Mailing List CGatePro@mail.stalker.com Message #97417
From: Brian Gibson <gibson_brian@wheatoncollege.edu>
Subject: Re: Tracking down an infected pc
Date: Thu, 05 Mar 2009 14:08:00 -0500
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
Can you check your DHCP server logs to see the new IP address that system has now? That might help.

Tom Rymes wrote:
Hi there,

We have recently been blacklisted due to an infected PC sending SPAM directly to hosts via its own MTA. Moving forward, I plan to block port 25 to avoid this, but I am faced with the problem of tracking this PC down, and it hasn't proved easy.

I have the IP address and the MAC address used by the machine, but it does not respond to ping or ARP requests, and the manufacturer decoded from the MAC hasn't proven helpful, either. I have checked all of the PCs in the building (we have no wireless) and none of them are using that IP Address. My guess is that the software is using an alternate IP and MAC.

Anyhow, I'm guessing that the members of this list have had to deal with this at least once or twice before, and I am wondering if anyone has any suggestions as to how I might start to track down this rogue PC.

Thank you,

Tom
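
One way to act on the DHCP-log suggestion above, as an added example that is not part of the original thread: pull every lease acknowledged to the known MAC address, so the current IP, the client-supplied hostname and the serving interface can be read off. It assumes ISC dhcpd syslog lines; the MACs, IPs and hostnames in the sample are constructed.

```python
import re

# Constructed sample in ISC dhcpd syslog format (assumed; adjust ACK_RE for
# other DHCP servers). All MACs, IPs and hostnames below are made up.
SAMPLE_LOG = """\
Mar  5 08:01:13 gw dhcpd: DHCPOFFER on 192.168.1.40 to 00:11:22:33:44:55 (FRONTDESK) via eth1
Mar  5 08:01:13 gw dhcpd: DHCPREQUEST for 192.168.1.40 from 00:11:22:33:44:55 (FRONTDESK) via eth1
Mar  5 08:01:13 gw dhcpd: DHCPACK on 192.168.1.40 to 00:11:22:33:44:55 (FRONTDESK) via eth1
Mar  5 09:15:02 gw dhcpd: DHCPACK on 192.168.1.57 to 00:aa:bb:cc:dd:ee (ACCT-PC3) via eth1
Mar  5 11:30:44 gw dhcpd[812]: DHCPACK on 192.168.1.63 to 00:aa:bb:cc:dd:ee via eth1
Mar  5 13:45:10 gw dhcpd[812]: DHCPACK on 192.168.1.63 to 00:aa:bb:cc:dd:ee (ACCT-PC3) via eth1
"""

# Only DHCPACK lines count: they are the leases the server actually granted.
ACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+dhcpd(?:\[\d+\])?:\s+"
    r"DHCPACK on (?P<ip>\d+(?:\.\d+){3}) to (?P<mac>[0-9a-f:]{17})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)

def normalize_mac(mac):
    """Accept 00-AA-.., 00aa.bbcc.ddee or 00:aa:.. and return 00:aa:.. form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def lease_history(log_text, mac):
    """Return (timestamp, ip, hostname, interface) for each ACK to `mac`, oldest first."""
    wanted = normalize_mac(mac)
    history = []
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if m and m.group("mac") == wanted:
            # The hostname is client-supplied, so treat it as a hint, not proof.
            history.append((m.group("ts"), m.group("ip"), m.group("host"), m.group("iface")))
    return history

def current_lease(log_text, mac):
    """Most recent acknowledged lease for `mac`, or None if it was never seen."""
    history = lease_history(log_text, mac)
    return history[-1] if history else None

if __name__ == "__main__":
    for ts, ip, host, iface in lease_history(SAMPLE_LOG, "00-AA-BB-CC-DD-EE"):
        print(f"{ts}  {ip:<15}  {host or '(no hostname)'}  via {iface}")
```

If the MAC never appears in an ACK line, the address was not handed out by this DHCP server, which points toward a statically configured or spoofed address rather than a normal client lease.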
