assisted Solution

    Depending on the server type (does it have Remote management) you could connect to it remotely (do not shut it down, or you'll be looking for the server to turn it back on).

    You could also follow ahoffman's advice and trace the network cable.  You'll eliminate two things at the same time:
    1) find your server
    2) get a better understanding of the layout.

    The IP in question can also be a virtual IP on the firewall that goes to a server that you do not manage.  Asking the people to whom you report should be the first question.
    LVL 17

    Expert Comment

    Use the following "shutdown" command to shut down a remote PC within 1 minute (for WinXP).

    %systemroot%\system32\shutdown -s -m \\ComputerName -t 60

    Allows you to shut down or restart a local or remote computer. Used without parameters, shutdown will logoff the current user.

    shutdown [{-l|-s|-r|-a}] [-f] [-m [\\ComputerName]] [-t xx] [-c "message"] [-d[u][p]:xx:yy]

    -l
    Logs off the current user, this is also the default. -m ComputerName takes precedence.
    -s
    Shuts down the local computer.
    -r
    Reboots after shutdown.
    -a
    Aborts shutdown. Ignores other parameters, except -l and ComputerName. You can only use -a during the time-out period.
    -f
    Forces running applications to close.
    -m [\\ComputerName]
    Specifies the computer that you want to shut down.
    -t xx
    Sets the timer for system shutdown in xx seconds. The default is 20 seconds.
    -c "message"
    Specifies a message to be displayed in the Message area of the System Shutdown window. You can use a maximum of 127 characters. You must enclose the message in quotation marks.
    -d [u][p]:xx:yy
    Lists the reason code for the shutdown. The following table lists the different values.
    u  -Indicates a user code.
    p  - Indicates a planned shutdown code.
    xx - Specifies the major reason code (0-255).
    yy - Specifies the minor reason code (0-65536).

    /?
    Displays help at the command prompt.
    If you indicate a major and minor reason code, you must first define these reason codes on each computer for which you plan to use the particular reason. If the reason codes are not defined on the target computer, Event Viewer cannot log the correct reason text.
    To shut down \\MyServer in 60 seconds, force running applications to close, restart the computer after shutdown, indicate a user code, indicate that the shutdown is planned, log major reason code 125, and log minor reason code 1, type:

    shutdown -r -f -m \\MyServer -t 60 -d up:125:1

    Italic                          - Information that the user must supply
    Bold                          - Elements that the user must type exactly as shown
    Ellipsis (...)                - Parameter that can be repeated several times in a command line
    Between brackets ([]) - Optional items
    Between braces ({}); choices separated by pipe (|). Example: {even|odd} - Set of choices from which the user must choose only one
    Courier font               - Code or program output

    BR Dushan
    LVL 32

    Accepted Solution

    It should be fairly easy to locate this server.  I'd take my laptop into the network hub room (i.e. the place where all your network lines come into a patch panel) and would plug my laptop into one of the open ports.  Then start pinging the server in question while you disconnect each of the network hubs one at a time.  When the pinging stops, then you know which line the server is on.  Hopefully you have a map of where each line goes.  Go to the termination of that line and the server will be there.
    LVL 23

    Assisted Solution

    by:Tim Holman
    OK - so you have 15 PCs (this has been physically confirmed), but 16 IP addresses?
    Are you sure this 16th IP isn't the NIC of a router/switch/firewall?
    It could be that 2 IP addresses are assigned to one network card, or maybe one of the PCs has two NICs, or even a wireless connection?

    1)  Check that each of the 15 PCs has only one network cable coming out the back
    2)  Run a PING scan, check the ARP table.  Do duplicate MAC addresses appear for the 16th IP?  This would confirm whether or not there are 2 IPs on one NIC
    3)  Try 'nbtstat -A' - this will tell you who is logged on (assuming a domain environment)
    4)  If you've got the MAC address, find out the vendor via - this may help
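
Added example, not part of any post in this thread: the duplicate-MAC check suggested above (ping every address, then read `arp -a`) automated as a small Python parser for Windows-style `arp -a` output. The sample table, its addresses and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output (all addresses are made up).
SAMPLE_ARP = """\
Interface: 192.168.1.50 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-01     dynamic
  192.168.1.11          00-11-22-33-44-0b     dynamic
  192.168.1.12          00-11-22-33-44-0c     dynamic
  192.168.1.99          00-11-22-33-44-0c     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# One table row: IPv4 address, dash-separated MAC, entry type.
ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)",
    re.IGNORECASE,
)

def parse_arp(text):
    """Return {mac: [ip, ...]} from `arp -a` text, skipping broadcast/multicast."""
    table = defaultdict(list)
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # interface banner, column header, blank line
        ip, mac = m.group(1), m.group(2).lower()
        if mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e"):
            continue  # not a real host NIC
        table[mac].append(ip)
    return dict(table)

def locate(text, unknown_ip):
    """Classify the unknown IP: shares a NIC, is its own device, or was not seen."""
    for mac, ips in parse_arp(text).items():
        if unknown_ip in ips:
            others = [ip for ip in ips if ip != unknown_ip]
            if others:
                return ("shared-nic", mac, others)   # second IP on a known NIC
            return ("separate-device", mac, [])      # take this MAC to the switch
    return ("no-arp-entry", None, [])                # ping it first, then re-run

if __name__ == "__main__":
    print(locate(SAMPLE_ARP, "192.168.1.99"))
```

A "shared-nic" result against the gateway's address points at the router or firewall answering for that IP rather than at one of the PCs.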
    LVL 1

    Author Comment

