Identifying unknown computers on network

Posted on 2009-02-19
Last Modified: 2012-05-06
I am an IT person at a hospital and recently have found some interesting security logs in our server, which is 2003. It seems that someone has been attempting to hack into our network; I have their IPs and everything, and so far they are just using bogus account names. But since I found this I decided I had better look around and see if anything else has happened, and there seem to be a few unknown computers in a workgroup, not our domain, but in the workgroup. I have the computer names and they are very generic names; I can also get their IPs. Basically I need to know how to get further details on them, such as possible clues to where they are and how they are connected to us, and how to remove them. As far as I know we do not have any open wireless connections; there is also a VPN connection but that has been disabled for the time being, and the firewall is set up to block pretty much all incoming connections.
Question by:badlandselectronics
    LVL 8

    Expert Comment

    First of all, you have to determine whether those foreign machines use IP addresses from your own range or external addresses. The latter indicates that the machines are outside of your network and you probably have a leak in your firewall settings.
    Second, you can try to traceroute (Windows command tracert) the IP addresses to see where they are located in the logical network.
    If you have manageable switches, you can probably query those for the devices connected to them and determine the network port in this way. Otherwise, it might be hard to exactly determine where those machines are located.

    So far, your description of your system is fairly generic. If you give us more information about your network topology and the devices in use, we could probably elaborate more ways of helping you.

    Author Comment

    I'm not quite sure what the setup here is. I am still rather green, and the previous employee left on bad terms so there was no training. As far as equipment, we have mainly just a couple of switches and a router. The IPs of the machines are local, but I have gone through and documented all machines and they all have standard names to state where they are located, but the computers in question look to have factory names yet, i.e. hp-487de4; then there is one called homefree, which is the one that bothers me. I have done the traceroute and that just displays their IP and nothing more.
    LVL 8

    Accepted Solution

    OK then, if traceroute shows only one hop (try tracert on or something to see how it looks with multiple hops), then the computer is connected to the same network segment as yours, with no routers in between. If it doesn't show any hop at all, it will also not be reachable with ping, and it either is not connected to the network currently (possibly powered off), or it blocks ICMP messages with its firewall.
    As said, if your switches are manageable, they have an admin interface which is usually accessible via telnet and/or HTTP. The switches then have an IP address of their own, which you must find out to connect to them. In this interface, it is probably possible to see which client IP is connected to which port of the switch, which should help you locate the remote computer.

    Additionally, you can try portscanning the unknown computers with nmap (windows frontend is available here: As command, enter 'nmap -O ip_address' and press scan. Nmap then scans the ip address and tries to guess which machine type and operating system the remote computer has, which possibly gives you additional hints about what you are dealing with.

    NB: The host names like hp-487de4 could be hp printers connected to the network.
    LVL 38

    Expert Comment

    by:Rich Rumble
    You need to locate them physically and find out who put them there. Your switches can tell you what MAC address is on which port. What kind of switches do you have, Cisco? If your switches are not manageable, then you need manageable switches if you ever hope to be secure. Once you have the MAC to switch port you can trace that port down to a room and find the PC.
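
The MAC-to-port lookup described in the answers above, as an added example that is not from any of the posters: it joins a PC's ARP cache (IP to MAC) with a switch's MAC address table (MAC to port) and lists every host that is missing from the documented inventory. The sample outputs, the Cisco IOS-style table layout, the inventory and all function names are constructed assumptions.

```python
import re

# Constructed sample: Windows `arp -a` output from a PC on the same segment.
ARP_OUTPUT = """\
Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-01     dynamic
  192.168.1.21          00-1a-2b-3c-4d-21     dynamic
  192.168.1.57          00-1a-2b-3c-4d-57     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# Constructed sample: MAC address table in an assumed Cisco IOS-style layout.
SWITCH_OUTPUT = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    001a.2b3c.4d21    DYNAMIC     Fa0/3
   1    001a.2b3c.4d57    DYNAMIC     Fa0/12
"""

# Hypothetical inventory of documented machines, keyed by MAC in any notation.
KNOWN = {"00-1A-2B-3C-4D-01": "router", "00:1a:2b:3c:4d:21": "NURSE-STN-2"}

def norm_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return digits

def parse_arp(text):
    """Return {ip: mac} from `arp -a`; group (broadcast/multicast) MACs are dropped."""
    pat = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s", re.I | re.M)
    table = {ip: norm_mac(mac) for ip, mac in pat.findall(text)}
    return {ip: m for ip, m in table.items() if not int(m[:2], 16) & 1}

def parse_switch(text):
    """Return {mac: port} from the switch MAC address table."""
    pat = re.compile(r"^\s*\d+\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+\S+\s+(\S+)\s*$", re.I | re.M)
    return {norm_mac(mac): port for mac, port in pat.findall(text)}

def locate_unknown(arp_text, switch_text, known):
    """List (ip, mac, port) for every host whose MAC is not in the inventory."""
    known_macs = {norm_mac(m) for m in known}
    ports = parse_switch(switch_text)
    return sorted((ip, mac, ports.get(mac, "not in switch table"))
                  for ip, mac in parse_arp(arp_text).items() if mac not in known_macs)

print(locate_unknown(ARP_OUTPUT, SWITCH_OUTPUT, KNOWN))
```

The ARP cache only holds hosts the PC has talked to recently, so ping the unknown IP first. A port that lists many MAC addresses is usually an uplink to another switch, in which case the lookup has to be repeated on that switch.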
