
Glad to read that! Phew. :-) Check out the traffic that the source is generating and see its interest in your network. Then leave a small window open to it, possibly 32 bytes, enough to run a ping packet. Since your network may not be busy at night, it is easier to identify the cause. Whatever opened up your network, and say the local computer/device logs on in the morning, the spoof will become active again. This time they cannot openly move in your network looking for shared folders or weak passwords due to the byte limit. This gives you enough time to fix the situation, but I cannot stress enough that your network is in a critical state, so anything that is pending patches or updates is a target. Good luck.
On Fri, May 14, 2010 at 10:00 PM, Simon Mbuthia <simon.mbuthia@gmail.com> wrote:
I blocked them on iptables... but I'm still investigating.
On 14 May 2010 21:58, aki <aki275@googlemail.com> wrote:
Hey Simon, I hope you know how urgent and critical your network situation is. I'd not wait until Monday. Anyway, it's up to you to understand the real risk the spoof is carrying, since you manage your network. Personally, I'd already have shut down the reserved subnets as I wrote earlier. HTH.