Solved

Network/Security locate rogue device

Posted on 2011-09-15
Last Modified: 2012-05-12
We are trying to find a device on our network. Symantec endpoint management is telling us that a device doesn't have antivirus. All it gives us is the IP and the MAC address.
I cannot ping, telnet, RDP/VNC or connect to the device via the web browser.
Knowing the MAC address, I connected to the switch of the segment it was on and ran the command #show Mac-address-table. The output displayed the MACs of all devices connected to the switch; however, this device's MAC address didn't seem to appear.
I'm at a loss as to what to try next.
The device MAC address shows that it is a Phoebe Micro Inc. device.

Any help would be greatly appreciated.
Question by:edalzell
7 Comments
 
LVL 5

Expert Comment

by:mbkitmgr
ID: 36546607
1. I would first set a reservation for it in DHCP, if it is acquiring an address; that way you will always know which IP you are hunting.

2. Plug in a laptop to the switch on which the rogue device is connected, open a command prompt and use "ping ipaddress -t" to the rogue's address.

3. Progressively disconnect / reconnect connections at the switch until you find the port to which the rogue is connected.

4. Use your LAN cabling map to ID where the cable that port serves goes to.

5. Grab your softball bat and go pay em a visit :)
0
 

Author Comment

by:edalzell
ID: 36546775
Thanks, I'll give it a try and report back! :-)
0
 

Author Comment

by:edalzell
ID: 36546810
Quick question... when our Symantec endpoint management tells us about the device, we are unable to PING it. Not sure if the device has ICMP turned off? Must have... so, I think PING is out of the question. (Looks like it might be a wireless access point...)

I've done a NMAP scan... results attached.

SEPM report...
Computer Detected without Symantec Client Software
IP Address MAC
192.168.50.50 00-21-2f-2f-ab-6d

Any thoughts? :-)
Clipboard01.jpg
0

 

Author Comment

by:edalzell
ID: 36546813
Note - not sure what the remark about 'system route' means. Is that just referring to the fact that there's no connectivity? Thx!
0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 36546983
Phoebe products appear to be used in AirLink products like wireless cameras, wireless routers, wireless access points, etc.

If it's a wireless access point and your environment isn't TOO clogged with signals then you might use a reasonable monitoring program to find the signal, etc.
0
 
LVL 5

Accepted Solution

by:
mbkitmgr earned 500 total points
ID: 36547005
We need to determine what type of device.

Q1 - Is the machine getting an IP via DHCP? (Check in DHCP to see if the reservation is active.)
It is possible the device isn't currently connected, and has shown up some time earlier.  If it is getting an IP via DHCP, then the above will tell you if it's on now.

Q2 - Go to your server and do an arp -a to see if it exists in its arp table.  This may help determine if the device has active sessions with the server.  If it is in the arp table.

Q3 - If you can, check for any sessions in "Computer Management\Shared Folders\Sessions".  Look to see if that IP has an open file or a connection to a share.  With a bit of luck a username will be shown too.

Q4 - If you can't find it, at least make it hard for the device to connect to resources.  I'd block the IP at the Internet Firewall, and on the server firewall.  Without access to these it certainly limits the resources a rogue device can access.
0
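
The lookups suggested in this thread (arp -a on the server, the switch MAC address table) print the same address in different notations: Windows uses dashes, as in the SEPM report, while Cisco IOS uses dotted groups of four, so a literal text search for one form misses the other. The following is an added example, not part of any poster's reply, that matches a MAC regardless of notation and reports how many MACs share its switch port. It assumes Cisco-IOS-style table output with the port in the last column; apart from the reported IP and MAC, the sample output is constructed.

```python
import re

# Dash/colon notation (Windows arp -a, SEPM) or Cisco dotted notation.
MAC_TOKEN = re.compile(
    r"\b(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}\b"
    r"|\b(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}\b"
)

def normalize_mac(text):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[-:.]", "", text.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits

def lines_with_mac(target, output):
    """Lines of command output that contain target, whatever the notation."""
    want = normalize_mac(target)
    return [line.strip() for line in output.splitlines()
            if any(normalize_mac(t) == want for t in MAC_TOKEN.findall(line))]

def locate_port(target, mac_table):
    """Return (port, MAC count on that port), or None if the MAC is not learned.

    More than one MAC on the port suggests an uplink, hub or access point,
    so the search continues on the device at the far end of that port.
    """
    want = normalize_mac(target)
    per_port, found = {}, None
    for line in mac_table.splitlines():
        macs = MAC_TOKEN.findall(line)
        if not macs:
            continue                      # header or separator line
        port = line.split()[-1]           # assumption: port is the last column
        per_port.setdefault(port, set()).add(normalize_mac(macs[0]))
        if normalize_mac(macs[0]) == want:
            found = port
    return (found, len(per_port[found])) if found else None

# Constructed sample output; only 192.168.50.50 and its MAC come from the post.
ARP_A = """Interface: 192.168.50.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.50.1          00-00-5e-00-53-01     dynamic
  192.168.50.50         00-21-2f-2f-ab-6d     dynamic"""

MAC_TABLE = """Vlan    Mac Address       Type        Ports
  50    0000.5e00.5301    DYNAMIC     Gi0/1
  50    0021.2f2f.ab6d    DYNAMIC     Gi0/24
  50    0000.5e00.5302    DYNAMIC     Gi0/24"""
```

A result of None from locate_port means the switch has not learned the address on any port in the pasted table, which is consistent with a device that is currently offline or attached to a different switch.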
 

Author Closing Comment

by:edalzell
ID: 36709431
Great suggestions... although sad to report, the device seems to have disappeared. :-(

Thanks for the great input!
0
