Solved

Rogue machine on network

Posted on 2011-02-15
5
475 Views
Last Modified: 2012-05-11
I'm chasing down a virus outbreak on my network. I've got 1 machine out there that I know is infected, but no one knows what it is or where it is. I know it is in our corporate offices, its name and its IP address, but that is it. I've completed a physical inventory, but our offices are large and it would be very easy to miss a machine that wasn't where it was supposed to be. For instance, it could be stuck in the back of an electrical closet, under a desk or something like that. It doesn't appear to be part of my domain, so I can't remotely shut it down. Does anyone have any ideas how to find it or to shut it down? Any help would be GREATLY appreciated. THX
0
Question by:SPIRAXADMIN
5 Comments
 
LVL 10

Accepted Solution

by:
ChopperCentury earned 500 total points
ID: 34897390
Log into your switch.
ping the IP address
Do a show arp (or whatever the effective command is)
Find the mac address that is associated with the IP Address from the ARP table
Then show the MAC address table in the switch and find the MAC address... this should give you a port number on the switch where the device is sitting.
If the device is local on that switch, just shut the port down and trace it from your patch panel. If the MAC list shows the IP address sitting on a trunk port that connects to another switch... then log into that switch and repeat the process until you find the local port.
0
 
LVL 23

Expert Comment

by:edbedb
ID: 34897393
If you have the MAC address you might be able to screen it from the network with the router or something. Somebody is bound to complain about losing their connection.
0
 
LVL 5

Expert Comment

by:Chris-Vielife
ID: 34897460

Two ways that spring to mind. If you have local admin rights to all your machines on the network.

Do a remote shutdown

1: Windows XP Detailed below.
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sysprop_to_perform_a_remote_reboot.mspx?mfr=true

2: If your network is properly documented and you have managed switches, you could ask your network engineer to tell you which switch the IP is located at and on what port. From there, the more interesting task is following patch leads and then the floor patch reference.
0
 
LVL 6

Expert Comment

by:mslunecka
ID: 34897472
If you've got the IP and Computer Name can you find the MAC address of the device?

If so you can create a reservation in DHCP and assign it an address that won't route anywhere on your network, like 127.0.0.1 or something like that.

If you've got managed switches that each work within a specific subnet that should narrow your search down, and then you can find what port on the switch the device is connected to and physically disconnect it.  If your cabling is well labeled that might also tell you the location where the device is connected.

If it's on the wireless you should be able to narrow it down to a specific AP that it's connected to. Likewise you can probably ban a specific MAC address on your AP's web interface.
0
 

Expert Comment

by:AJODOHERTY
ID: 34897701
The first thing to do is ascertain the MAC address(es) of the device; the easiest way to do this, assuming that your network uses DHCP, is to check the server hosting DHCP and obtain the MAC by cross-referencing the IP address with the leased addresses (this should show the MAC address). Next, if you have managed network switches, you should be able to log into these (maybe one switch at a time) and review the per-port traffic - eventually, you will find the port that is servicing this MAC - finally trace the structured cabling to the culprit.

If you get stuck, let me know at which point and we'll try alternatives.

A
0
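The accepted answer and AJODOHERTY's comment describe the same chase: get the MAC for the IP (from the ARP table or the DHCP lease list), look the MAC up in each switch's MAC address table, and hop across trunk ports until it lands on an access port. The script below is an added example, not code from the thread or from any vendor; it parses constructed Cisco IOS-style `show ip arp` and `show mac address-table` text and a constructed DHCP lease listing (all addresses, hostnames, switch names and the trunk map are placeholders), and automates the hop-by-hop lookup so the search ends at the one port to shut down and trace.

```python
"""Find the access port behind an IP from ARP/DHCP and per-switch MAC tables.
Added example; switch output formats are assumed IOS-style and all data is constructed."""
import re

# Constructed DHCP lease listing: IP - mask - MAC - hostname (placeholder values).
DHCP_LEASES = """\
10.1.5.23  - 255.255.255.0 - 00-1a-2b-3c-4d-5e - WS-UNKNOWN01
10.1.5.40  - 255.255.255.0 - 00-1a-2b-3c-4d-99 - WS-FINANCE07
"""

# Constructed 'show ip arp' output from the core switch.
ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.5.23              3   001a.2b3c.4d5e  ARPA   Vlan5
Internet  10.1.5.40             12   001a.2b3c.4d99  ARPA   Vlan5
"""

# Constructed 'show mac address-table' output per switch. On CORE the target
# MAC is learned on Gi1/0/48, a trunk to ACCESS-2 (assumed trunk map below);
# on ACCESS-2 it is learned on an ordinary access port.
MAC_TABLES = {
    "CORE": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   5    001a.2b3c.4d5e    DYNAMIC     Gi1/0/48
   5    001a.2b3c.4d99    DYNAMIC     Gi1/0/12
""",
    "ACCESS-2": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   5    001a.2b3c.4d5e    DYNAMIC     Gi1/0/7
""",
}
# (switch, trunk port) -> neighbouring switch; assumed from network documentation.
TRUNKS = {("CORE", "Gi1/0/48"): "ACCESS-2"}


def normalize_mac(mac: str) -> str:
    """Return a MAC as 12 lowercase hex digits whatever the separator style."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def mac_from_dhcp(leases: str, ip: str):
    """IP -> MAC by cross-referencing the DHCP lease list (AJODOHERTY's first step)."""
    for line in leases.splitlines():
        fields = [f.strip() for f in line.split(" - ")]
        if len(fields) >= 3 and fields[0] == ip:
            return normalize_mac(fields[2])
    return None


def mac_from_arp(arp_output: str, ip: str):
    """IP -> MAC from 'show ip arp' (the accepted answer's step, after pinging the IP)."""
    for line in arp_output.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[1] == ip:
            return normalize_mac(cols[3])
    return None


def port_for_mac(mac_table: str, mac: str):
    """Port on which a MAC is learned, from 'show mac address-table' output."""
    want = normalize_mac(mac)
    for line in mac_table.splitlines():
        cols = line.split()
        # Skip header/separator rows: the MAC column must be hex digits and dots.
        if len(cols) >= 4 and re.fullmatch(r"[0-9a-f.]+", cols[1].lower()):
            if normalize_mac(cols[1]) == want:
                return cols[3]
    return None


def locate(mac: str, start_switch: str, mac_tables=MAC_TABLES, trunks=TRUNKS):
    """Follow the MAC from switch to switch until it is seen on a non-trunk port.
    Returns (switch, port, path) or None if the MAC is not in any table."""
    switch, path, seen = start_switch, [], set()
    while switch not in seen:          # 'seen' guards against a looping trunk map
        seen.add(switch)
        port = port_for_mac(mac_tables.get(switch, ""), mac)
        if port is None:
            return None
        path.append((switch, port))
        neighbour = trunks.get((switch, port))
        if neighbour is None:          # access port: the device hangs off this one
            return switch, port, path
        switch = neighbour             # trunk: repeat the lookup on the next switch
    return None
```

In use, the target IP from the question goes into `mac_from_arp` (or `mac_from_dhcp` when the ARP entry has aged out), the resulting MAC into `locate` starting at the core switch, and the returned `path` is the list of switches and ports to walk; the last entry is the port to shut and trace to the patch panel.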
