
Identifying unknown computers on network

I am an IT person at a hospital and recently have found some interesting security logs in our server, which is 2003. It seems that someone has been attempting to hack into our network; I have their IPs and everything, and so far they are just using bogus account names. But since I found this I decided I better look around and see if anything else has happened, and there seem to be a few unknown computers in a workgroup, not our domain, but in the workgroup. I have the computer names and they are very generic names; I can also get their IPs. Basically I need to know how to get further details on them, such as possible clues to where they are and how they are connected to us, and how to remove them. As far as I know we do not have any open wireless connections; there is also a VPN connection but that has been disabled for the time being, and the firewall is set up to block pretty much all incoming connections.

Asked by: badlandselectronics

McNetic commented:
First of all, you have to determine if those foreign machines use IP addresses from your own range or external addresses. The latter indicates that the machines are outside of your network and you probably have a leak in your firewall settings.
Second, you can try and traceroute (Windows command tracert) the IP addresses to see where they are located in the logical network.
If you have manageable switches, you can probably query those for the devices connected to them and determine the network port in this way. Otherwise, it might be hard to exactly determine where those machines are located.

So far, your description of your system is fairly generic. If you give us more information about your network topology and the devices in use, we could probably elaborate on more ways of helping you.

badlandselectronics (Author) commented:
I'm not quite sure what the setup here is; I am still rather green and the previous employee left on bad terms, so there was no training. As far as equipment, we have mainly just a couple of switches and a router. The IPs of the machines are local, but I have gone through and documented all machines and they all have standard names to state where they are located, but the computers in question look to have factory names yet, i.e. hp-487de4, then there is one called homefree, which is the one that bothers me. I have done the traceroute and that just displays their IP and nothing more.

McNetic commented:
OK then, if traceroute shows only one hop (try tracert on google.com or something to see how it looks with multiple hops), then the computer is connected to the same network segment as yours, with no routers in between. If it doesn't show any hop at all, it will also not be reachable with ping, and it either is not connected to the network currently (possibly powered off), or it blocks ICMP messages with its firewall.
As said, if your switches are manageable, they have an admin interface which is usually accessible via telnet and/or HTTP. The switches then have an IP address of their own, which you must find out to connect to them. In this interface, it is probably possible to see which client IP is connected to which port of the switch, which should help you locate the remote computer.

Additionally, you can try port scanning the unknown computers with nmap (a Windows frontend is available here: http://nmap.org/zenmap). As the command, enter 'nmap -O ip_address' and press scan. Nmap then scans the IP address and tries to guess which machine type and operating system the remote computer has, which possibly gives you additional hints about what you are dealing with.

NB: The host names like hp-487de4 could be HP printers connected to the network.

Rich Rumble (Security Samurai) commented:
You need to locate them physically and find out who put them there. Your switches can tell you what MAC address is on which port. What kind of switches do you have, Cisco? If your switches are not manageable, then you need manageable switches if you ever hope to be secure. Once you have the MAC to switch port you can trace that port down to a room and find the PC.
-rich
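
The IP to MAC to switch-port tracing described in the answers above, as an added example that is not part of the original thread. It assumes you have pasted in the text of Windows `arp -a` and of a Cisco-style MAC address table; every address, port name and the inventory set below is constructed sample data.

```python
import re
from collections import Counter

# Constructed sample data; MACs are from the documentation range 00-00-5E-00-53-xx.
ARP_OUTPUT = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.20          00-00-5e-00-53-20     dynamic
  192.168.1.57          00-00-5e-00-53-57     dynamic
  192.168.1.88          00-00-5e-00-53-88     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0000.5e00.5320    DYNAMIC     Fa0/3
   1    0000.5e00.5357    DYNAMIC     Fa0/7
   1    0000.5e00.5388    DYNAMIC     Gi0/2
   1    0000.5e00.5399    DYNAMIC     Gi0/2
"""
INVENTORY = {"00005e005320"}  # MACs of the machines you have already documented
ARP_ROW = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s", re.I | re.M)
TABLE_ROW = re.compile(r"^\s*\d+\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+\S+\s+(\S+)", re.I | re.M)

def norm(mac):  # any MAC notation (aa-bb-.., aabb.ccdd.., aa:bb:..) -> 12 lowercase hex digits
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_arp(text):
    """MAC -> IP from Windows 'arp -a' output; group-bit MACs (broadcast/multicast) are skipped."""
    return {norm(mac): ip for ip, mac in ARP_ROW.findall(text) if int(mac[:2], 16) & 1 == 0}

def parse_mac_table(text):
    """MAC -> switch port from a Cisco-style MAC address table."""
    return {norm(mac): port for mac, port in TABLE_ROW.findall(text)}

def locate_unknown(arp_text, table_text, inventory):
    """List (ip, mac, port, note) for every ARP-visible host whose MAC is not in the inventory."""
    arp, ports = parse_arp(arp_text), parse_mac_table(table_text)
    macs_per_port = Counter(ports.values())
    rows = []
    for mac, ip in arp.items():
        if mac not in inventory:
            port = ports.get(mac)
            note = ("not in this switch's table" if port is None
                    else "several MACs on port: likely uplink, check next switch" if macs_per_port[port] > 1
                    else "single MAC on port: edge port, trace the cable")
            rows.append((ip, mac, port, note))
    return rows

print(*locate_unknown(ARP_OUTPUT, MAC_TABLE, INVENTORY), sep="\n")
```

With more than one switch, a port that carries several MAC addresses is normally the link to the next switch, so repeat the lookup there until the address sits alone on a port.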