A Windows administration puzzle

A friend brings up this quandary:

You're a low-rung system administrator for a university network. A machine somewhere is spewing a virus; you have its IP. You're instructed to find and patch it. How?

My friend assumed he had to find the hostname to know where it is. Most of us he spoke to being UNIXites, I suggested ping -a to do a DNS lookup (no, apparently it doesn't have a DNS name), and others suggested traceroute etc (no, he doesn't know the switches' IPs so that wouldn't help; do switches even have IPs that would show in a traceroute?). Another friend suggested smbclient -L if it's open for file sharing, and the querent hasn't responded to that yet.

Is there an easy answer we've missed?

4 comments

TrackBack

Listed below are links to weblogs that reference A Windows administration puzzle:

» The Virus-Laden Machine Hunters from Ron Lusk
Finding an infected PC on the network [Read More]

Tracked on November 18, 2003 10:43 AM

Comments

Andy

comment

Bah. Switches will have IP’s you can trace, hubs will not. If there are honest-to-Roxy switches between you and the bad computer, it should narrow the search.

I would also suggest using Windows (or a suitable NetBIOS system) to look it up ala: \255.255.255.0

Failing that, check the DNS tables for IP’s near that. They may be in a similar range/area.

Mark

comment

Yeah, he explained traceroute wouldn’t help because, although it would give him the switches’ IPs, he didn’t have a network map or anything to know where to find a machine connected to switch X. Most of us protested about that, really, but he was adamant (especially that he was disallowed from asking whoever there would know).

I told him I didn’t suppose accessing it as a UNC name (the \255.255.255.0 thing, right?) would work; I didn’t think the Windows UI exposes that. But maybe it does!

Will Cox

comment

He can find the name of the logged on user, the hostname, the domain name, and any other NetBIOS-registered services by asking the remote machine’s NetBIOS name cache. C:>nbtstat -a x.x.x.x

Ethernet: Node IpAddress: [x.x.x.x] Scope Id: []

NetBIOS Remote Machine Name Table Name Type Status --------------------------------------------- MYMACHINENAME UNIQUE Registered MYDOMAIN GROUP Registered MYMACHINENAME UNIQUE Registered MYMACHINENAME UNIQUE Registered MYUSERNAME UNIQUE Registered MAC Address = xx-xx-xx-xx-xx-xx