Solved

Rogue machine on network

Posted on 2011-02-15
474 Views
Last Modified: 2012-05-11
I'm chasing down a virus outbreak on my network. I've got 1 machine out there that I know is infected, but no one knows what it is or where it is. I know it is in our corporate offices, its name and its IP address, but that is it. I've completed a physical inventory, but our offices are large and it would be very easy to miss a machine that wasn't where it was supposed to be. For instance, it could be stuck in the back of an electrical closet, under a desk or something like that. It doesn't appear to be part of my domain, so I can't remotely shut it down. Does anyone have any ideas how to find it or to shut it down? Any help would be GREATLY appreciated. THX
Question by:SPIRAXADMIN
5 Comments
 
LVL 10

Accepted Solution

by:
ChopperCentury earned 500 total points
ID: 34897390
Log into your switch.
ping the IP address
Do a show arp (or whatever the effective command is)
Find the mac address that is associated with the IP Address from the ARP table
Then show the Mac-address table in the switch and find the MAC Address...this should give you a port number on the switch where the device is sitting.
If the device is local on that switch, just shut the port down and trace it from your patch panel. If the mac list shows the ip address sitting on a trunk port that connects to another switch....then log into that switch and repeat the process until you find the local port.
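The switch-by-switch trace in the accepted answer (resolve the IP to a MAC in the ARP table, look the MAC up in the MAC address table, and if it sits on a trunk port repeat on the neighbouring switch), as an added example that is not part of this thread. The script parses constructed Cisco IOS-style `show ip arp` and `show mac address-table` output; switch names, ports and addresses are hypothetical, and the `trunks` map stands in for your own uplink documentation.

```python
import re

# Constructed sample CLI output in Cisco IOS style; switch names, ports and
# addresses are hypothetical. "trunks" maps an uplink port to the neighbour switch.
SWITCHES = {
    "core-sw": {
        "arp": """Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.20.77              3   0011.2233.4455  ARPA   Vlan20
Internet  10.1.20.1               -   aabb.ccdd.0001  ARPA   Vlan20""",
        "mac": """Vlan    Mac Address       Type        Ports
  20    0011.2233.4455    DYNAMIC     Gi1/0/48
  20    aabb.ccdd.0001    STATIC      CPU""",
        "trunks": {"Gi1/0/48": "floor2-sw"},
    },
    "floor2-sw": {
        "arp": "",  # no ARP entries here; the MAC was already resolved upstream
        "mac": """Vlan    Mac Address       Type        Ports
  20    0011.2233.4455    DYNAMIC     Fa0/17""",
        "trunks": {"Gi0/1": "core-sw"},
    },
}

MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+" + MAC, re.M)      # 'show ip arp'
MAC_RE = re.compile(r"^\s*\d+\s+" + MAC + r"\s+\S+\s+(\S+)", re.M)  # 'show mac address-table'

def mac_for_ip(arp_output, ip):
    """Return the MAC address the ARP table holds for ip, or None."""
    return dict(ARP_RE.findall(arp_output)).get(ip)

def port_for_mac(mac_output, mac):
    """Return the port on which this switch learned mac, or None."""
    return dict(MAC_RE.findall(mac_output)).get(mac)

def locate(switches, start, ip):
    """Resolve ip to a MAC on the start switch, then follow the MAC across
    trunk ports until it is seen on a port with no known neighbour (an edge port)."""
    mac = mac_for_ip(switches[start]["arp"], ip)
    if mac is None:
        return None
    sw, path, seen = start, [], set()
    while sw not in seen:            # guard against walking a loop forever
        seen.add(sw)
        port = port_for_mac(switches[sw]["mac"], mac)
        path.append((sw, port))
        if port is None or port not in switches[sw]["trunks"]:
            return {"mac": mac, "switch": sw, "port": port, "path": path}
        sw = switches[sw]["trunks"][port]
    return {"mac": mac, "switch": None, "port": None, "path": path}
```

`locate(SWITCHES, "core-sw", "10.1.20.77")` walks core-sw's trunk Gi1/0/48 to floor2-sw and stops at Fa0/17, the edge port to shut down and trace from the patch panel.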
 
LVL 23

Expert Comment

by:edbedb
ID: 34897393
If you have the MAC address you might be able to screen it from the network with the router or something. Somebody is bound to complain about losing their connection.
 
LVL 5

Expert Comment

by:Chris-Vielife
ID: 34897460

Two ways spring to mind, if you have local admin rights to all your machines on the network.

Do a remote shutdown

1: Windows XP, detailed below.
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sysprop_to_perform_a_remote_reboot.mspx?mfr=true

2: If your network is properly documented and you have managed switches, you could ask your network engineer to tell you which switch the IP is located at and on what port. From there it is the more interesting task of following patch leads and then the floor patch reference.
 
LVL 6

Expert Comment

by:mslunecka
ID: 34897472
If you've got the IP and Computer Name can you find the MAC address of the device?

If so you can create a reservation in DHCP and assign it an address that won't route anywhere on your network, like 127.0.0.1 or something like that.

If you've got managed switches that each work within a specific subnet that should narrow your search down, and then you can find what port on the switch the device is connected to and physically disconnect it.  If your cabling is well labeled that might also tell you the location where the device is connected.

If it's on the wireless you should be able to narrow it down to a specific AP that it's connected to.  Likewise you can probably ban a specific mac address on your AP's web interface.
 

Expert Comment

by:AJODOHERTY
ID: 34897701
The first thing to do is ascertain the MAC address(es) of the device; the easiest way to do this, assuming that your network uses DHCP, is to check the server hosting DHCP and obtain the MAC by cross-referencing the IP address with the leased addresses (this should show the MAC address). Next, if you have managed network switches, you should be able to log into these (maybe one switch at a time) and review the per-port traffic - eventually, you will find the port that is servicing this MAC - finally, trace the structured cabling to the culprit.

If you get stuck, let me know at which point and we'll try alternatives.

A