[Gllug] Someone is using the broadcast address!!
Hong Chyr
hongchyr at yahoo.co.uk
Sat Oct 13 01:43:37 UTC 2007
Thanks guys for your suggestions and answers. I guess all that's left to
do is disinfect the machines one by one and isolate them until the
network is clean.
Cheers
Hong
John Winters wrote:
>> Hi Rich
>>
>> Thanks for the reply. Tried your suggestion. In fact, we just found out
>> that the IP address is the network's broadcast address (netmask =
>> 255.255.252.0).
>>
>> Is there a way to stop or isolate the virus from making use of the
>> broadcast mechanism?
>>
>
> Not really.
>
> If small interruptions to network service are acceptable then you could do
> a binary search to find the culprit.
>
> Assuming that you know the topology of your network, find a point near the
> middle and break the network at that point. One side will now see the
> problem and the other won't, so you've narrowed it down to half your
> machines.
>
> Repeat to further halve the number of suspect machines.
>
> Once you narrow it down to one particular switch or hub (and a binary
> search will get you here very quickly), then unplug the machines one by
> one until you find the culprit.
>
> HTH
> John
>
>
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
More information about the GLLUG
mailing list