Help Needed to detect origin of attack.

Status
Not open for further replies.
Sep 3, 2003
GT
Hello Everyone!

To make a long story short: I work for a small city government with little or no investment on IT. We run an old app. built on Informix 4SE, running over a SCO 5.0.5 server.
I recently detected a security breach, and although I have searched in many logs, I am still missing one piece of information to glue everything together:
I need to find out which host (preferably by MAC address) was utilized to connect to the system on a specific tty at a specific time, via Ethernet. (I know the number of the tty, the lapse of time in which the attack happened, and a static IP used by the attacker (internal job); however, I need to confirm the computer ID via MAC to positively identify the attack and attacker.)

Is there any way to know this in SCO?

Also, from recently I get a whole bunch of these messages on my syslog:
Sep 2 17:37:20 <myhost> telnetd[10582]: can't find user in protected password database

What does that mean? How can I track it in a more specific way?

Thank you so much for any help you could give me.
 
If I recall correctly, that message is normal when someone enters an invalid username or invalid characters at the username prompt.

I don't suppose you're lucky enough that the IP is still visible on the network? If so you may be able to retrieve the MAC from the ARP tables? If it's not on the same network segment as the server then you're out of luck there and would need help from your network administrators.

Annihilannic.
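As an added illustration of the two suggestions above (it is not code from the thread or from any SCO tool), the script below parses syslog lines in the format quoted in the question, buckets the telnetd "can't find user" messages per hour so a burst stands out from the normal background of mistyped usernames, and then resolves the suspect IP against an ARP table dump. The hostname, PIDs, IPs and MACs are constructed sample values, and the ARP dump uses an assumed generic "host (ip) at mac" layout; the real output of arp -a differs between Unix variants, so the regular expression may need adjusting. As noted in the reply, the ARP lookup only works while the entry is still in the table and the host is on the same segment as the server.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample syslog lines (hostname, PIDs and times are placeholders),
# following the format quoted in the question.
SYSLOG_SAMPLE = """\
Sep  2 17:37:20 <myhost> telnetd[10582]: can't find user in protected password database
Sep  2 17:37:25 <myhost> telnetd[10583]: can't find user in protected password database
Sep  2 17:38:01 <myhost> telnetd[10584]: can't find user in protected password database
Sep  2 18:02:44 <myhost> login[10590]: ROOT LOGIN ON tty1a
Sep  2 21:15:09 <myhost> telnetd[10601]: can't find user in protected password database
"""

# Constructed ARP table dump in an assumed "host (ip) at mac" layout;
# adjust ARP_RE to match the real `arp -a` output of the system in question.
ARP_SAMPLE = """\
ws12 (192.168.1.12) at 00:11:22:33:44:55
printer (192.168.1.40) at 00:AA:BB:CC:DD:EE
"""

# BSD-style syslog prefix: "Mon dd hh:mm:ss host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (\w+)\[(\d+)\]: (.*)$"
)
ARP_RE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-fA-F:]{17})")


def parse_syslog(text, year=2003):
    """Turn raw syslog text into a list of event dicts with real timestamps.
    Syslog lines carry no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the expected prefix
        mon, day, hms, host, prog, pid, msg = m.groups()
        ts = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": host, "prog": prog, "pid": int(pid), "msg": msg})
    return events


def failed_telnet_logins_per_hour(events):
    """Count telnetd 'can't find user' messages per hour bucket.
    A handful per day is normal typo noise; a dense cluster in one hour
    is what to line up against the known attack window."""
    counts = Counter()
    for e in events:
        if e["prog"] == "telnetd" and "can't find user" in e["msg"]:
            counts[e["ts"].strftime("%b %d %H:00")] += 1
    return dict(counts)


def parse_arp(text):
    """Map IP -> MAC (lower-cased) from an ARP table dump."""
    return {ip: mac.lower() for ip, mac in ARP_RE.findall(text)}


def mac_for_ip(arp_text, ip):
    """Return the MAC currently cached for ip, or None if it has expired
    or the host was never on this segment."""
    return parse_arp(arp_text).get(ip)


if __name__ == "__main__":
    events = parse_syslog(SYSLOG_SAMPLE)
    for bucket, n in sorted(failed_telnet_logins_per_hour(events).items()):
        print(f"{bucket}: {n} failed telnet username lookups")
    suspect_ip = "192.168.1.12"  # constructed value standing in for the known static IP
    print(f"{suspect_ip} -> {mac_for_ip(ARP_SAMPLE, suspect_ip)}")
```

Run it against a copy of /usr/adm/syslog (or wherever syslog writes on the box) and a fresh arp -a dump; compare the hour buckets with the tty login window from the wtmp/last output already collected, then treat the ARP result as a lead to confirm against the switch port or the DHCP admin, not as proof on its own.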
 
Assuming the source machine is out in userland, I would talk to the DHCP admin who services those machines. He should be able to give you the info on who had that IP at that time. He should also be able to look at the Windows machines (assuming) and see what user was logged in at those times.
 