Solved

Rogue machine on network

Posted on 2011-02-15
5
476 Views
Last Modified: 2012-05-11
I'm chasing down a virus outbreak on my network.  I've got 1 machine out there that I know is infected, but no one knows what it is or where it is.  I know it is in our corporate offices, its name and its IP address, but that is it.  I've completed a physical inventory, but our offices are large and it would be very easy to miss a machine that wasn't where it was supposed to be.  For instance, it could be stuck in the back of an electrical closet, under a desk or something like that.  It doesn't appear to be part of my domain, so I can't remotely shut it down.  Does anyone have any ideas how to find it or to shut it down?  Any help would be GREATLY appreciated.  THX
0
Comment
Question by:SPIRAXADMIN
5 Comments
 
LVL 10

Accepted Solution

by:
ChopperCentury earned 500 total points
ID: 34897390
Log into your switch.
Ping the IP address.
Do a show arp (or whatever the effective command is).
Find the MAC address that is associated with the IP address from the ARP table.
Then show the MAC address table in the switch and find the MAC address... this should give you a port number on the switch where the device is sitting.
If the device is local on that switch, just shut the port down and trace it from your patch panel. If the MAC list shows the IP address sitting on a trunk port that connects to another switch... then log into that switch and repeat the process until you find the local port.
0
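The trace the accepted answer walks through, as an added example that is not from the original post: a Python script that parses constructed Cisco IOS-style `show ip arp` and `show mac address-table` output, maps the IP to its MAC, then follows the MAC across trunk ports until it reaches the access port to shut down. The `TRUNKS` map (which port leads to which neighbouring switch) is an assumed topology, and the script also handles the case where the MAC-table entry has aged out, which is why the answer says to ping first.

```python
import re

# Constructed sample "show ip arp" / "show mac address-table" output in IOS style (not
# from the post). "core" learns the MAC on a trunk to "floor2", which has the access port.
ARP_OUTPUT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.20.15              3   0011.2233.4455  ARPA   Vlan20
Internet  10.1.20.1               -   0000.0c9f.f014  ARPA   Vlan20
"""
MAC_TABLES = {
    "core": """\
Vlan    Mac Address       Type        Ports
  20    0011.2233.4455    DYNAMIC     Gi1/0/48
  20    00aa.bbcc.dd01    DYNAMIC     Gi1/0/3
""",
    "floor2": """\
Vlan    Mac Address       Type        Ports
  20    0011.2233.4455    DYNAMIC     Fa0/17
""",
}
# Assumed topology: trunk ports and the neighbouring switch each one leads to.
TRUNKS = {("core", "Gi1/0/48"): "floor2"}

MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+" + MAC, re.M | re.I)
MAC_RE = re.compile(r"^\s*\d+\s+" + MAC + r"\s+\S+\s+(\S+)", re.M | re.I)

def ip_to_mac(arp_output, ip):
    """Steps 1-3: pull the MAC for the IP out of the ARP table (None if it never answered)."""
    for addr, mac in ARP_RE.findall(arp_output):
        if addr == ip:
            return mac.lower()
    return None

def mac_to_port(mac_output, mac):
    """One 'show mac address-table' lookup: the port the MAC was learned on, or None."""
    for entry, port in MAC_RE.findall(mac_output):
        if entry.lower() == mac.lower():
            return port
    return None

def trace_port(mac, start="core", max_hops=16):
    """Steps 4-5: follow the MAC across trunks; the last (switch, port) is the edge port to shut."""
    path, switch = [], start
    for _ in range(max_hops):
        port = mac_to_port(MAC_TABLES[switch], mac)
        if port is None:
            raise LookupError(f"{mac} not learned on {switch}: entry aged out, ping it again")
        path.append((switch, port))
        nxt = TRUNKS.get((switch, port))
        if nxt is None:
            return path
        switch = nxt
    raise RuntimeError("trunk chain too long; check TRUNKS for a loop")
```

On a real estate you would paste each switch's actual command output into the dictionaries, or pull it over SSH, and the edge port reported is the one to `shutdown` before walking the patch panel.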
 
LVL 23

Expert Comment

by:edbedb
ID: 34897393
If you have the MAC address you might be able to screen it from the network with the router or something. Somebody is bound to complain about losing their connection.
0
 
LVL 5

Expert Comment

by:Chris-Vielife
ID: 34897460

Two ways that spring to mind, if you have local admin rights to all your machines on the network.

Do a remote shutdown

1: Windows XP, detailed below.
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sysprop_to_perform_a_remote_reboot.mspx?mfr=true 

2: If your network is properly documented and you have managed switches, you could ask your network engineer to tell you which switch the IP is located at and on what port. From there it is the more interesting task of following patch leads and then the floor patch reference.
0
 
LVL 6

Expert Comment

by:mslunecka
ID: 34897472
If you've got the IP and Computer Name can you find the MAC address of the device?

If so you can create a reservation in DHCP and assign it an address that won't route anywhere on your network, like 127.0.0.1 or something like that.

If you've got managed switches that each work within a specific subnet that should narrow your search down, and then you can find what port on the switch the device is connected to and physically disconnect it.  If your cabling is well labeled that might also tell you the location where the device is connected.

If it's on the wireless you should be able to narrow it down to a specific AP that it's connected to.  Likewise you can probably ban a specific mac address on your AP's web interface.
0
 

Expert Comment

by:AJODOHERTY
ID: 34897701
The first thing to do is ascertain the MAC address(es) of the device; the easiest way to do this, assuming that your network uses DHCP, is to check the server hosting DHCP and obtain the MAC by cross-referencing the IP address with the leased addresses (this should show the MAC address). Next, if you have managed network switches, you should be able to log into these (maybe one switch at a time) and review the per-port traffic - eventually, you will find the port that is servicing this MAC - finally, trace the structured cabling to the culprit.

If you get stuck, let me know at which point and we'll try alternatives.

A
0