That's what I meant. ;) Thanks, Roger.
On Thu, 23 Dec 2004 10:59:56 -0800, Roger Seielstad <[EMAIL PROTECTED]> wrote:
> The way to track this down is to network scan on your egress router's
> interface. It should be relatively trivial to filter for the traffic based
> on destination port, and that will give you the MAC address of the sender
> (that is VERY much harder to spoof - not impossible, but a heck of a lot
> harder).
>
> From that, you can look at the ARP table of the router and the MAC address
> will be there from the *valid* traffic the machine is doing. You can
> guarantee that by ping sweeping the LAN, just in case. Then you're just
> matching MAC to MAC and you get the right IP address.
>
> Heck, I think there's perl code that will do most of that for you - I know
> we've got a MAC hunter app at work that does something similar to this to
> find the name of machines when all we have is a MAC address.
>
> --------
> Roger Seielstad
> E-mail Geek & MS-MVP
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
> > Sent: Thursday, December 23, 2004 8:30 AM
> > To: [email protected]
> > Subject: RE: [ActiveDir] worm (very very OT)
> >
> > we're a switched network. i'd have to go to every pc (500) and
> > run it. i'm trying to avoid that. might as well run netstat
> > -an on all pc's.
> >
> > ethereal won't tell me the real address.
> >
> > thanks
> >
> > -----Original Message-----
> > From: Candee Vaglica [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, December 23, 2004 11:16 AM
> > To: [email protected]
> > Subject: Re: [ActiveDir] worm (very very OT)
> >
> >
> > Use a network scanner, like Ethereal, to monitor the traffic.
> >
> >
> > On Thu, 23 Dec 2004 11:11:43 -0500, Kern, Tom
> > <[EMAIL PROTECTED]> wrote:
> > > this is way off and i apologize but you guys are really
> > > knowledgeable and such a great help, i thought i'd try here.
> > >
> > > i have a number of pc's infected with some worm that goes
> > > out on port 10000 tcp and tries to attempt a DOS attack.
> > >
> > > I don't know the worm and a google search didn't really
> > > turn anything up.
> > >
> > > here's the thing. the worm uses a spoofed source address.
> > > my question is, is there any way to track down a spoofed
> > > address internally to the real address?
> > >
> > > I don't know how to find the infected pc's.
> > >
> > > thanks
> > > List info : http://www.activedir.org/mail_list.htm
> > > List FAQ : http://www.activedir.org/list_faq.htm
> > > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
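Roger's procedure (filter the egress capture by destination port, take the source MAC of each frame, match that MAC against the router's ARP table to get the host's real IP) as an added worked example; this is not code from the thread or from anyone on the list. It assumes a pcap written by tcpdump on the LAN-facing interface of the egress router and an ARP table scraped into "ip mac" lines; the pcap, the ARP table, the MACs, the IPs and the 10000/tcp destination below are all constructed sample data, and the function names are mine.

```python
"""Hunt hosts sending spoofed-source traffic to a given TCP port.

Added example, not from the ActiveDir thread. Inputs are constructed:
a tiny Ethernet pcap is built in memory and the ARP table is a string.
"""
import ipaddress
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ROUTER_MAC = "00:00:5e:00:53:01"  # constructed: the egress router's LAN MAC


def mac_bytes(mac):
    return bytes(int(b, 16) for b in mac.split(":"))


def make_frame(src_mac, src_ip, dst_ip, dport, sport=1025):
    """Minimal Ethernet/IPv4/TCP SYN. Checksums stay zero: this capture is
    only ever parsed, never put on the wire."""
    eth = mac_bytes(ROUTER_MAC) + mac_bytes(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a classic libpcap file (what `tcpdump -w` writes)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1103824800 + i, 0, len(f), len(f)) + f
    return out


def iter_packets(pcap):
    """Yield (src_mac, src_ip, dst_ip, dport) for every IPv4/TCP frame."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                      # not IPv4
        if frame[14 + 9] != 6:
            continue                      # not TCP
        ihl = (frame[14] & 0x0F) * 4
        src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
        src_ip = str(ipaddress.IPv4Address(frame[26:30]))
        dst_ip = str(ipaddress.IPv4Address(frame[30:34]))
        dport = struct.unpack_from("!H", frame, 14 + ihl + 2)[0]
        yield src_mac, src_ip, dst_ip, dport


def parse_arp_table(text):
    """'ip mac' lines (as scraped from `arp -a` or the router's ARP dump)
    into a MAC -> IP dict; tolerates Windows-style dashes and upper case."""
    table = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) >= 2:
            table[parts[1].lower().replace("-", ":")] = parts[0]
    return table


def hunt(pcap, arp_text, dport):
    """For each source MAC sending to dport, compare the packet's source IP
    with the IP the ARP table holds for that MAC. A mismatch is a spoofed
    source; the ARP entry is the host's real address. A MAC missing from the
    table (real_ip None) means the router has not seen valid traffic from it
    yet: ping-sweep the LAN and dump the table again."""
    arp = parse_arp_table(arp_text)
    spoofed = defaultdict(set)
    for mac, sip, _dip, port in iter_packets(pcap):
        if port != dport:
            continue
        if arp.get(mac) != sip:
            spoofed[mac].add(sip)
    return {mac: (arp.get(mac), sorted(ips)) for mac, ips in spoofed.items()}


# Constructed capture: one normal web hit, two spoofed DoS SYNs from one
# host, one honest 10000/tcp packet, and one spoofed SYN from a MAC the
# router has not learned yet.
SAMPLE_PCAP = build_pcap([
    make_frame("00:0c:29:aa:bb:01", "10.1.1.20", "192.0.2.50", 80),
    make_frame("00:0c:29:aa:bb:02", "203.0.113.7", "198.51.100.9", 10000),
    make_frame("00:0c:29:aa:bb:02", "203.0.113.8", "198.51.100.9", 10000),
    make_frame("00:0c:29:aa:bb:03", "10.1.1.33", "198.51.100.9", 10000),
    make_frame("00:0c:29:aa:bb:04", "198.18.0.5", "198.51.100.9", 10000),
])
SAMPLE_ARP = """\
10.1.1.20   00:0c:29:aa:bb:01
10.1.1.77   00-0C-29-AA-BB-02
10.1.1.33   00:0c:29:aa:bb:03
"""

if __name__ == "__main__":
    for mac, (real_ip, fakes) in hunt(SAMPLE_PCAP, SAMPLE_ARP, 10000).items():
        print(f"{mac} real={real_ip or 'UNKNOWN (ping sweep)'} spoofed={fakes}")
```

On a live network the capture would come from something like `tcpdump -i <lan-facing-if> -w egress.pcap 'tcp dst port 10000'`; filtering on the destination port at capture time keeps the file small. The source MAC is only the infected PC's if the capture point sits on the same Layer 2 segment as the PCs; one router hop in between replaces it with that router's MAC, which is why the capture belongs on the inside interface. Once you have the MAC, the switch's own forwarding table will also tell you which port the host hangs off, which is quicker than walking 500 desks.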
