Q

Identifying an infected server

We are a small ISP using a back office provider for e-mail. We have DSL using bridged ethernet with dynamic IP addresses. We do not have the MAC addresses of our users. We have noticed that a customer at one of our IP addresses has the Red worm on a server he is using. How do we find him?


You should be using some form of I&A with your DHCP server that allocates your dynamic addresses. You then need to correlate the IP address being used by the CodeRed worm with your DHCP logs to determine the customer with which you are having problems.

If you do not have any I&A before allocating an IP address, or no logs to associate who was given which IP address at what times, you have bigger security problems than just one customer infected with CodeRed.


This was first published in September 2001
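The correlation the answer describes, sketched as an added example that is not part of the original answer. The lease-record layout, the subscriber field (the identity captured by I&A at allocation time) and all sample values are assumptions constructed for illustration; timestamps are assumed to be UTC on both sides.

```python
import csv
from datetime import datetime, timezone
from io import StringIO

# Constructed sample data: lease_start, lease_end (UTC), ip, mac, subscriber.
# The column layout and the subscriber field are assumptions for this example.
LEASE_LOG = """\
2001-08-05T00:10:00Z,2001-08-05T12:10:00Z,192.0.2.44,00:00:5e:00:53:01,cust-1017
2001-08-05T12:10:00Z,2001-08-06T00:10:00Z,192.0.2.44,00:00:5e:00:53:01,cust-1017
2001-08-06T03:30:00Z,2001-08-06T15:30:00Z,192.0.2.44,00:00:5e:00:53:9a,cust-2230
2001-08-06T03:45:00Z,2001-08-06T15:45:00Z,192.0.2.45,00:00:5e:00:53:01,cust-1017
"""

# Constructed sightings: (time, source IP) at which worm traffic was observed.
SIGHTINGS = [
    ("2001-08-05T14:02:11Z", "192.0.2.44"),
    ("2001-08-06T09:15:40Z", "192.0.2.44"),  # same IP, reassigned by now
    ("2001-08-06T01:00:00Z", "192.0.2.44"),  # falls in a gap between leases
]

def parse_ts(text):
    """Parse an ISO-style UTC timestamp into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def load_leases(log_text):
    """Turn lease log text into (start, end, ip, mac, subscriber) tuples."""
    leases = []
    for start, end, ip, mac, subscriber in csv.reader(StringIO(log_text)):
        leases.append((parse_ts(start), parse_ts(end), ip, mac, subscriber))
    return leases

def holder_at(leases, ip, when):
    """Return (subscriber, mac) holding `ip` at `when`, or None if no lease covers it."""
    for start, end, lease_ip, mac, subscriber in leases:
        if lease_ip == ip and start <= when < end:
            return subscriber, mac
    return None

def attribute(leases, sightings):
    """Map every sighting to the lease holder at that exact time."""
    return [(ts, ip, holder_at(leases, ip, parse_ts(ts))) for ts, ip in sightings]

if __name__ == "__main__":
    for ts, ip, holder in attribute(load_leases(LEASE_LOG), SIGHTINGS):
        print(ts, ip, holder or "no lease on record")
```

Because the addresses are dynamic, the same IP resolves to different subscribers at different times, so each sighting has to be matched on its own timestamp rather than on the IP alone.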
