Strange logon attempts

Posted by Matt on June 14, 2006, 10:55 am
I have recently taken over a network. I started to audit failed logon
attempts and am finding a particular computer trying to log on as my
desktop tech once or twice a day. The attempts are coming from a
computer name that I do not recognize. When this first started
happening, I couldn't find a reference for this computer anywhere in my
network. Just yesterday, I found that it was given an IP address lease
a few days ago. What can I do to find where this PC is??


Posted by Bit Twister on June 14, 2006, 11:12 am
On 14 Jun 2006 07:55:36 -0700, Matt wrote:
> I have recently taken over a network. I started to audit failed logon
> attempts and am finding a particular computer trying to log on as my
> desktop tech once or twice a day. The attempts are coming from a
> computer name that I do not recognize. When this first started
> happening, I couldn't find a reference for this computer anywhere in my
> network. Just yesterday, I found that it was given an IP address lease
> a few days ago. What can I do to find where this PC is??

Do a trace route on its ip address,
find the router closest to the pc,
start chasing each wire to each pc,
login and check ip address.

Other option, log into ip address, and snoop the files and maybe you can
find an email address or something.

Posted by Todd H. on June 14, 2006, 11:22 am
> I have recently taken over a network. I started to audit failed logon
> attempts and am finding a particular computer trying to log on as my
> desktop tech once or twice a day. The attempts are coming from a
> computer name that I do not recognize. When this first started
> happening, I couldn't find a reference for this computer anywhere in my
> network. Just yesterday, I found that it was given an IP address lease
> a few days ago. What can I do to find where this PC is??

Depends on your network topology.

Take that IP address, get to the subnet it's on via tracert, get to a
machine on that network, arp for that IP to get the mac address,
access the switch for that lan (hopefully it's a managed one) and find
out what port of the switch has the mac address associated with that
ip, find out what cable's plugged into that port, then track that down
to a physical machine.

Now, if it's a wirelessly connected machine, then your job becomes
more interesting.

--
Todd H.
http://www.toddh.net/

Posted by Juergen Nieveler on June 14, 2006, 3:58 pm

> What can I do to find where this PC is??

Delete the computer account from the domain (citing a major security
problem), then wait for the user to come and complain. Oh, and complain
to your boss that nobody maintained a proper hardware inventory
database.


Juergen Nieveler
--
Mary had a little RAM -- only about a MEG or so.

Posted by Walter Roberson on June 14, 2006, 5:58 pm
> I have recently taken over a network. I started to audit failed logon
> attempts and am finding a particular computer trying to log on as my
> desktop tech once or twice a day. The attempts are coming from a
> computer name that I do not recognize. When this first started
> happening, I couldn't find a reference for this computer anywhere in my
> network. Just yesterday, I found that it was given an IP address lease
> a few days ago. What can I do to find where this PC is??

If you have managed switches or routers:

- ping the IP address, and then examine your arp table to determine
the MAC address. Then use SNMP to poll all of your managed switches
and routers, looking for that MAC address in the port tables.
Note that the switch port ARP tables might expire within a few minutes,
so you might have to monitor for some time in order to determine
the port locations.


If you do not have managed switches:
- first install managed switches; then apply procedure above ;-)


On the SNMP side, you want ipNetToMediaTable entries if you can
get them, but you will probably only get useful ones on routers.
Devices like printers are more likely to have atTable entries, which
are about as useful, but again you usually don't get useful
entries from switches. (It can be useful to poll service devices
such as servers and printers, because the target host might be
talking to one of them at times it doesn't happen to be talking
to anything topologically "near" you.)

For the switches I was using, the most likely OID to be useful was
.1.3.6.1.2.17.4.3.1 which looked like this:

17.4.3.1.1.0.80.186.72.179.154 = Hex: 00 50 BA 48 B3 9A
17.4.3.1.2.0.80.186.72.179.154 = 48

The .1 or .2 is followed in the OID by the *decimal* expansion of
the target device MAC. The .1 entry then reproduces that MAC
except in Hex (which might be easier for you to read), and
the .2 entry is the port number the device was attached to.

Note that the above OIDs are not standardized ones, and the
treatment of MAC entries within VLANs varies depending on manufacturer
and SNMP MIBs adhered to.

Useful descriptions of the interfaces are at
.1.3.6.1.2.1.2.31.1.1.1.1 for some switches and routers, and more
standardly (but sometimes less usefully) at .1.3.6.1.2.1.2.2.1.2
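The IP -> MAC -> switch port chase that Todd H. describes, and the forwarding-table OID layout Walter Roberson shows above, put into one script as an added example (this is not code from the thread or from any of the posters). It assumes `snmpwalk -On`-style numeric output, the standard BRIDGE-MIB forwarding table at .1.3.6.1.2.1.17.4.3.1 (address column .1, bridge-port column .2, indexed by the MAC as six decimal octets, exactly as in the sample above), the dot1dBasePortIfIndex column at .1.3.6.1.2.1.17.1.4.1.2 to turn a bridge port into an ifIndex, and the ifDescr OID the post gives. The walk output, the ARP table (Linux /proc/net/arp format) and the interface names are all constructed sample data.

```python
"""Locate the switch port behind an IP address from SNMP walk output.

Added example, not from the thread. Parses numeric snmpwalk output
of BRIDGE-MIB (dot1dTpFdbPort, dot1dBasePortIfIndex) and IF-MIB
(ifDescr), decodes the decimal-octet MAC index, and joins it with an
ARP entry for the IP in question. All sample data below is constructed.
"""
import re
from typing import Dict, Optional

# Standard OIDs (BRIDGE-MIB / IF-MIB). The thread's ".1.3.6.1.2.17..."
# prefix omits the mib-2 ".1"; these are the full, registered ones.
OID_FDB_ADDRESS = ".1.3.6.1.2.1.17.4.3.1.1"      # dot1dTpFdbAddress
OID_FDB_PORT = ".1.3.6.1.2.1.17.4.3.1.2"         # dot1dTpFdbPort (bridge port)
OID_BASEPORT_IFINDEX = ".1.3.6.1.2.1.17.1.4.1.2" # dot1dBasePortIfIndex
OID_IFDESCR = ".1.3.6.1.2.1.2.2.1.2"             # ifDescr

# Constructed walk output: two learned MACs, their bridge ports,
# the port->ifIndex mapping and the interface descriptions.
SAMPLE_WALK = """\
.1.3.6.1.2.1.17.4.3.1.1.0.80.186.72.179.154 = Hex-STRING: 00 50 BA 48 B3 9A
.1.3.6.1.2.1.17.4.3.1.1.0.12.41.2.3.4 = Hex-STRING: 00 0C 29 02 03 04
.1.3.6.1.2.1.17.4.3.1.2.0.80.186.72.179.154 = INTEGER: 48
.1.3.6.1.2.1.17.4.3.1.2.0.12.41.2.3.4 = INTEGER: 3
.1.3.6.1.2.1.17.1.4.1.2.48 = INTEGER: 10048
.1.3.6.1.2.1.17.1.4.1.2.3 = INTEGER: 10003
.1.3.6.1.2.1.2.2.1.2.10048 = STRING: FastEthernet0/48
.1.3.6.1.2.1.2.2.1.2.10003 = STRING: FastEthernet0/3
"""

# Constructed ARP table in /proc/net/arp layout (IP, HW type, flags, MAC, ...).
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.77     0x1         0x2         00:50:ba:48:b3:9a     *        eth0
192.168.1.10     0x1         0x2         00:0c:29:02:03:04     *        eth0
"""

# "<oid> = <TYPE>: <value>"; the type tag is optional.
LINE_RE = re.compile(r"^(?P<oid>\.[\d.]+)\s*=\s*(?:(?P<type>[\w-]+):\s*)?(?P<value>.*)$")


def parse_walk(text: str) -> Dict[str, str]:
    """Map each OID in snmpwalk -On output to its value, minus the type tag."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            table[m.group("oid")] = m.group("value").strip()
    return table


def mac_from_oid_suffix(suffix: str) -> str:
    """Decode the decimal-octet index '0.80.186.72.179.154' -> '00:50:ba:48:b3:9a'."""
    octets = [int(x) for x in suffix.split(".")]
    if len(octets) != 6 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"not a MAC index: {suffix}")
    return ":".join(f"{o:02x}" for o in octets)


def fdb_ports(table: Dict[str, str]) -> Dict[str, int]:
    """MAC -> bridge port number, built from the dot1dTpFdbPort rows."""
    prefix = OID_FDB_PORT + "."
    return {mac_from_oid_suffix(oid[len(prefix):]): int(value)
            for oid, value in table.items() if oid.startswith(prefix)}


def port_name(table: Dict[str, str], bridge_port: int) -> Optional[str]:
    """Bridge port -> ifIndex (dot1dBasePortIfIndex) -> ifDescr, or None if unmapped."""
    ifindex = table.get(f"{OID_BASEPORT_IFINDEX}.{bridge_port}")
    return None if ifindex is None else table.get(f"{OID_IFDESCR}.{ifindex}")


def arp_lookup(arp_text: str, ip: str) -> Optional[str]:
    """Return the MAC recorded for ip in /proc/net/arp-style text, or None."""
    for line in arp_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == ip:
            return fields[3].lower()
    return None


def locate(ip: str, arp_text: str, walk_text: str) -> Dict[str, object]:
    """Resolve ip -> MAC -> bridge port -> interface name; None marks each missing step."""
    table = parse_walk(walk_text)
    mac = arp_lookup(arp_text, ip)
    port = fdb_ports(table).get(mac) if mac else None
    return {"ip": ip, "mac": mac, "bridge_port": port,
            "interface": port_name(table, port) if port is not None else None}


if __name__ == "__main__":
    print(locate("192.168.1.77", SAMPLE_ARP, SAMPLE_WALK))
```

In practice the two text inputs come from `cat /proc/net/arp` right after pinging the target and from `snmpwalk -On` against each managed switch; because forwarding entries age out within minutes (as the post warns), run the walk on a schedule and keep the first hit per switch. A `None` in `bridge_port` means the switch never saw that MAC during the poll, and a `None` in `interface` means the bridge port had no ifIndex mapping, which is where the post's VLAN caveat bites: on many switches the forwarding table is kept per VLAN and the walk has to be repeated for each.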
