
Hey Simon,
I hope you know how urgent and critical your network situation is. I'd not wait until Monday. Anyway, it's up to you to understand the real risk the spoof is carrying since you manage your network. Personally, I'd already have shut down the reserved subnets as I wrote earlier. HTHs.
On Fri, May 14, 2010 at 9:01 PM, Simon Mbuthia <simon.mbuthia@gmail.com> wrote:
Hi aki,
The interesting thing is that the spoofing computer appears to be in my LAN because it's accessing the firewall through the internal interface. I did a packet sniff using Wireshark on "ip.src == 10.230.0.63" and got the ethernet address, then did another scan with the expression "ethernet.src == wh.at.i.got" and I got different LAN IP addresses... do I have a botnet or what?? The ethernet address is for a 3Com device. I have 3Com switches in my LAN. But 3Com switches aren't configured with IP addresses etc... unless 3Com themselves hardwired the configurations onto the devices... Anyway, my investigations continue on Monday.
Let me know what you think.
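
The two-step check described in the message above (find the Ethernet address behind one source IP, then list every source IP that address sends from), as an added Python example that is not part of the original thread. The MAC addresses, every IP other than 10.230.0.63, and all function names are constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

ETH_IPV4, ETH_VLAN = 0x0800, 0x8100

def parse_frame(frame):
    """Return (src_mac, src_ip) for an IPv4-over-Ethernet frame, else None."""
    if len(frame) < 14:
        return None
    src_mac = frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == ETH_VLAN:  # skip a single 802.1Q tag
        if len(frame) < 18:
            return None
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    if ethertype != ETH_IPV4 or len(frame) < offset + 20:
        return None  # ARP, IPv6, truncated frames are ignored
    return src_mac, socket.inet_ntoa(frame[offset + 12:offset + 16])

def multi_ip_macs(frames):
    """Map each source MAC seen with more than one source IP to those IPs."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed:
            seen[parsed[0]].add(parsed[1])
    return {mac: sorted(ips) for mac, ips in seen.items() if len(ips) > 1}

def make_frame(src_mac, src_ip, vlan=None, ethertype=ETH_IPV4):
    """Build a constructed header-only frame for the sample below."""
    eth = bytes.fromhex("ffffffffffff") + bytes.fromhex(src_mac.replace(":", ""))
    if vlan is not None:
        eth += struct.pack("!HH", ETH_VLAN, vlan)
    eth += struct.pack("!H", ethertype)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton("10.230.0.1"))
    return eth + ip

# Constructed sample capture: one MAC sourcing three IPs, one ordinary host.
SAMPLE = [
    make_frame("02:00:00:aa:bb:01", "10.230.0.63"),
    make_frame("02:00:00:aa:bb:01", "10.230.0.17", vlan=10),
    make_frame("02:00:00:aa:bb:01", "10.230.0.88"),
    make_frame("02:00:00:aa:bb:02", "10.230.0.40"),
    make_frame("02:00:00:aa:bb:02", "10.230.0.40", ethertype=0x0806),
]
```

A MAC that appears with several source IPs is not by itself proof of spoofing: frames forwarded by a router or layer-3 switch carry that device's MAC as the Ethernet source while keeping the original hosts' IP addresses.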