You could resolve the mac and then search for it on your switches to tie it down to a port... depending on your switches of course.
Which worm is it?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: 23 December 2004 16:30
To: [email protected]
Subject: RE: [ActiveDir] worm (very very OT)

we're a switched network. i'd have to go to every pc (500) and run it. i'm trying to avoid that. might as well run netstat -an on all pc's. ethereal won't tell me the real address.

thanks

-----Original Message-----
From: Candee Vaglica [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 23, 2004 11:16 AM
To: [email protected]
Subject: Re: [ActiveDir] worm (very very OT)

Use a network scanner, like Ethereal, to monitor the traffic.

On Thu, 23 Dec 2004 11:11:43 -0500, Kern, Tom <[EMAIL PROTECTED]> wrote:
> this is way off and i apologize but you guys are really knowledgeable and such a great help, i thought i'd try here.
>
> i have a number of pc's infected with some worm that goes out on port 10000 tcp and tries to attempt a DOS attack.
>
> I don't know the worm and a google search didn't really turn anything up.
>
> here's the thing. the worm uses a spoofed source address. my question is, is there any way to track down a spoofed address internally to the real address?
>
> I don't know how to find the infected pc's.
>
> thanks

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
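
The MAC-to-port approach suggested in the first reply, sketched as an added example that is not part of the thread: it pulls the Ethernet source MAC from frames sent to TCP port 10000 and looks each one up in a switch MAC address table. It assumes the worm spoofs only the IP source address, that the frames were captured on the same VLAN as the infected hosts (for example from a mirror port), and that the table is exported as four-column text; the function names, frames and table are constructed for illustration.

```python
import struct
from collections import Counter

def macs_sending_to(frames, dport=10000):
    """Count Ethernet source MACs of untagged IPv4/TCP frames sent to dport."""
    hits = Counter()
    for f in frames:
        if len(f) < 34 or f[12:14] != b"\x08\x00":    # short, VLAN-tagged or not IPv4
            continue
        ihl = (f[14] & 0x0F) * 4                       # IPv4 header length in bytes
        if ihl < 20 or f[23] != 6 or len(f) < 14 + ihl + 4:   # malformed or not TCP
            continue
        if struct.unpack("!H", f[20:22])[0] & 0x1FFF:  # later fragment: no TCP header
            continue
        if struct.unpack("!H", f[14 + ihl + 2:14 + ihl + 4])[0] == dport:
            hits[f[6:12].hex(":")] += 1                # bytes 6-11 = source MAC
    return hits

def locate(macs, mac_table):
    """Look each MAC up in 'VLAN MAC TYPE PORT' rows of a switch MAC table."""
    ports = {}
    for line in mac_table.splitlines():
        cols = line.split()
        mac = cols[1].translate(str.maketrans("", "", ".:-")).lower() if len(cols) == 4 else ""
        if len(mac) == 12:                             # skips headers and odd rows
            ports[":".join(mac[i:i + 2] for i in range(0, 12, 2))] = cols[3]
    return {m: ports.get(m, "not in table") for m in macs}

def _frame(src_mac, src_ip, dport):
    """Build a constructed Ethernet/IPv4/TCP SYN frame for the sample data."""
    eth = bytes.fromhex("00005e005301") + bytes.fromhex(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(src_ip), bytes([192, 0, 2, 10]))
    tcp = struct.pack("!HHLLBBHHH", 40000, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp

# Constructed sample: two hosts flooding port 10000 with varying spoofed IPs.
SAMPLE_FRAMES = [
    _frame("020000000a01", (10, 9, 9, 9), 10000),
    _frame("020000000a01", (172, 16, 5, 5), 10000),
    _frame("020000000b02", (10, 1, 2, 3), 10000),
    _frame("020000000c03", (10, 0, 0, 7), 443),      # unrelated traffic
]
# Constructed table text; the four-column layout is an assumption.
SAMPLE_TABLE = """Vlan  Mac Address     Type     Ports
  10  0200.0000.0a01  DYNAMIC  Fa0/7
  10  0200.0000.0c03  DYNAMIC  Fa0/12"""
```

Calling `locate(macs_sending_to(SAMPLE_FRAMES), SAMPLE_TABLE)` maps each suspect MAC to its port. A MAC reported as "not in table", or one that resolves to an uplink port, means the host hangs off another switch whose table needs the same lookup.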
