<div>Hi Rich</div> <div> </div> <div>Thanks for the reply. Tried your suggestion. In fact, we just found out that the IP address is the network's broadcast address (netmask = 255.255.252.0).</div> <div> </div> <div>Is there a way to stop or isolate the virus from making use of the broadcast mechanism?</div> <div> </div> <div>Hong<BR><BR><B><I>Richard Jones <rich@annexia.org></I></B> wrote:</div> <BLOCKQUOTE class=replbq style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #1010ff 2px solid">On Fri, Oct 12, 2007 at 02:44:26PM +0800, Hong Chyr wrote:<BR>> I'm helping a friend troubleshooting this strange problem. He manages a <BR>> network that is extremely chaotic and virus ridden. One particular IP <BR>> address is identified as the major source of attack, 10.104.3.255. This <BR>> device is using the broadcast address and seem to be knocking on <BR>> everyone's doors to propagate worms.<BR>> <BR>> If we ping the address,
another IP address will respond in its place. <BR>> Question now is, how can we trace the IP to the machine? To add to the <BR>> difficulty, none of the switches are managed, ie, there's no packet <BR>> statistics to identify which port is flooding the network.<BR>> <BR>> Any ideas?<BR><BR>If you look in the arp table (/sbin/arp -an) can you map any of these<BR>IP addresses to a particular MAC address? If so then you should be<BR>able to work out the manufacturer of the machine / network card /<BR>device from the MAC address. I believe that nmap automates this.<BR><BR>Although the switches aren't managed, do any give any sort of MAC-to-<BR>port mapping?<BR><BR>How about looking at the lights on the switches to see which one<BR>is flashing the most?<BR><BR>Rich.<BR><BR>-- <BR>Richard Jones<BR><BR>-- <BR>Gllug mailing list - Gllug@gllug.org.uk<BR>http://lists.gllug.org.uk/mailman/listinfo/gllug<BR></BLOCKQUOTE><BR><p>
<hr size=1>
Yahoo! Answers - Get better answers from someone who knows. <a
href="http://uk.answers.yahoo.com/;_ylc=X3oDMTEydmViNG02BF9TAzIxMTQ3MTcxOTAEc2VjA21haWwEc2xrA3RhZ2xpbmU">Try
it now</a>.