Rouge PC

[Stringent]

Have found a rouge pc on our network which we can't work out what/where it is. Its picked up a DHCP IP address. Is there any way to narrow it down to which switch its on so we can go um, confiscate it.

[Jay]

if you have a cisco switch then go into the DHCP of your server and get its MAC address, log in to the switch and type sh mac-address-table.

This will give you all the MAC addresses and tell you what port its on.

[TiG]

You mean its red/pink in colour?

Not just cisco switches but pretty much all switches allow that.

TiG

[Jay]

I have only ever used Cisco managed switches so I didn't want to assume.

[peterb]

If its a red PC - it shoulod be obvious

How big a network you are talking about? Traceroute? Are the switches managed?

[Stringent]

Most are managed. its a medium sized network. We have a mix at the moment. Have a Linksys SRW2048 which is where I'll start from, when we get into the switch cabinets elsewhere we have 3COM 4400.

[Jay]

I once had a problem like this and could not find the system. After a few weeks I found out that some one was bringing in their laptop from home, plugging it into the network to get updates.

[UltraMagnus]

why does it matter? really?

[Jay]

becuase you need to know what is going on at all times. What if this system starting mass mailing due to a security issue and you didn't know where it was located to shut it down and pull it?

[peterb]

why does it matter? really?

Because that unknown computer represents a major risk to the network security through virus or other malware, either accidentally or deliberately imported. It is also an export path for corporate data (which may or may not be an issue - it depends what other export controls are in place).

[Mossy]

it would be nice to know hte outcome good luck

[chuckskull]

I've heard a few stories like this, one ending a room that had been closed up during building work and the PC's never removed.

One solution I heard was to shut down all the other PC's remotely and go looking for one that was left on, obviously not possible on all networks/machines. If you have any kind of sleep/wake on lan, it should work.

[Stringent]

I'll need to find a laptop with a COM port so I can hook up to the switches. All the new ones don't have one! Also the Web interface on switches are useless for finding out such info.

Have got the MAC address, and have set a reservation for it so it gets all the wrong IP info. If someone comes running up, I'll soon suss it.

[Jay]

I once found a node and full patch panel that wasn't on the plans. Quite a shock I can tell you.

can you not telnet to the switches?