Identifying an infected server

We are a small ISP using a back office provider for e-mail. We have DSL using bridged ethernet with dynamic IP addresses. We do not have the MAC addresses of our users. We have noticed that a customer at one of our IP addresses has the Red worm on a server he is using. How do we find him?

You should be using some form of I&A with your DHCP server that allocates your dynamic addresses. You then need to correlate the IP address being used by the CodeRed worm with your DHCP logs to determine the customer with which you are having problems.

If you do not have any I&A before allocating an IP address, or no logs to associate who was given which IP address at what times, you have bigger security problems than just one customer infected with CodeRed.
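The correlation described above, as an added example that is not part of the original answer: it rebuilds lease intervals from DHCP events and looks up who held an address at the moment worm traffic was seen. The log layout, the `ASSIGN`/`RELEASE` event names, the subscriber IDs and the addresses are all constructed assumptions, not any particular DHCP server's format.

```python
from datetime import datetime

# Constructed lease events: time, event, IP, subscriber id. The layout is an
# assumption for illustration, not a real DHCP server's log format.
LEASE_LOG = """\
2001-08-01T08:00:00 ASSIGN 203.0.113.25 subscriber-1041
2001-08-01T20:00:00 RELEASE 203.0.113.25 subscriber-1041
2001-08-01T20:05:00 ASSIGN 203.0.113.25 subscriber-2277
2001-08-01T21:00:00 ASSIGN 203.0.113.40 subscriber-1041
"""

def parse_leases(text):
    """Turn ASSIGN/RELEASE events into (ip, subscriber, start, end) intervals."""
    open_leases, intervals = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event, ip, subscriber = line.split()
        when = datetime.fromisoformat(stamp)
        if event == "ASSIGN":
            # A new ASSIGN on an IP implicitly ends any lease still open on it.
            if ip in open_leases:
                prev_sub, start = open_leases.pop(ip)
                intervals.append((ip, prev_sub, start, when))
            open_leases[ip] = (subscriber, when)
        elif event == "RELEASE" and ip in open_leases:
            prev_sub, start = open_leases.pop(ip)
            intervals.append((ip, prev_sub, start, when))
    # Leases that were never released are still active: end is None.
    for ip, (sub, start) in open_leases.items():
        intervals.append((ip, sub, start, None))
    return intervals

def holder_at(intervals, ip, stamp):
    """Return the subscriber holding `ip` at `stamp`, or None if no lease covers it."""
    when = datetime.fromisoformat(stamp)
    for lease_ip, sub, start, end in intervals:
        if lease_ip == ip and start <= when and (end is None or when < end):
            return sub
    return None

if __name__ == "__main__":
    leases = parse_leases(LEASE_LOG)
    # Constructed sightings of worm traffic: (source IP, time observed).
    for ip, stamp in [("203.0.113.25", "2001-08-01T12:30:00"),
                      ("203.0.113.25", "2001-08-01T22:10:00")]:
        print(ip, stamp, "->", holder_at(leases, ip, stamp))
```

The same address maps to two different customers depending on the time, so the lookup is only reliable when the DHCP server and the system reporting the worm traffic use synchronized clocks and the same time zone.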

This was last published in September 2001
