[CLUE-Tech] Finding rogue IPs.
David Anselmi
anselmi at americanisp.net
Tue Nov 26 09:28:21 MST 2002
Jim Ockers wrote:
[...]
> A destructive (disruptive) test is one way to do this. Start by
> identifying which hub it's plugged into:
Thanks everyone for the good ideas. Jim's was what I went with when the
problem came back yesterday. Here's some more info.
The hubs (3com) have a console port on the back, but they require a
management module to be "managed". I'll have to plug in and see if the
port does anything without it. I've always wondered what you could do
with a managed hub, have to spend some time and see.
I did try Nessus first. I can't say I like it very much--doesn't seem
to say much about what it's doing. I should get nmap instead. When I
ran it I got ambiguous results (e.g. ssh and Win terminal server). But
I'm sure that leaving the original box running on the same IP didn't
help much (or does that matter since arp only maps to one MAC?)
The bad machine seems to be very good at stealing the IP. I would think
there would be some randomness to which box answers the arp request for
the IP first, but there doesn't seem to be.
I haven't tried disconnecting the drop or blocking the IP yet. I'd like
to find the culprit without announcing that I'm searching--it isn't any
of the admins so it may be someone doing something they shouldn't be.
I got lucky when searching for the port--2nd hub, 3rd port. The drop is
clearly numbered, but unfortunately it's not on our cable map. So it
may have been run after the rest of the offices were wired. Sigh. I
think I'll try sniffing for hints on who might be using the machine
before I start tracing wires. Got to remember to switch the good
machine to a different IP first.
Thanks again for the good ideas.
Dave
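Since both boxes sit on a shared hub, the IP-stealing behaviour described in this message can be watched for passively from any third host on the segment. The following is an added example, not code from the original thread or from the tools it mentions: it decodes raw Ethernet/ARP frames, records every IP-to-MAC binding each sender advertises (requests and replies both carry one), reports any IP claimed by more than one MAC, and lists replies in capture order so you can see which box answers first. The MAC and IP values are constructed for the demo; in real use you would feed it frames read from a pcap file or from a raw socket (on Linux, `socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0806))` as root).

```python
"""Passive ARP-conflict detector (added example, not from the original post).

Parses raw Ethernet II frames carrying IPv4-over-Ethernet ARP, records which
MAC addresses claim which IPv4 address, and reports any address claimed by
more than one MAC. SAMPLE_FRAMES at the bottom are constructed for the demo.
"""
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def mac_to_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_to_bytes(s):
    return bytes(int(x) for x in s.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def parse_arp_frame(frame):
    """Decode one Ethernet II frame carrying IPv4-over-Ethernet ARP.
    Returns a dict of fields, or None if the frame is anything else."""
    if len(frame) < 42:                      # 14-byte Ethernet + 28-byte ARP
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"eth_src": mac_str(src), "eth_dst": mac_str(dst), "op": op,
            "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


def build_arp_frame(op, sha, spa, tha, tpa):
    """Build a raw ARP request or reply frame. Used here only to construct
    sample traffic; the bytes are exactly what a capture would contain."""
    eth_dst = BROADCAST if op == ARP_REQUEST else mac_to_bytes(tha)
    eth = struct.pack("!6s6sH", eth_dst, mac_to_bytes(sha), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_to_bytes(sha), ip_to_bytes(spa),
                      mac_to_bytes(tha), ip_to_bytes(tpa))
    return eth + arp


def find_conflicts(frames):
    """Return {ip: [mac, ...]} for every IP claimed by more than one MAC.
    Every ARP packet, request or reply, carries the sender's own binding in
    sha/spa, so both opcodes count as a claim. Address probes with a sender
    IP of 0.0.0.0 (RFC 5227) are not claims and are skipped."""
    claims = defaultdict(set)
    for raw in frames:
        p = parse_arp_frame(raw)
        if p is None or p["spa"] == "0.0.0.0":
            continue
        claims[p["spa"]].add(p["sha"])
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def reply_order(frames):
    """For each IP that was answered for, list the replying MACs in capture
    order, so you can see which box keeps winning the race for the IP."""
    answers = defaultdict(list)
    for raw in frames:
        p = parse_arp_frame(raw)
        if p and p["op"] == ARP_REPLY:
            answers[p["spa"]].append(p["sha"])
    return dict(answers)


# Constructed sample traffic (all addresses are made up for the demo):
# 10.0.0.20 is the legitimate box (GOOD); the rogue (ROGUE) answers the
# same request first and also sends a gratuitous ARP for the address.
GOOD, ROGUE, ASKER = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff", "00:aa:00:bb:00:cc"
NOBODY = "00:00:00:00:00:00"
SAMPLE_FRAMES = [
    build_arp_frame(ARP_REQUEST, ASKER, "10.0.0.5", NOBODY, "10.0.0.20"),
    build_arp_frame(ARP_REPLY, ROGUE, "10.0.0.20", ASKER, "10.0.0.5"),
    build_arp_frame(ARP_REPLY, GOOD, "10.0.0.20", ASKER, "10.0.0.5"),
    build_arp_frame(ARP_REQUEST, ROGUE, "10.0.0.20", NOBODY, "10.0.0.20"),   # gratuitous ARP
    build_arp_frame(ARP_REQUEST, "00:00:00:00:00:01", "0.0.0.0", NOBODY, "10.0.0.20"),  # probe
    b"\x00" * 60,                                                            # not ARP
]

if __name__ == "__main__":
    for ip, macs in find_conflicts(SAMPLE_FRAMES).items():
        print(f"CONFLICT {ip} claimed by {', '.join(macs)}")
    for ip, macs in reply_order(SAMPLE_FRAMES).items():
        print(f"replies for {ip}, in order seen: {macs}")
```

The conflict list gives you the rogue's MAC without touching either machine or announcing the search; the reply order, collected over a few hours, tells you whether one box is consistently beating the other to the answer rather than winning at random. Once you have the MAC, the first three octets (the OUI) identify the NIC vendor, which is often enough of a hint about which office to look in before tracing the drop.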