[CLUE-Tech] Finding rogue IPs.

David Anselmi anselmi at americanisp.net
Tue Nov 26 09:28:21 MST 2002


Jim Ockers wrote:
[...]

> A destructive (disruptive) test is one way to do this.  Start by 
> identifying which hub it's plugged into:

Thanks everyone for the good ideas.  Jim's was what I went with when the 
problem came back yesterday.  Here's some more info.

The hubs (3com) have a console port on the back, but they require a 
management module to be "managed".  I'll have to plug in and see if the 
port does anything without it.  I've always wondered what you could do 
with a managed hub, have to spend some time and see.

I did try Nessus first.  I can't say I like it very much--doesn't seem 
to say much about what it's doing.  I should get nmap instead.  When I 
ran it I got ambiguous results (e.g. ssh and Win terminal server).  But 
I'm sure that leaving the original box running on the same IP didn't 
help much (or does that matter since arp only maps to one MAC?)

The bad machine seems to be very good at stealing the IP.  I would think 
there would be some randomness to which box answers the arp request for 
the IP first, but there doesn't seem to be.

I haven't tried disconnecting the drop or blocking the IP yet.  I'd like 
to find the culprit without announcing that I'm searching--it isn't any 
of the admins so it may be someone doing something they shouldn't be.

I got lucky when searching for the port--2nd hub, 3rd port.  The drop is 
clearly numbered, but unfortunately it's not on our cable map.  So it 
may have been run after the rest of the offices were wired.  Sigh.  I 
think I'll try sniffing for hints on who might be using the machine 
before I start tracing wires.  Got to remember to switch the good 
machine to a different IP first.

Thanks again for the good ideas.

Dave
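An added example, not part of Dave's post: the post asks whether it matters that ARP maps an IP to only one MAC. A cache does keep one entry per IP (the last reply wins, which is why a second host can "steal" the address), but a sniffer that records every ARP reply still sees both claimants. The replies below are constructed sample records with made-up addresses.

```python
"""Detect one IP answered by more than one MAC from captured ARP replies.

Added example, not part of the original post. The ARP replies below are
constructed sample records (seconds since capture start, sender IP,
sender MAC) standing in for what a sniffer on the hub segment would see;
all addresses are made up.
"""
from collections import defaultdict

# Constructed sample: each tuple is (timestamp_s, sender_ip, sender_mac)
# taken from an "is-at" ARP reply seen on the wire.
ARP_REPLIES = [
    (0.0, "10.0.0.5", "00:11:22:33:44:55"),   # the legitimate box
    (0.4, "10.0.0.5", "00:de:ad:be:ef:01"),   # second host claiming the same IP
    (1.1, "10.0.0.9", "00:11:22:33:44:99"),
    (5.0, "10.0.0.5", "00:de:ad:be:ef:01"),
    (9.7, "10.0.0.5", "00:11:22:33:44:55"),
]


def arp_cache_view(replies):
    """Return the mapping a simple ARP cache would hold after all replies.

    A cache keeps one MAC per IP and each new reply overwrites the old
    entry, so whichever host answered last 'owns' the IP from the cache's
    point of view; the earlier claimant is invisible here.
    """
    cache = {}
    for _ts, ip, mac in replies:
        cache[ip] = mac
    return cache


def find_conflicts(replies):
    """Return {ip: [(first_seen, mac), ...]} for IPs claimed by >1 MAC."""
    first_seen = defaultdict(dict)  # ip -> {mac: first timestamp seen}
    for ts, ip, mac in replies:
        first_seen[ip].setdefault(mac, ts)
    return {
        ip: sorted((ts, mac) for mac, ts in macs.items())
        for ip, macs in first_seen.items()
        if len(macs) > 1
    }


if __name__ == "__main__":
    print("cache view:", arp_cache_view(ARP_REPLIES))
    for ip, claims in find_conflicts(ARP_REPLIES).items():
        macs = ", ".join(f"{mac} (first at {ts:.1f}s)" for ts, mac in claims)
        print(f"conflict: {ip} claimed by {macs}")
```

The MAC that appears only in the conflict list, not in the cache view, is the one to look up on the hub's port table or in the cable map.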