
Got a strange hacker problem on our network.

Status
Not open for further replies.

Hexes (Programmer), Oct 21, 2010
Hey everyone,

I need some help. A few days ago I detected that one of our servers had an IP conflict. When I moved the server to a new IP address, I realized that if I ping the old IP address it still replies, and I am 100% sure there is no physical or virtual server on that IP address.
I can't get any info from the IP address and I can't get rid of it.
I completely cut that network off from the internet by physically disconnecting it from the firewall. There are only 9 servers connected on 2 switches, no other connections, but still the IP is there and pinging, so one of the servers must be compromised, and due to the complexity of the servers I can't shut them off to find the problem server.
My question now is: so far I can only ping it, nothing else. How do I track it and get rid of it?
The server network is a mix of Windows, Linux and virtual servers, with virtual servers running on them.
Any ideas or comments are welcome and appreciated.
 
Until an expert chimes in with the correct answer:
Try entering \\<the IP number> in Windows Explorer.

Where does that take you?
Is there an identifying file on the root drive?
 
This is a sticky situation. You need to determine if there is a compromise and, if so, take appropriate action. You say that you can't "shut things off" to isolate it, but if you do have a true compromise you could have problems far beyond those of turning the machines off: data loss, information theft, compromise of clients and other employee machines, etc.

At the same time, turning the machines off is probably not the best move, as it could destroy the evidence needed to determine if there is a problem. You would be much better served to isolate each machine one at a time, either by unplugging it or by putting a firewall in front of it that only allows remote access from a trusted system while investigating.

You will want to look for any unusual processes, users, events, etc. How you go about this will depend on which machine is causing the problem (Windows versus Linux). It is also entirely possible that there is a simple configuration error or some other problem rather than a compromise. You will need to investigate to determine which.

If you do have a compromise, you could try to port scan the IP to see what services it is running and what ports it has open; there is some risk that doing so tips off the individual responsible, but it will get you more information. You could then try to telnet or ssh in, access the web server, or anything like that if those services are available. Also try using nslookup to see if you get a host name back, and look at your logs (DNS, DHCP, access lists, etc.).
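
The reply above covers port scanning, name lookups and log review. The other step a practitioner would take to find which of the nine boxes actually answers for a phantom address is to go one layer down: read the MAC address that the ARP cache holds for the IP, check its vendor prefix (a VMware OUI points at a VM even where "no VM should be"), and then find which switch port carries that MAC. The script below is an added example, not code from the thread or its posters; the ARP output and the Cisco-style MAC table are constructed samples, and every IP, MAC and port name in it is made up for illustration. It parses those samples rather than running `ip neigh` or logging into a switch, so it runs offline; replace the two sample variables with real command output to use it.

```sh
#!/bin/sh
# Added example: trace an IP that answers ping but belongs to no known server.
# Step 1: IP -> MAC from the ARP cache.   Step 2: MAC -> switch port from the MAC table.
# All addresses, MACs and port names below are constructed for illustration.

# Constructed sample of `ip neigh show` on a Linux host in the server VLAN.
ARP_SAMPLE='10.0.5.10 dev eth0 lladdr 00:50:56:9a:11:22 REACHABLE
10.0.5.11 dev eth0 lladdr 00:1a:2b:3c:4d:5e STALE
10.0.5.12 dev eth0 lladdr 00:0c:29:aa:bb:cc REACHABLE
10.0.5.13 dev eth0 FAILED'

# Constructed sample of a Cisco-style `show mac address-table` dump for VLAN 5.
MAC_TABLE_SAMPLE='Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   5    0050.569a.1122    DYNAMIC     Gi0/1
   5    001a.2b3c.4d5e    DYNAMIC     Gi0/7
   5    000c.29aa.bbcc    DYNAMIC     Gi0/1'

# mac_for_ip IP -> MAC the ARP cache holds for IP (empty if the IP never answered ARP).
mac_for_ip() {
    printf '%s\n' "$ARP_SAMPLE" | awk -v ip="$1" '$1 == ip && $4 == "lladdr" { print $5; exit }'
}

# to_cisco_mac aa:bb:cc:dd:ee:ff -> aabb.ccdd.eeff (the notation the switch table uses).
to_cisco_mac() {
    printf '%s' "$1" | tr -d ':' | sed 's/\(....\)\(....\)\(....\)/\1.\2.\3/'
}

# port_for_mac MAC -> switch port the MAC was learned on (empty if not in the table).
port_for_mac() {
    cmac=$(to_cisco_mac "$1")
    printf '%s\n' "$MAC_TABLE_SAMPLE" | awk -v m="$cmac" '$2 == m { print $4; exit }'
}

# vendor_hint MAC -> coarse OUI classification; VMware prefixes (00:50:56, 00:0c:29, 00:05:69)
# mean the address belongs to a virtual NIC, however the hypervisor inventory looks.
vendor_hint() {
    case "$1" in
        00:50:56:*|00:0c:29:*|00:05:69:*) echo "VMware" ;;
        *) echo "unknown" ;;
    esac
}

# macs_on_port PORT -> number of MACs learned on PORT. More than one on an access port
# means a hypervisor or bridge sits behind it, so the phantom host is a guest on that box.
macs_on_port() {
    printf '%s\n' "$MAC_TABLE_SAMPLE" | awk -v p="$1" '$4 == p' | wc -l | tr -d ' '
}

# track_ip IP -> one summary line: MAC, vendor hint, switch port and how crowded the port is.
track_ip() {
    mac=$(mac_for_ip "$1")
    if [ -z "$mac" ]; then
        echo "$1: no ARP entry, nothing on this segment answered for it"
        return 1
    fi
    port=$(port_for_mac "$mac")
    echo "$1 -> $mac ($(vendor_hint "$mac")) -> port ${port:-not in MAC table}, $(macs_on_port "$port") MAC(s) on that port"
}

track_ip 10.0.5.12
```

With the sample data, 10.0.5.12 resolves to a VMware MAC on Gi0/1, a port that also carries a second VMware MAC, which is exactly the "there is no server on that IP" situation: the address lives on a guest behind the host plugged into Gi0/1. Run `arp -a` on Windows or `ip neigh` on Linux for the first step, and use whatever your switch's MAC-table command is for the second; if the IP has no ARP entry at all, nothing on the local segment is answering and the reply is coming from somewhere else (a router or proxy ARP), which is a different investigation.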

 
Thanks for all the help, I do appreciate it, and I found the problem. It was indeed a cracker that got into a Windows server and then set up an ssh link from our one Linux server to the outside, to a network with virtually no security. To be sure, we closed all the open spots he left and reloaded the systems one by one, making sure the Linux firewalls were 100% in place on all systems. All is running well now, and thanks again for the help and replies.
 
