William Brannon
asked on
Locating IP address origin.
Can someone help me determine how to find out where the IP address of 10.1.1.115 lives on my network? It appears to be a webpage. I'd like to turn it off with the ability to turn it back on, then see if anyone complains that they are missing something.
Message meets Alert condition
Virus/Worm detected: HTML/Framer.INF!tr Protocol: "HTTP" Email Address From: Email Address To:
VIRUS REFERENCE URL: http://www.fortinet.com/ve?vn=HTML%2FFramer.INF%21tr
date=2019-08-02 time=09:04:13 devname=FG-Corporate devid=FG100D3G14808552 logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="root" eventtime=1564751053 msg="File is infected." action="blocked" service="HTTP" sessionid=106413455 srcip=10.1.1.115 dstip=208.91.196.145 srcport=49975 dstport=80 srcintf="lan" srcintfrole="undefined" dstintf="wan1" dstintfrole="undefined" policyid=92 proto=6 direction="incoming" quarskip="File-was-not-quarantined." virus="HTML/Framer.INF!tr" dtype="Virus" ref="http://www.fortinet.com/ve?vn=HTML%2FFramer.INF%21tr" virusid=8054799 url="http://ww1.useyourinterface.com/" profile="default" agent="Mozilla/5.0" analyticscksum="0a449968f2e6c0c358cecf9365b94041399735926a25573e1e37fbdb4e741f05" analyticssubmit="false" crscore=50 crlevel="critical"
You could use the ARP tables to track which port it is plugged into (or if you have a good inventory that includes the MAC).
Robert hit the nail on the head. Especially if you have managed switches, this shouldn't be too bad. Also, is that IP static or dynamic?
You can get Advanced IP Scanner (free from Famatech). That will list IP addresses and computer names. So that may also help you.
ASKER
Googling what I can about the ARP command. It doesn't appear that it will give me device name, correct?
What type of switches do you have? ARP tables will let you know the port on a switch where a particular MAC address can be found (which you could shut down without having to physically locate the device). If the device/system got its IP via DHCP, then you will be able to see its MAC address. You may be able to get IP info also. Depends on what you have on your network....
Using a program like Angry IP Scanner will let you scan the entire subnet and it will try to look up the machine name. That may or may not help. Worth a shot.
Internal DNS would let you match up a machine name w/ an IP address.
Another thing you could do to get the MAC is check your DHCP tables for the IP assignment and look for the MAC that is associated.
Did you try the suggestions above, including the IP Scanner referenced?
ASKER
I think Robert should also get some points for this solution as he originally set the direction for the solution. All of the information was helpful. Thanks for your help.
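Added example, not part of the original thread: a Python sketch of the ARP approach suggested above, which pulls `srcip` out of a FortiGate key=value alert and looks up its MAC address in `arp -a` output. The log line is a shortened copy of the alert in the question; the ARP output and its MAC addresses are constructed, and the function names are hypothetical.

```python
import re
import shlex

# Constructed sample: a shortened copy of the alert fields posted in the question.
SAMPLE_LOG = (
    'date=2019-08-02 time=09:04:13 devname=FG-Corporate type="utm" subtype="virus" '
    'msg="File is infected." action="blocked" srcip=10.1.1.115 dstip=208.91.196.145 '
    'srcintf="lan" dstintf="wan1" virus="HTML/Framer.INF!tr" '
    'url="http://ww1.useyourinterface.com/"'
)

# Constructed sample of Windows `arp -a` output; the MAC addresses are made up.
SAMPLE_ARP = """\
Interface: 10.1.1.20 --- 0xb
  Internet Address      Physical Address      Type
  10.1.1.1              00-11-22-33-44-01     dynamic
  10.1.1.115            00-11-22-33-44-73     dynamic
  10.1.1.255            ff-ff-ff-ff-ff-ff     static
"""

# One ARP row: IPv4 address, MAC written with '-' or ':' separators, entry type.
ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)",
    re.M,
)

def parse_fortigate(line):
    """Split a key=value log line into a dict, keeping quoted values whole."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def arp_table(text):
    """Map IP -> MAC (lower case, colon separated) from `arp -a` style output."""
    return {ip: mac.lower().replace("-", ":") for ip, mac, _ in ARP_ROW.findall(text)}

def locate(log_line, arp_text):
    """Return the alert's source IP with its MAC (None if not in the ARP cache)."""
    fields = parse_fortigate(log_line)
    ip = fields["srcip"]
    return {"ip": ip, "mac": arp_table(arp_text).get(ip),
            "ingress": fields.get("srcintf"), "url": fields.get("url")}

if __name__ == "__main__":
    print(locate(SAMPLE_LOG, SAMPLE_ARP))
```

The ARP cache only holds hosts on the same subnet that the querying machine has contacted recently, so a `None` result means falling back to the DHCP lease table. The MAC is then the value to search for in a managed switch's MAC address table to find the port.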