Ask the Expert

Identifying an infected server

We are a small ISP using a back office provider for e-mail. We have DSL using bridged ethernet with dynamic IP addresses. We do not have the MAC addresses of our users. We have noticed that a customer at one of our IP addresses has the Red worm on a server he is using. How do we find him?



You should be using some form of I&A with your DHCP server that allocates your dynamic addresses. You then need to correlate the IP address being used by the CodeRed worm with your DHCP logs to determine the customer with which you are having problems.

If you do not have any I&A before allocating an IP address, or no logs to associate who was given which IP address at what times, you have bigger security problems than just one customer infected with CodeRed.
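The correlation described in the answer, as an added example that is not part of the original column: given the time an address was seen scanning, find which authenticated subscriber held the lease at that moment. The log line format, subscriber ids and function names are assumptions made for illustration, and the addresses are from a documentation range.

```python
from datetime import datetime, timedelta

# Constructed sample log. The line format (time, event, IP, authenticated
# subscriber id, lease seconds) is an assumption, not a real server's format.
SAMPLE_LOG = """\
2001-08-04T01:00:00 ACK 203.0.113.45 cust-1042 3600
2001-08-04T01:30:00 ACK 203.0.113.46 cust-2210 3600
2001-08-04T01:50:00 RELEASE 203.0.113.45 cust-1042 0
2001-08-04T02:05:00 ACK 203.0.113.45 cust-3377 3600
2001-08-04T03:00:00 ACK 203.0.113.45 cust-3377 3600
"""

def build_leases(log_text):
    """Turn ACK/RELEASE events into (ip, subscriber, start, end) intervals."""
    leases = []
    latest = {}  # ip -> index in `leases` of the most recent lease for that ip
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than guessing
        ts, event, ip, subscriber, secs = parts
        when = datetime.fromisoformat(ts)
        idx = latest.get(ip)
        cur = leases[idx] if idx is not None else None
        if event == "ACK":
            end = when + timedelta(seconds=int(secs))
            if cur and cur[1] == subscriber and when <= cur[3]:
                # Renewal by the same subscriber: extend the existing interval.
                leases[idx] = (ip, subscriber, cur[2], end)
            else:
                if cur and when < cur[3]:
                    # Address handed to someone else early: close the old lease.
                    leases[idx] = cur[:3] + (when,)
                leases.append((ip, subscriber, when, end))
                latest[ip] = len(leases) - 1
        elif event == "RELEASE" and cur and cur[1] == subscriber:
            leases[idx] = cur[:3] + (min(when, cur[3]),)
    return leases

def who_held(leases, ip, when):
    """Subscribers whose lease on `ip` covered `when` (start <= when < end).

    `when` must be on the same clock and time zone as the DHCP log."""
    return [sub for lip, sub, start, end in leases
            if lip == ip and start <= when < end]
```

Because the address changes hands, the same IP resolves to different subscribers at different times, and an empty result means no lease covered the reported time.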


This was first published in September 2001
