  • You don't say how large your network is. If it's fairly small in one location, it should be easy enough to track it down by checking the MAC address against your switch MAC address tables. This will tell you which switch and which switch port it's connected to. You can find its MAC address by pinging it and then correlating it by running arp -a in DOS.

    As others have suggested, once you find which port it's on, disable that port.

    I also recommend running NMAP against that IP as someone suggested above to see if it returns information about operating system, open ports, etc.  You may even get usernames or profile information.  This can be useful. 

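The ping, arp -a, switch MAC-table procedure from the answer above, written out as an added example (not code from the original thread). It assumes Windows `arp -a` output, Cisco-style `show mac address-table` output, and that you know which ports on each switch are uplinks; all addresses, MACs and switch names are constructed.

```python
import re
# Constructed Windows `arp -a` output after pinging the suspect DNS server 10.1.20.53 (all values made up).
ARP_OUTPUT = """\
Interface: 10.1.20.15 --- 0xc
  Internet Address      Physical Address      Type
  10.1.20.1             00-11-22-aa-bb-01     dynamic
  10.1.20.53            0c-af-12-34-56-78     dynamic
"""

# Constructed Cisco-style `show mac address-table` output from two switches: the core
# learns the suspect MAC behind its uplink, the access switch learns it on an edge port.
MAC_TABLES = {
    "core-sw1": """\
Vlan    Mac Address       Type        Ports
  20    0011.22aa.bb01    DYNAMIC     Gi1/0/1
  20    0caf.1234.5678    DYNAMIC     Gi1/0/48
""",
    "access-sw7": """\
Vlan    Mac Address       Type        Ports
  20    0011.22aa.bb01    DYNAMIC     Gi1/0/49
  20    0caf.1234.5678    DYNAMIC     Gi1/0/7
""",
}

# Switch-to-switch ports (constructed): a MAC learned here only points to the next switch.
UPLINK_PORTS = {"core-sw1": {"Gi1/0/48"}, "access-sw7": {"Gi1/0/49"}}


def normalize_mac(mac):
    """Reduce xx-xx-xx-xx-xx-xx or xxxx.xxxx.xxxx notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def mac_for_ip(arp_output, ip):
    """Return the MAC that `arp -a` lists for ip, or None if the host never answered."""
    for line in arp_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == ip:
            return normalize_mac(parts[1])
    return None


def parse_mac_table(text):
    """Yield (vlan, mac, port) for each learned entry; header lines do not match."""
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+([0-9a-fA-F.:-]+)\s+\S+\s+(\S+)", line)
        if m:
            yield int(m.group(1)), normalize_mac(m.group(2)), m.group(3)


def locate_mac(mac, tables, uplinks):
    """Return (switch, port, vlan) of the one edge port where mac is learned, else None."""
    hits = [(sw, port, vlan)
            for sw, text in tables.items()
            for vlan, entry, port in parse_mac_table(text)
            if entry == mac and port not in uplinks.get(sw, set())]
    if len(hits) > 1:  # same MAC on two edge ports: an uplink is missing from UPLINK_PORTS
        raise RuntimeError(f"ambiguous location: {hits}")
    return hits[0] if hits else None


def locate_ip(ip, arp_output=ARP_OUTPUT, tables=MAC_TABLES, uplinks=UPLINK_PORTS):
    # IP -> MAC via the ARP cache, then MAC -> switch port via the MAC tables.
    mac = mac_for_ip(arp_output, ip)
    return None if mac is None else locate_mac(mac, tables, uplinks)
```

Feeding it real `arp -a` and `show mac address-table` captures gives the access port to disable; a MAC that only ever appears on uplink ports means another switch's table still needs to be pulled.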

    63 Replies

    • Get A MAC address. Can hunt it down that way! MAC address info will give manufacturer, etc...What about Spiceworks? Not showing the IP in the inventory? Should have all the info you need there?

    • Have you tried entering that IP address into a browser?

    • We should have a contest about what it is and why it's there!  My guess?  "Um, I couldn't get a good wireless signal on my phone so I thought I'd bring this wireless router in from home."

    • Get a MAC, and if you're running a managed switch, you should be able to view the table and see what port it's coming across. 

    • Mercutio879 wrote:

      Get a MAC, and if you're running a managed switch, you should be able to view the table and see what port it's coming across. 

      And then disable that port.

    • Gary D Williams wrote:

      Mercutio879 wrote:

      Get a MAC, and if you're running a managed switch, you should be able to view the table and see what port it's coming across. 

      And then disable that port.

      And wait for the phone call asking why their Linksys doesn't work any more.

    • Mercutio879 wrote:

      Gary D Williams wrote:

      Mercutio879 wrote:

      Get a MAC, and if you're running a managed switch, you should be able to view the table and see what port it's coming across. 

      And then disable that port.

      And wait for the phone call asking why their Linksys doesn't work any more.

      And then go up and ask them why the hell they brought the thing in/installed DNS on their computer, and then you remove their local admin and tell them to never do that again.

    • Gary D Williams wrote:

      Mercutio879 wrote:

      Gary D Williams wrote:

      Mercutio879 wrote:

      Get a MAC, and if you're running a managed switch, you should be able to view the table and see what port it's coming across. 

      And then disable that port.

      And wait for the phone call asking why their Linksys doesn't work any more.

      And then go up and ask them why the hell they brought the thing in/installed DNS on their computer, and then you remove their local admin and tell them to never do that again.

      'The internet said it would make the internet go faster! Don't take it out! It'll slow down again!'

    • Unplug it and wait to see who yells that something is broke.

    • Mercutio879 wrote:

      Gary D Williams wrote:

      Mercutio879 wrote:

      Gary D Williams wrote:

      Mercutio879 wrote:

      Get a MAC, and if you're running a managed switch, you should be able to view the table and see what port it's coming across. 

      And then disable that port.

      And wait for the phone call asking why their Linksys doesn't work any more.

      And then go up and ask them why the hell they brought the thing in/installed DNS on their computer, and then you remove their local admin and tell them to never do that again.

      'The internet said it would make the internet go faster! Don't take it out! It'll slow down again!'

      Time for a serious desk visit and chat.

    • Might also be worth running NMAP against it and see if there is anything that returns to help you ID what sort of device it is (be it a Windows PC or some flavour of linux or embedded device).

    • Stipman wrote:

       I want to see what zones its hosting etc.

      Serious question but why do you care what it is hosting?

      It's not a DNS server under the IT depts control so it shouldn't be there.

      Kill it. Kill it with fire.

    • Can't this be blocked via a firewall rule?

    • Gary D Williams wrote:

      Stipman wrote:

       I want to see what zones its hosting etc.

      Serious question but why do you care what it is hosting?

      It's not a DNS server under the IT depts control so it shouldn't be there.

      Kill it. Kill it with fire.

      Squash it like a bug.  Might as well nail the user too.  Like Joe Pesci.

      https://www.youtube.com/watch?v=L8Vou7yK4e8

    • Thanks for all the suggestions. I have, in fact, gotten the MAC address and will be working with the networking team to identify and disable the port. I'm actually consulting to a fairly large local government with lots of different locations and discovered this DNS server in the correctional center (which may or may not explain some of their DNS resolution issues!) Going to kill the port and see who calls. Will definitely do an NMAP and see what turns up. Based on it listening on 3389 I'm guessing it's a Windows box. I would love to get hands on the physical box but the location makes it a bit more difficult than usual to track down.

    • It's probably one of the dedicated computers used to communicate with the state. Good luck with that. In my state you can't touch a law enforcement computer without a complete background check. I gotcha background check right here!

    • Stipman wrote:

      Thanks for all the suggestions. I have, in fact, gotten the MAC address and will be working with the networking team to identify and disable the port. I'm actually consulting to a fairly large local government with lots of different locations and discovered this DNS server in the correctional center (which may or may not explain some of their DNS resolution issues!) Going to kill the port and see who calls. Will definitely do an NMAP and see what turns up. Based on it listening on 3389 I'm guessing it's a Windows box. I would love to get hands on the physical box but the location makes it a bit more difficult than usual to track down.

      Ok, rogue networking equipment in a correctional facility is more than a minor problem. A fire needs to be lit under the network guys to locate and kill the thing.
    • Stipman wrote:

      Thanks for all the suggestions. I have, in fact, gotten the MAC address and will be working with the networking team to identify and disable the port. I'm actually consulting to a fairly large local government with lots of different locations and discovered this DNS server in the correctional center (which may or may not explain some of their DNS resolution issues!) Going to kill the port and see who calls. Will definitely do an NMAP and see what turns up. Based on it listening on 3389 I'm guessing it's a Windows box. I would love to get hands on the physical box but the location makes it a bit more difficult than usual to track down.

      Go through the background check and get into the prison. It is nothing to be scared of, seriously, I know. I was a prison guard for the State of Missouri for 6 years. Once you see hardened felons get on chairs and scream because of a mouse or snake, it really does take their intimidation factor away from them. I killed said mouse and threw it away. I gained their respect for doing that. I was just laughing the whole time.

    • Well, we know how it got into the correctional center!!

      http://www.liveleak.com/view?i=62b_1434333678

      Add this to the issues of a guard helping inmates escape. How many boxes of cigs to buy a windows PC in the prison black market?

    • If you have a Mac, get IP Scanner Pro. Very useful in tracking rogue devices. It will try to pull device info such as brand, MAC, manufacturer, etc.

    • I've been in the CC several times (all work related!) I know they have a few independent systems that are not under IT department control (internal investigations, WestLaw for the "guests", etc.). Will follow up with the powers that be and find out if this Windows domain is authorized or if it's someone's sandbox. NMAP was the key that revealed more detail.

      Thanks all!

    • It is possible that it is a Windows server set up for some obscure reason that made sense at the time.

      The Linksys router was a good guess though.

    • Stipman wrote:

      Thanks for all the suggestions. I have, in fact, gotten the MAC address and will be working with the networking team to identify and disable the port. I'm actually consulting to a fairly large local government with lots of different locations and discovered this DNS server in the correctional center (which may or may not explain some of their DNS resolution issues!) Going to kill the port and see who calls. Will definitely do an NMAP and see what turns up. Based on it listening on 3389 I'm guessing it's a Windows box. I would love to get hands on the physical box but the location makes it a bit more difficult than usual to track down.

      If it's listening on 3389, that's Remote Desktop.  I would try connecting to it and see what comes up.  In a DOS window type mstsc /v:(IP address)

      I would also browse its C: drive by UNC path.  \\(IP address)\C$  This can give you all sorts of clues. 

    • Get the MAC and track it down via ARP pings to find out which switch port it is on.

    • Trace it back to the last switch. Hook up an AC plug to all 8 leads of a regular RJ45 wall jack. Plug in. Wait for smoke and screams.

    • Stipman wrote:

      I've been in the CC several times (all work related!) ..

      ME TOO!! How long was your last stretch?
    • What about a tracert to see if you can help narrow it down where it is located?

    • In regards to the picture that was chosen for this article, did anyone else automatically think RoguePacket?

    • Bud G. wrote:

      In regards to the picture that was chosen for this article, did anyone else automatically think RoguePacket?

      right behind you on that...I bet you have roguepacket running as a DNS server somewhere. He'll have to come out for bacon sometime???

    • But, but wasn't me!!

      Sounds like it has been resolved.  There are many tools to pursue this, and some to consider for the future.  Immediate ones are Cisco port security, Wireshark, and NAC.  Guess there is a rogue DHCP server passing the inappropriate DNS advertisements.  Good times.

    • That is really very possible. I have encountered it before, especially when you have unmanaged switches and those ad hoc network switches which offices like to use to "extend" their network points during staff expansion, as to them it's a shortcut without having to worry about cascading more network switches at the server rack.

    • My reply is in response to Sid Phillips about possibility of a wireless router brought by the staff themselves.

    • Bud G. wrote:

      In regards to the picture that was chosen for this article, did anyone else automatically think RoguePacket?

      First thing I thought of.

    • Today's network forecast: cloudy with a chance of banhammer.

    • Get LanSpy to scan that IP address: http://lantricks.com/lanspy/

    • Maybe one of the correctional facility "guests" is studying for an IT cert =P

    • Bud G. wrote:

      In regards to the picture that was chosen for this article, did anyone else automatically think RoguePacket?

      I thought of HAL when Dave Bowman was trying to shut it down.
    • JonnyPnemonic wrote:

      Maybe one of the correctional facility "guests" is studying for an IT cert =P

      The prison I worked at for the State of Missouri, Northeast Correctional Center, actually has a vo-tech program for the inmates in which they take computers refurbish them and then they give them to local schools.  They are able to get their A+ Cert through the program.  Which I know isn't much but for someone with no IT background and maybe has had a hard life with not too many opportunities it can be a life changer. 

    • Sid Phiilips wrote:

      We should have a contest about what it is and why it's there!  My guess?  "Um, I couldn't get a good wireless signal on my phone so I thought I'd bring this wireless router in from home."

      LOL.  Had this one last week!  It was divvying out IPs via DHCP (in scope!) with itself as the default gateway as we returned from a power outage - before our authorized DHCP server came up fully.  I used ping and ARP to track it down initially, then show-mac-address table on my cisco switches to find the switch port... traced that back through the patch panel to the office data jack map and voila! Rogue wireless router and doe-eyed user discovered!
    • TheGlaz wrote:

      Sid Phiilips wrote:

      We should have a contest about what it is and why it's there!  My guess?  "Um, I couldn't get a good wireless signal on my phone so I thought I'd bring this wireless router in from home."

      LOL.  Had this one last week!  It was divvying out IPs via DHCP (in scope!) with itself as the default gateway as we returned from a power outage - before our authorized DHCP server came up fully.  I used ping and ARP to track it down initially, then show-mac-address table on my cisco switches to find the switch port... traced that back through the patch panel to the office data jack map and voila! Rogue wireless router and doe-eyed user discovered!

      I'm not sure if Cisco has this, but HP has a feature called DHCP-snooping on some of their switches, only allows authorized DHCP servers to hand out addresses from authorized ports and then blocks everything else. Really simple to turn on and implement.
    • That's a delivery of dinner to the tower guard.

    • Interested to see how this turns out. Please update when this is resolved.

    • Windows box with no credentials?

      If no firewall, run: \\ipaddress\c$ Browse into Users and find out whose profile exists.

      If you do need credentials and it's on the domain, use your domain admin credentials.

    • Can you ping it, resolving by DNS, to see if you recognise the naming convention as what would be a server?

      Maybe run AD info tools by machine to see what it's at.

    • Also, what is the main concern?  Unless someone is pointing to that DNS server - how is it negatively affecting anything?

    • And then disable the Mac ;)

      -M

    • lol, it can't be blocked via a firewall rule, but really if your network is set up properly it shouldn't be a problem at all, as clients wouldn't be requesting from it.

    • Sid Phiilips wrote:

      We should have a contest about what it is and why it's there!  My guess?  "Um, I couldn't get a good wireless signal on my phone so I thought I'd bring this wireless router in from home."

      Been there, done that, educated the user. Apparently keelhauling is frowned upon though, so he got off lightly. 
