machine named "ubuntu" has shown up somewhere on our network

Brazen

Diamond Member
Jul 14, 2000
A machine named "ubuntu" has shown up on our network and I don't know where it came from. I'm not _too_ worried about it, but I would like to figure out more about the machine, particularly its location. Our users are not supposed to make changes to the computers' configuration and they are not supposed to bring in outside computers.

So anyway, I'm not too worried about an Ubuntu machine being on our network (we have a couple Ubuntu servers, anyway) but I would like to be able to find any information that can help find who is breaking the rules. Any ideas?
 

drag

Elite Member
Jul 4, 2002
How do you know 'ubuntu' is on your network?
I assume that it's showing up as a host for a SAMBA server/share on your file and print server network?

If so I'd probably then use nmblookup to map it to an IP address. Then use nmap to do a stealthy scan of the computer. If I wanted to be extra sneaky I'd find out what network segment it's on and then use wireshark to do a dump of its network traffic and then try to figure out what it's up to. (you can use "poisoned arp" techniques to sniff on a switched network if you have to.)

Also I would use kismet to detect any sort of wireless access points people have snuck into your network. I'd have to leave it running for a while and then do it in different parts of the building to make sure that people aren't trying to escape detection by 'cloaking' their ssid broadcasts by disabling them.
 

Brazen

Diamond Member
Jul 14, 2000
Originally posted by: drag
How do you know 'ubuntu' is on your network?

Actually it showed up in our firewall logs from yesterday. And it looks like all they did was browse the ubuntu website.

I'll check out nmap.
 

Nothinman

Elite Member
Sep 14, 2001
Tracking down things like this is a PITA, can you get their MAC and get one of the networking guys to track down which port that MAC's using?
 

Brazen

Diamond Member
Jul 14, 2000
Originally posted by: Nothinman
Tracking down things like this is a PITA, can you get their MAC and get one of the networking guys to track down which port that MAC's using?

I'm also the networking guy. Basically any problem that takes more than a reboot to fix comes to me :D (or maybe :()

Originally posted by: arcas
Could be that one of your users booted an Ubuntu LiveCD.

Yeah, I verified with my own LiveCD that it does give a hostname of ubuntu. And it's gone from our network now (not even pingable). So my guess is someone was just playing around with a LiveCD which is probably going to be impossible to find now that it's gone.
 

skyking

Lifer
Nov 21, 2001
Originally posted by: Brazen
Originally posted by: Nothinman
Tracking down things like this is a PITA, can you get their MAC and get one of the networking guys to track down which port that MAC's using?

I'm also the networking guy. Basically any problem that takes more than a reboot to fix comes to me :D (or maybe :()

Originally posted by: arcas
Could be that one of your users booted an Ubuntu LiveCD.

Yeah, I verified with my own LiveCD that it does give a hostname of ubuntu. And it's gone from our network now (not even pingable). So my guess is someone was just playing around with a LiveCD which is probably going to be impossible to find now that it's gone.

Should be a way to figure it out with the MAC address of the network adapter. If it was a live CD boot, it will not likely modify that bit of info.
 

Nothinman

Elite Member
Sep 14, 2001
Should be a way to figure it out with the MAC address of the network adapter. If it was a live CD boot, it will not likely modify that bit of info.

No doubt but depending on your network layout and equipment narrowing that down to a port can be a huge PITA.
 

drag

Elite Member
Jul 4, 2002
Well...

If you know their IP address and you're using routers and you have your network properly organized then you should be able to determine just by knowing the IP address what particular network segment they are located on.

You should have the network divided up into logical subnets to help organize everything and keep the network efficient. Then have all that stuff documented somewhere for easy recollection.

Then armed with that knowledge you could probably have done something like hooked up a serial connection (or telnet'd if you don't have it set up for security) to your router and then examined the arp cache to see what IP address corresponded with what MAC address.

Then if you have intelligent switches with their own administrative interfaces you could look at that and determine what MAC address was connected to what port.

Or if the machine was configured using DHCP you could look at your DHCP server and find out what IP it assigned to what MAC address that way. I suppose most DHCP servers keep a cache of assignments so that they can keep assigning the same addresses to the same machine, for convenience's sake. Or if you're lucky the DHCP server logs that sort of thing.

Except for good DHCP logs this sort of information is the sort of thing that can disappear after a short time. Kinda have to catch them in the act.
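The correlation drag describes (hostname from the firewall log, to the DHCP lease, to the MAC, to the switch port) as an added example that is not from the thread or any poster. The dhcpd.leases fragment, the "show mac address-table" dump, and every IP, MAC and port name in it are constructed; a MAC that has already aged out of the switch table comes back with port None, which is the "information disappears" case the post warns about.

```python
import re
# Constructed sample data, not from the thread: a dhcpd.leases fragment and a switch MAC table
# in "show mac address-table" style. Only the first lease's MAC is still in the switch table.
DHCP_LEASES = """lease 10.1.4.57 {
  ends 3 2008/04/16 20:02:11;
  hardware ethernet 00:16:3e:4a:9b:12;
  client-hostname "ubuntu";
}
lease 10.1.4.23 {
  ends 3 2008/04/16 15:10:00;
  hardware ethernet 00:1a:a0:77:c3:0e;
  client-hostname "ws-acct-07";
}
"""
SWITCH_MAC_TABLE = """Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   4    0016.3e4a.9b12    DYNAMIC     Fa0/17
"""

def normalize_mac(mac):
    """Canonical aa:bb:cc:dd:ee:ff from colon, dash or Cisco dotted (0016.3e4a.9b12) forms."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_leases(text):
    """dhcpd.leases text -> {ip: {mac, hostname, ends}}; a later block for the same IP wins."""
    leases = {}
    for ip, body in re.findall(r"lease\s+(\S+)\s*\{(.*?)\}", text, re.S):
        mac = re.search(r"hardware ethernet\s+([0-9a-fA-F:]{17});", body)
        host = re.search(r'client-hostname\s+"([^"]*)";', body)
        ends = re.search(r"ends\s+\d\s+([^;]+);", body)
        leases[ip] = {"mac": normalize_mac(mac.group(1)) if mac else None,
                      "hostname": host.group(1) if host else None, "ends": ends.group(1) if ends else None}
    return leases

def parse_mac_table(text):
    """'show mac address-table' dump -> {mac: (vlan, port)}; header and rule lines are skipped."""
    row = re.compile(r"\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.I)
    return {normalize_mac(m.group(2)): (m.group(1), m.group(3)) for m in map(row.match, text.splitlines()) if m}

def locate_host(hostname, leases_text=DHCP_LEASES, table_text=SWITCH_MAC_TABLE):
    """Hostname from the firewall log -> [{ip, mac, vlan, port, lease_ends}]; port is None if the MAC aged out."""
    table = parse_mac_table(table_text)
    hits = []
    for ip, lease in parse_leases(leases_text).items():
        if (lease["hostname"] or "").lower() == hostname.lower():
            vlan, port = table.get(lease["mac"], (None, None))
            hits.append({"ip": ip, "mac": lease["mac"], "vlan": vlan, "port": port, "lease_ends": lease["ends"]})
    return hits
```

On a real network the two text inputs would come from the DHCP server's lease file and the switch CLI; the lease expiry is kept so you know how long the IP-to-MAC binding can still be trusted.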
 

Nothinman

Elite Member
Sep 14, 2001
If you know their IP address and you're using routers and you have your network properly organized then you should be able to determine just by knowing the IP address what particular network segment they are located on.

You should have the network divided up into logical subnets to help organize everything and keep the network efficient. Then have all that stuff documented somewhere for easy recollection.

Yea, because all corporate networks are laid out in a logical fashion and completely documented...
 

Brazen

Diamond Member
Jul 14, 2000
Originally posted by: Nothinman
If you know their IP address and you're using routers and you have your network properly organized then you should be able to determine just by knowing the IP address what particular network segment they are located on.

You should have the network divided up into logical subnets to help organize everything and keep the network efficient. Then have all that stuff documented somewhere for easy recollection.

Yea, because all corporate networks are laid out in a logical fashion and completely documented...

Yes, "should" is a very strong word. Unfortunately this network was set up long before I got here. One day I hope to have the time to reorganize it.
 

Nothinman

Elite Member
Sep 14, 2001
Yes, "should" is a very strong word. Unfortunately this network was set up long before I got here. One day I hope to have the time to reorganize it.

Good luck with that, everyone that I know who's in charge of a network says the exact same thing. =)
 

skyking

Lifer
Nov 21, 2001
Originally posted by: Nothinman
Yes, "should" is a very strong word. Unfortunately this network was set up long before I got here. One day I hope to have the time to reorganize it.

Good luck with that, everyone that I know who's in charge of a network says the exact same thing. =)

I have a few old notebooks with the relevant data, ports, MAC addy, physical locations. I keep lying about making a nice .txt to keep on the servers:p
 

TSDible

Golden Member
Nov 4, 1999
If it was a live CD, couldn't you get the MAC address from that connection in the log and block its access?

Then, just wait for the person to call you to figure out why their computer isn't working...

:)
 

Nothinman

Elite Member
Sep 14, 2001
If it was a live CD, couldn't you get the MAC address from that connection in the log and block its access?

Then, just wait for the person to call you to figure out why their computer isn't working...

He said that it's already gone so if it was a LiveCD they've already rebooted back into whatever OS was on there before so blocking the MAC at the DHCP server will work but it won't be noticed until the current lease expires.