Solved

Rogue machine on network

Posted on 2011-02-15
5
465 Views
Last Modified: 2012-05-11
I'm chasing down a virus outbreak on my network.  I've got 1 machine out there that I know is infected, but no one knows what it is or where it is.  I know it is in our corporate offices, its name and its IP address, but that is it.  I've completed a physical inventory, but our offices are large and it would be very easy to miss a machine that wasn't where it was supposed to be.  For instance, it could be stuck in the back of an electrical closet, under a desk or something like that.  It doesn't appear to be part of my domain, so I can't remotely shut it down.  Does anyone have any ideas how to find it or to shut it down?  Any help would be GREATLY appreciated.  THX
0
Question by:SPIRAXADMIN
5 Comments
 
LVL 10

Accepted Solution

by:
ChopperCentury earned 500 total points
ID: 34897390
Log into your switch.
Ping the IP address.
Do a show arp (or whatever the effective command is).
Find the MAC address that is associated with the IP address from the ARP table.
Then show the MAC address table in the switch and find the MAC address...this should give you a port number on the switch where the device is sitting.
If the device is local on that switch, just shut the port down and trace it from your patch panel. If the MAC list shows the IP address sitting on a trunk port that connects to another switch....then log into that switch and repeat the process until you find the local port.
0
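The IP-to-MAC-to-port lookup described in the accepted answer, as an added worked example that is not part of the original thread. It parses constructed Cisco IOS-style `show ip arp` and `show mac address-table` output (not captured from any real switch); the IPs, MACs, port names and the trunk-port set are all made up for illustration, and the trunk check tells you whether to shut the edge port or repeat on the next switch.

```python
import re

# Constructed sample output in Cisco IOS style (not from a real switch).
ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.20.1               -   0011.2233.4455  ARPA   Vlan20
Internet  10.1.20.57              3   001b.7788.99aa  ARPA   Vlan20
Internet  10.1.20.80             12   0050.5600.0a0b  ARPA   Vlan20
"""
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    001b.7788.99aa    DYNAMIC     Gi1/0/17
  20    0050.5600.0a0b    DYNAMIC     Gi1/0/48
"""
# Uplinks to other switches (constructed; on a real box take them from 'show interfaces trunk').
TRUNK_PORTS = {"Gi1/0/48"}

MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+" + MAC, re.M)
MAC_RE = re.compile(r"^\s*(\d+)\s+" + MAC + r"\s+\S+\s+(\S+)", re.M)

def ip_to_mac(arp_output, ip):
    """Return the MAC the ARP table holds for ip, or None if the host is absent."""
    for addr, mac in ARP_RE.findall(arp_output):
        if addr == ip:
            return mac
    return None

def mac_to_port(mac_output, mac):
    """Return (vlan, port) where the switch learned mac, or None if not in the table."""
    for vlan, m, port in MAC_RE.findall(mac_output):
        if m == mac:
            return int(vlan), port
    return None

def locate(ip, arp_output, mac_output, trunk_ports):
    """Chain the two lookups and say what to do next on this switch."""
    mac = ip_to_mac(arp_output, ip)
    if mac is None:
        return {"ip": ip, "status": "no ARP entry: host is silent or on another VLAN"}
    hit = mac_to_port(mac_output, mac)
    if hit is None:
        return {"ip": ip, "mac": mac, "status": "MAC not learned here: try the other switches"}
    vlan, port = hit
    if port in trunk_ports:
        status = "trunk port: log into the downstream switch and repeat"
    else:
        status = "edge port: shut it down and trace it from the patch panel"
    return {"ip": ip, "mac": mac, "vlan": vlan, "port": port, "status": status}
```

Run `locate("10.1.20.57", ARP_TABLE, MAC_TABLE, TRUNK_PORTS)` to see an edge-port hit; the third sample host lands on the trunk and sends you to the next switch.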
 
LVL 23

Expert Comment

by:edbedb
ID: 34897393
If you have the MAC address you might be able to screen it from the network with the router or something. Somebody is bound to complain about losing their connection.
0
 
LVL 5

Expert Comment

by:Chris-Vielife
ID: 34897460
Two ways spring to mind, if you have local admin rights to all your machines on the network.

Do a remote shutdown

1: Windows XP Detailed below.
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sysprop_to_perform_a_remote_reboot.mspx?mfr=true

2: If your network is properly documented and you have managed switches you could ask your network engineer to tell you which switch the IP is located at and on what port. From there, there is the more interesting task of following patch leads and then the floor patch reference.
0
 
LVL 6

Expert Comment

by:mslunecka
ID: 34897472
If you've got the IP and Computer Name can you find the MAC address of the device?

If so you can create a reservation in DHCP and assign it an address that won't route anywhere on your network, like 127.0.0.1 or something like that.

If you've got managed switches that each work within a specific subnet that should narrow your search down, and then you can find what port on the switch the device is connected to and physically disconnect it.  If your cabling is well labeled that might also tell you the location where the device is connected.

If it's on the wireless you should be able to narrow it down to a specific AP that it's connected to.  Likewise you can probably ban a specific mac address on your AP's web interface.
0
 

Expert Comment

by:AJODOHERTY
ID: 34897701
The first thing to do is ascertain the MAC address(es) of the device; the easiest way to do this, assuming that your network uses DHCP, is to check the server hosting DHCP and obtain the MAC by cross-referencing the IP address with the leased addresses (this should show the MAC address). Next, if you have managed network switches, you should be able to log into these (maybe one switch at a time) and review the per-port traffic - eventually, you will find the port that is servicing this MAC - finally trace the structured cabling to the culprit.

If you get stuck, let me know at which point and we'll try alternatives.

A
0
