Identifying unknown computers on network

Asked by badlandselectronics (Medium Priority, 215 Views, Last Modified: 2012-05-06)
I am an IT person at a hospital and recently have found some interesting security logs in our server, which is 2003. It seems that someone has been attempting to hack into our network; I have their IPs and everything, and so far they are just using bogus account names. But since I found this I decided I better look around and see if anything else has happened, and there seem to be a few unknown computers in a workgroup, not our domain, but in the workgroup. I have the computer names and they are very generic names; I can also get their IPs. Basically I need to know how to get further details on them, such as possible clues to where they are and how they are connected to us, and how to remove them. As far as I know we do not have any open wireless connections, there is also a VPN connection but that has been disabled for the time being, and the firewall is set up to block pretty much all incoming connections.

Commented:
First of all, you have to determine if those foreign machines use IP addresses from your own range or external addresses. The latter indicates that the machines are outside of your network and you probably have a leak in your firewall settings.
Second, you can try and traceroute (Windows command tracert) the IP addresses to see where they are located in the logical network.
If you have manageable switches, you can probably query those for the devices connected to them and determine the network port in this way. Otherwise, it might be hard to exactly determine where those machines are located.

So far, your description of your system is fairly generic. Giving us more information about your network topology and the devices in use, we could probably elaborate more ways of helping you.

Author commented:
I'm not quite sure what the setup here is; I am still rather green and the previous employee left on bad terms so there was no training. As far as equipment, we have mainly just a couple of switches and a router. The IPs of the machines are local, but I have gone through and documented all machines and they all have standard names to state where they are located, but the computers in question look to have factory names still, i.e. hp-487de4, then there is one called homefree which is the one that bothers me. I have done the trace route and that just displays their IP and nothing more.
Commented:
Ok then, if traceroute shows only one hop (try tracert on google.com or something to see how it looks with multiple hops), then the computer is connected to the same network segment as yours, with no routers in between. If it doesn't show any hop at all, it will also not be reachable with ping, and it either is not connected to the network currently (possibly powered off), or it blocks ICMP messages with its firewall.
As said, if your switches are manageable, they have an admin interface which is usually accessible via telnet and/or http. The switches then have an IP address of their own, which you must find out to connect to them. In these interfaces, it is probably possible to see which client IP is connected to which port of the switch, which should help you locate the remote computer.

Additionally, you can try portscanning the unknown computers with nmap (a Windows frontend is available here: http://nmap.org/zenmap). As the command, enter 'nmap -O ip_address' and press scan. Nmap then scans the IP address and tries to guess which machine type and operating system the remote computer has, which possibly gives you additional hints about what you are dealing with.

NB: The host names like hp-487de4 could be HP printers connected to the network.

Rich Rumble (Security Samurai, Certified Expert, Top Expert 2006) commented:
You need to locate them physically and find out who put them there. Your switches can tell you what MAC address is on which port. What kind of switches do you have, Cisco? If your switches are not manageable, then you need manageable switches if you ever hope to be secure. Once you have the MAC to switch port you can trace that port down to a room and find the PC.
-rich
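The following script is an added example, not code from any poster in this thread. It ties together the two pieces of advice above: first sort each observed IP into "inside our range" versus "external" (the first comment's firewall-leak check), then, for the local ones, follow the chain IP -> MAC -> switch port that Rich describes. The input text is constructed sample output in the shape of Windows `arp -a` (hyphenated MACs) and Cisco IOS `show mac address-table` (dotted hex groups); the hosts, addresses, MACs, port names and the "known hosts" inventory are all made up for the example. In practice you would paste the real output from the server and from each managed switch, and any MAC not found on a given switch simply has to be looked up on the next one.

```python
import ipaddress
import re

# Constructed sample in the shape of Windows `arp -a` output (not real hosts).
ARP_OUTPUT = """\
Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.57          00-1b-78-48-7d-e4     dynamic
  192.168.1.88          00-1e-8c-aa-bb-cc     dynamic
"""

# Constructed sample in the shape of Cisco IOS `show mac address-table` output.
MAC_TABLE_OUTPUT = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0011.2233.4455    DYNAMIC     Gi0/1
   1    001b.7848.7de4    DYNAMIC     Fa0/12
   1    0050.56aa.0001    DYNAMIC     Fa0/3
"""

# Assumed local range and assumed inventory of already-documented machines.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")
KNOWN_HOSTS = {"192.168.1.1", "192.168.1.10"}

# Addresses pulled from the security log / workgroup listing (constructed).
OBSERVED_IPS = ["192.168.1.10", "192.168.1.57", "192.168.1.88", "203.0.113.9"]

_NON_HEX = re.compile(r"[^0-9a-f]")
_ARP_LINE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F-]{17})\s+\w+")
_MAC_LINE = re.compile(
    r"^\s*\d+\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+\S+\s+(\S+)"
)


def normalize_mac(mac):
    """Reduce 00-1b-78-48-7d-e4, 001b.7848.7de4 or 00:1b:... to 001b78487de4."""
    return _NON_HEX.sub("", mac.lower())


def parse_arp(text):
    """Map IP -> normalized MAC from `arp -a` style output; headers are skipped."""
    table = {}
    for line in text.splitlines():
        m = _ARP_LINE.match(line)
        if m:
            table[m.group(1)] = normalize_mac(m.group(2))
    return table


def parse_mac_table(text):
    """Map normalized MAC -> switch port from `show mac address-table` output."""
    table = {}
    for line in text.splitlines():
        m = _MAC_LINE.match(line)
        if m:
            table[normalize_mac(m.group(1))] = m.group(2)
    return table


def locate_unknown_hosts(observed_ips, arp_text, mac_text, local_net, known_hosts):
    """For each undocumented IP: external (firewall question) or local, and if
    local, which MAC and which switch port it was learned on (None if absent)."""
    arp = parse_arp(arp_text)
    ports = parse_mac_table(mac_text)
    findings = []
    for ip in sorted(set(observed_ips), key=ipaddress.ip_address):
        if ip in known_hosts:
            continue  # already in the admin's inventory
        if ipaddress.ip_address(ip) not in local_net:
            findings.append({"ip": ip, "scope": "external", "mac": None, "port": None})
            continue
        mac = arp.get(ip)  # None if the server never talked to it
        findings.append({
            "ip": ip,
            "scope": "local",
            "mac": mac,
            "port": ports.get(mac) if mac else None,
        })
    return findings


if __name__ == "__main__":
    for f in locate_unknown_hosts(OBSERVED_IPS, ARP_OUTPUT, MAC_TABLE_OUTPUT,
                                  LOCAL_NET, KNOWN_HOSTS):
        print(f)
```

A port of `None` for a local address means the MAC was not learned on this particular switch, so the same table from the other switch (or the router's ARP cache, if the host sits behind it) is the next place to look; an "external" entry is the case the first comment flags as a firewall problem rather than a cabling problem.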