The way to track this down is to network scan on your egress router's
interface. It should be relatively trivial to filter for the traffic based
on destination port, and that will give you the MAC address of the sender
(that is VERY much harder to spoof - not impossible, but a heck of a lot
harder).

From that, you can look at the ARP table of the router and the MAC address
will be there from the *valid* traffic the machine is doing. You can
guarantee that by ping sweeping the LAN, just in case. Then you're just
matching MAC to MAC and you get the right IP address.

Heck, I think there's perl code that will do most of that for you - I know
we've got a MAC hunter app at work that does something similar to this to
find the name of machines when all we have is a MAC address.

--------
Roger Seielstad
E-mail Geek & MS-MVP  
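The procedure above (capture on the egress router's LAN interface, filter by destination port, take the sender's MAC, then match it against the router's ARP table) carried out in code. This is an added example, not code from Roger or from the list; the capture summary and ARP table are constructed inline, in the shape of `tshark -T fields` and `arp -an` output, and the port and addresses are placeholders.

```python
import re
from collections import defaultdict

# Constructed capture summary, in the shape of
# `tshark -T fields -e eth.src -e ip.src -e tcp.dstport` run on the router's
# LAN-facing interface. Not a real capture; the claimed source IPs are spoofed.
CAPTURE_LINES = """\
00:11:22:33:44:55\t203.0.113.9\t10000
00:11:22:33:44:55\t198.51.100.77\t10000
aa:bb:cc:dd:ee:ff\t192.0.2.10\t443
66:77:88:99:aa:bb\t203.0.113.200\t10000
de:ad:be:ef:00:01\t203.0.113.5\t10000
aa:bb:cc:dd:ee:ff\t192.0.2.10\t80
"""

# Constructed ARP table, in the shape of `arp -an` on the router after a ping
# sweep of the LAN so every live host has an entry. Not real data.
ARP_LINES = """\
? (192.0.2.10) at aa:bb:cc:dd:ee:ff [ether] on eth0
? (192.0.2.23) at 00:11:22:33:44:55 [ether] on eth0
? (192.0.2.31) at 66:77:88:99:aa:bb [ether] on eth0
? (192.0.2.45) at <incomplete> on eth0
"""

ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})", re.IGNORECASE)


def parse_arp_table(text):
    """Map each MAC in `arp -an` style output to the LAN IP the router saw it use.

    '<incomplete>' entries carry no MAC and are skipped.
    """
    table = {}
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if m:
            table[m.group("mac").lower()] = m.group("ip")
    return table


def suspect_macs(text, dst_port):
    """Group the claimed source IPs seen per source MAC for traffic to dst_port."""
    seen = defaultdict(set)
    for line in text.splitlines():
        mac, src_ip, port = line.split("\t")
        if int(port) == dst_port:
            seen[mac.lower()].add(src_ip)
    return seen


def locate_senders(capture_text, arp_text, dst_port=10000):
    """Return {real_lan_ip: sorted claimed source IPs} for every MAC sending to dst_port.

    A MAC with no ARP entry (host not on this segment, or the sweep missed it)
    is reported under 'unknown-host <mac>' so it is not silently dropped.
    """
    arp = parse_arp_table(arp_text)
    result = {}
    for mac, claimed in suspect_macs(capture_text, dst_port).items():
        key = arp.get(mac, f"unknown-host {mac}")
        result[key] = sorted(claimed)
    return result


if __name__ == "__main__":
    for host, claimed in locate_senders(CAPTURE_LINES, ARP_LINES).items():
        print(f"{host}: sent to tcp/10000 claiming source {', '.join(claimed)}")
```

The MAC is the key the whole time: the spoofed source IP in the capture is ignored except for reporting, and the real address comes only from the ARP entry the router learned from the host's legitimate traffic (or from the ping sweep). A MAC that resolves to nothing usually means the sender sits behind another router or hub segment, which is worth knowing before walking to 500 desks.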

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
> Sent: Thursday, December 23, 2004 8:30 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] worm (very very OT)
> 
> we're a switched network. i'd have to go to every pc(500) and 
> run it. i'm trying to avoid that. might as well run netstat 
> -an on all pc's.
> 
> ethereal won't tell me the real address.
> 
> thanks
> 
> -----Original Message-----
> From: Candee Vaglica [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 23, 2004 11:16 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] worm (very very OT)
> 
> 
> Use a network scanner, like Ethereal to monitor the traffic.
> 
> 
> On Thu, 23 Dec 2004 11:11:43 -0500, Kern, Tom 
> <[EMAIL PROTECTED]> wrote:
> > this is way off and i apologize but you guys are really 
> knowledgeable and such a great help, i thought i'd try here.
> > 
> > i have a number of pc's infected with some worm that goes 
> out on port 10000 tcp and tries to attempt a DOS attack.
> > 
> > I don't know the worm and a google search didn't really 
> turn anything up.
> > 
> > here's the thing. the worm uses a spoofed source address. 
> my question is, is there anyway to track down a spoofed 
> address internally to the real address?
> > 
> > I don't know how to find the infected pc's.
> > 
> > thanks
> > List info   : http://www.activedir.org/mail_list.htm
> > List FAQ    : http://www.activedir.org/list_faq.htm
> > List archive: 
> > http://www.mail-archive.com/activedir%40mail.activedir.org/
> >
