SPIRAXADMIN
Rogue machine on network

I'm chasing down a virus outbreak on my network. I've got 1 machine out there that I know is infected, but no one knows what it is or where it is. I know it is in our corporate offices, its name and its IP address, but that is it. I've completed a physical inventory, but our offices are large and it would be very easy to miss a machine that wasn't where it was supposed to be. For instance, it could be stuck in the back of an electrical closet, under a desk or something like that. It doesn't appear to be part of my domain, so I can't remotely shut it down. Does anyone have any ideas how to find it or to shut it down? Any help would be GREATLY appreciated. THX
ASKER CERTIFIED SOLUTION
ChopperCentury
If you have the MAC address you might be able to screen it from the network with the router or something. Somebody is bound to complain about losing their connection.

Two ways that spring to mind, if you have local admin rights to all your machines on the network:

Do a remote shutdown

1: Windows XP, detailed below.
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sysprop_to_perform_a_remote_reboot.mspx?mfr=true

2: If your network is properly documented and you have managed switches, you could ask your network engineer to tell you which switch the IP is located at and on what port. From there, the more interesting task is following patch leads and then the floor patch reference.
mslunecka

If you've got the IP and Computer Name can you find the MAC address of the device?

If so you can create a reservation in DHCP and assign it an address that won't route anywhere on your network, like 127.0.0.1 or something like that.

If you've got managed switches that each work within a specific subnet that should narrow your search down, and then you can find what port on the switch the device is connected to and physically disconnect it.  If your cabling is well labeled that might also tell you the location where the device is connected.

If it's on the wireless you should be able to narrow it down to a specific AP that it's connected to. Likewise you can probably ban a specific MAC address on your AP's web interface.

The first thing to do is ascertain the MAC address(es) of the device; the easiest way to do this, assuming that your network uses DHCP, is to check the server hosting DHCP and obtain the MAC by cross-referencing the IP address with the leased addresses (this should show the MAC address). Next, if you have managed network switches, you should be able to log into these (maybe one switch at a time) and review the per-port traffic; eventually, you will find the port that is servicing this MAC. Finally, trace the structured cabling to the culprit.

If you get stuck, let me know at which point and we'll try alternatives.

A
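The procedure the answers describe (IP to MAC via the DHCP lease list, then MAC to switch port via the managed switches' MAC address tables) can be automated once the lease dump and the tables are saved to text. The following is an added example, not code from the thread or from any vendor; the lease format, the Cisco-like table layout, the switch names and all addresses are constructed sample data. It also flags the caveat that a MAC seen on a port shared with many other MACs points at an uplink to another switch rather than the edge port.

```python
import re
# Constructed sample data (not from the thread): DHCP leases and two switches' MAC tables.
DHCP_LEASES = """\
10.1.4.17  00-1a-2b-3c-4d-5e  WS-FINANCE-07
10.1.4.23  00-1a-2b-3c-4d-99  ROGUE-PC
10.1.5.8   00-1a-2b-aa-bb-cc  PRINTER-2F
"""
SWITCH_TABLES = {
    "sw-floor2": """\
Vlan  Mac Address     Type     Ports
  10  001a.2b3c.4d5e  DYNAMIC  Gi1/0/7
  10  001a.2b3c.4d99  DYNAMIC  Gi1/0/48
  10  001a.2baa.bbcc  DYNAMIC  Gi1/0/48
""",
    "sw-floor3": """\
Vlan  Mac Address     Type     Ports
  10  001a.2b3c.4d99  DYNAMIC  Gi1/0/12
  10  001a.2baa.bbcc  DYNAMIC  Gi1/0/3
""",
}
# One data row of a MAC table: vlan, mac, type, port (header lines do not match).
ROW = re.compile(r"^\s*\d+\s+([0-9a-fA-F.:-]+)\s+\S+\s+(\S+)\s*$")

def normalize_mac(mac):
    """Reduce any notation (xx-xx, xx:xx, xxxx.xxxx) to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    assert len(digits) == 12, f"not a MAC address: {mac!r}"
    return digits

def mac_for_ip(leases, ip):
    """Cross-reference the DHCP leases: IP -> (MAC, hostname), or None if unleased."""
    for fields in (line.split() for line in leases.splitlines()):
        if len(fields) >= 3 and fields[0] == ip:
            return normalize_mac(fields[1]), fields[2]
    return None

def find_ports(tables, mac):
    """Return (switch, port, other MACs on that port) for every table listing the MAC."""
    # A port that also carries many other MACs is an uplink to another switch, not
    # the edge port; the MAC sits (nearly) alone on its real port, so sort by that.
    target, hits = normalize_mac(mac), []
    for switch, text in tables.items():
        per_port = {}
        for m in filter(None, map(ROW.match, text.splitlines())):
            per_port.setdefault(m.group(2), set()).add(normalize_mac(m.group(1)))
        hits += [(switch, p, len(s) - 1) for p, s in per_port.items() if target in s]
    return sorted(hits, key=lambda h: h[2])

def locate(ip, leases=DHCP_LEASES, tables=SWITCH_TABLES):
    lease = mac_for_ip(leases, ip)  # the thread's procedure: IP -> MAC -> switch port
    return lease and {"ip": ip, "mac": lease[0], "hostname": lease[1],
                      "ports": find_ports(tables, lease[0])}
```

With the sample data, `locate("10.1.4.23")` lists sw-floor3 Gi1/0/12 first (the MAC is alone there) and sw-floor2 Gi1/0/48 second, since that port also carries the printer's MAC and is therefore the uplink between the two switches.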