StudentCity asked on
How to kill Zombies? (ip zombies that is)

Hi everybody,
So recently we found out one of our computers was sending out spam.
We created a rule to block port 25 and had everybody change their Outlook settings and whatnot. Well, this morning I was checking the firewall logs and found 2 computers constantly hitting port 25. I took care of one, but the second one, well, the second one is a freaking ghost!
The internal IP is 10.80.2.82.
When pinged, the request times out; it is not in the address leases on DHCP, but it is still hitting the firewall.
How can I pin down this computer and resolve the issue?

Log segment:

Attached:
Firewall-Log.xls
CiscoDHCPDNS

Chris Dent (United Kingdom)

Are your switches managed? Do you have a MAC address for that host from your Firewall log?

If the switches are managed, like the Cisco Catalyst, they'll have MAC address tables. It'll allow you to find the port the device is attached to, then it's simply a case of tracing physical connections.

Chris
StudentCity (asker)

Hi Chris-Dent,
Unfortunately, no, our switches are not manageable.... I think. Well, I have 2 Linksys 48-port 10/100/1000 + 4 shared 2 775.49 mini-Gigabit Switch with WebView SRW2048 - switch - 48 ports

And I don't have the MAC address since I can't resolve the IP.

Chris Dent (United Kingdom)

You'll have a MAC if it's talking to the firewall; you'd have to capture the packet, but the MAC will be in there. Not to worry, it's not relevant if you couldn't trace it.

Port Scan the host and see if it reveals anything? Perhaps grab nmap from here:

http://nmap.org/

Bit of a long shot, but it might give some clues to its identity. Might help you identify the OS at least.

I take it you've tried opening an SMTP connection back to it? Unlikely that it's operating if it's malicious, but worth a shot.

Chris
StudentCity (asker)

Using a show arp on the firewall, I found the MAC:
scity-asa# show arp
        outside 65.219.218.193 0019.e8ba.32e8
        inside 10.80.2.82 001a.70de.a2ec
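As an added example (not from this thread, and not from any of the tools mentioned in it), the script below does the two defender-side steps that come up above in one pass: it counts which internal hosts the firewall keeps seeing heading for port 25, then joins those IPs against the firewall's ARP cache so each noisy host comes out with its MAC and OUI (the first three bytes, which you look up in the IEEE registry for a vendor hint, and which a managed switch's MAC table would tie to a physical port). The log lines are constructed for the example in the shape of ASA "106023 Deny tcp" messages (an assumed format, not the thread's attached Firewall-Log.xls); the ARP text is the show arp output quoted in the post above.

```python
import re
from collections import Counter

# Constructed sample of Cisco ASA syslog lines. Message 106023 is assumed to
# read "Deny tcp src IFACE:IP/PORT dst IFACE:IP/PORT ..."; the lines are made
# up for this example and are not from the thread's attachment. The 302013
# line is there to show that unrelated messages are ignored.
SAMPLE_FIREWALL_LOG = """\
%ASA-4-106023: Deny tcp src inside:10.80.2.82/49153 dst outside:203.0.113.25/25 by access-group "inside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.80.2.82/49154 dst outside:203.0.113.26/25 by access-group "inside_in" [0x0, 0x0]
%ASA-6-302013: Built outbound TCP connection 1003 for outside:203.0.113.40/443 (203.0.113.40/443) to inside:10.80.2.15/50020 (198.51.100.1/50020)
%ASA-4-106023: Deny tcp src inside:10.80.2.82/49155 dst outside:203.0.113.27/25 by access-group "inside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.80.2.40/49200 dst outside:203.0.113.50/25 by access-group "inside_in" [0x0, 0x0]
"""

# The "show arp" output exactly as quoted in the asker's post.
SAMPLE_SHOW_ARP = """\
scity-asa# show arp
        outside 65.219.218.193 0019.e8ba.32e8
        inside 10.80.2.82 001a.70de.a2ec
"""

DENY_RE = re.compile(
    r"Deny tcp src (?P<src_if>\w+):(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<dst_port>\d+)"
)

ARP_RE = re.compile(
    r"^\s*(?P<iface>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s*$"
)


def count_smtp_sources(log_text, port=25):
    """Count denied connection attempts to `port`, keyed by internal source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m and int(m.group("dst_port")) == port:
            counts[m.group("src_ip")] += 1
    return dict(counts)


def cisco_mac_to_colon(mac):
    """Turn Cisco's dotted-triplet form (001a.70de.a2ec) into 00:1a:70:de:a2:ec."""
    hexdigits = mac.replace(".", "").lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a Cisco-format MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_show_arp(arp_text):
    """Map IP -> (interface, colon-form MAC) from `show arp` output."""
    table = {}
    for line in arp_text.splitlines():
        m = ARP_RE.match(line)
        if m:
            table[m.group("ip")] = (m.group("iface"), cisco_mac_to_colon(m.group("mac")))
    return table


def triage(log_text, arp_text, port=25):
    """Join the two views: noisiest SMTP sources first, each with its MAC and
    OUI when the firewall's ARP cache knows the host. The OUI (first three
    bytes) is what you look up in the IEEE registry to guess the vendor."""
    counts = count_smtp_sources(log_text, port)
    arp = parse_show_arp(arp_text)
    rows = []
    for ip, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        entry = arp.get(ip)
        mac = entry[1] if entry else None
        oui = mac[:8] if mac else None
        rows.append((ip, n, mac, oui))
    return rows


if __name__ == "__main__":
    for ip, n, mac, oui in triage(SAMPLE_FIREWALL_LOG, SAMPLE_SHOW_ARP):
        print(f"{ip:15} {n:4} hits  mac={mac or 'unknown':17}  oui={oui or '-'}")
```

Feed it a real syslog export and the real show arp output and the top row is the host to go chasing; a host with hits but no ARP entry (like the second constructed row) has already aged out of the firewall's cache, so you would re-run show arp while the log shows it active.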
ASKER CERTIFIED SOLUTION
Chris Dent (United Kingdom)
