On Mon, 20 Aug 2012 23:56:42 +0800 lina <lina.lastn...@gmail.com> wrote:
> On Monday 20,August,2012 11:45 PM, Mika Suomalainen wrote:
> > On 20.08.2012 18:38, lina wrote:
> >>>> How do I know who has this IP address? why s/he didn't change?
> >>>>
> >>>> You probably don't. I don't understand this second question.
> >> The second question is that for those days, the attacker should
> >> think of renewing its IP address, not from the same one.
> >
> > But we don't know if the attacker is a person or a program, which is
> > running without the knowledge of the owner of the computer.
> Yes, it's more like a program. But the owner in this long period has
> never shut down the computer; I'm just a bit surprised that it keeps the
> same IP address.
>

A DHCP client will normally remember its IP address, even if the lease has expired, and on the next connection will request it again. If the server hasn't issued it to anyone else, it will normally comply with the request. Both server and client can be configured not to do this, but in a Windows network it will probably happen to avoid too much need for scavenging out-of-date DNS records, assuming the link between DNS and DHCP has been set up properly.

Or it may be a configured reservation in the DHCP server, i.e. some form of server itself. Or the client can be explicitly configured to request that address when it is available, but there's very little reason to do that when a reservation is a guaranteed method.

Even if the attacker in this case is a human, it may be difficult or impossible to override the network policies. Configuration of networking is limited to people with admin credentials; unprivileged users cannot even issue a DHCP renewal request other than by rebooting the machine.

The quick answer here is to try:

  host <IP address>

which will turn up the hostname of the offending machine if the local DNS server is properly set up.

Or, to at least gain the MAC address of the machine, try inserting an iptables rule on your machine to log incoming ssh connections, e.g. in your INPUT chain, just before the ssh -j ACCEPT command:

  iptables -A INPUT -p tcp --dport 22 -j LOG --log-level debug --log-prefix "SSH IN:"

which will normally log to syslog and also /var/log/debug.

I'd have thought the network admin would keep a list of MAC addresses on the network. In fact, the easiest answer of all is for the admin to look at the DHCP and DNS server records. Or there are programs which will scan the network for hostnames, MAC addresses and open ports, but I couldn't possibly suggest the use of such software, which may well be a hanging offence in some places. On the other hand, they're harbouring an ssh worm...

-- 
Joe

Archive: http://lists.debian.org/20120820195214.3d2db...@jretrading.com
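Once the iptables LOG rule from Joe's reply is in place, the syslog lines it writes still have to be read. The following is an added example (not part of the thread) that parses those kernel LOG lines and tallies source IP and source MAC per sender; it assumes the standard field layout of netfilter's LOG target, and the sample log lines are constructed, not real traffic.

```python
import re
from collections import Counter

# Field pattern for lines written by netfilter's LOG target. The MAC= value is
# the raw Ethernet header: destination MAC (6 bytes), source MAC (6 bytes),
# ethertype (2 bytes), all as colon-separated hex.
FIELD_RE = re.compile(r"\b(IN|MAC|SRC|DST|PROTO|SPT|DPT)=(\S*)")
# Prefix from --log-prefix; the kernel puts "IN=" right after it: "SSH IN:IN=eth0".
LOG_PREFIX = "SSH IN:"

def parse_log_line(line):
    """Parse one 'SSH IN:' kernel LOG line; return None for any other line."""
    if LOG_PREFIX not in line:
        return None
    fields = dict(FIELD_RE.findall(line.split(LOG_PREFIX, 1)[1]))
    if fields.get("PROTO") != "TCP" or fields.get("DPT") != "22":
        return None
    parts = fields.get("MAC", "").split(":")
    # Bytes 6..11 of the header are the source MAC. This is the sender's own
    # MAC only when it sits on the same LAN segment; across a router it is the
    # router's MAC, and only the SRC= address tells you anything.
    src_mac = ":".join(parts[6:12]) if len(parts) == 14 else None
    return {"iface": fields.get("IN"), "src_ip": fields.get("SRC"),
            "src_mac": src_mac, "sport": fields.get("SPT")}

def count_sources(lines):
    """Tally logged SSH packets per (source IP, source MAC). The rule as given
    logs every packet; add --syn to it to count only new connection attempts."""
    counts = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec is not None:
            counts[(rec["src_ip"], rec["src_mac"])] += 1
    return counts

# Constructed sample syslog lines (not real traffic) in the format the rule produces.
SAMPLE_LOG = [
    "Aug 20 19:52:14 myhost kernel: SSH IN:IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.5 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=43210 DPT=22 "
    "WINDOW=5840 RES=0x00 SYN URGP=0",
    "Aug 20 19:52:15 myhost kernel: SSH IN:IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.5 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=43211 DPT=22 "
    "WINDOW=5840 RES=0x00 SYN URGP=0",
    "Aug 20 19:52:16 myhost sshd[1234]: Invalid user admin from 192.0.2.10",
]
```

Feed it the matching lines from syslog or /var/log/debug (e.g. `count_sources(open("/var/log/debug"))`) and the most frequent (IP, MAC) pair is the machine to look up in the DHCP and DNS records.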