
Intruder Detection??

Status
Not open for further replies.

dflanagan

MIS
Oct 5, 2001
115
US
Hello,
I have a supervisor account that keeps coming up locked due to intruder detection (i.e., wrong password). I unlock it, and then find it is locked again later.... I want to know WHO, or what machine, this wrong password is coming from.... How can I find this out???? I am using v 3.12. I see in SYSCON under the intruder detection part that there is a number listed as:
"last intruder address:AC1BC00:00065B5ECB79:5398"

What can I do with this number??

Thanks

Dave Flanagan
 
That is the MAC address of the PC trying to log in as supervisor. Assuming that PC is logged in as a regular user, you could run a USERLIST /A from a DOS prompt at your workstation. This will show all the users logged in and their MAC addresses.
 
COOL!
But the problem is that he/she/it (possible machine w/ a service) is not successful... so, it won't show them as logged in.. right? Have any other good intrusion tips?
 
You're correct. But assuming the PC is being used by someone at some point with a legitimate login, you could add something to the login script to notify you or catch them like:

IF P_STATION == "00065B5ECB79" THEN BEGIN
#send "Intruder alert" to dflanagan
END

The above would use the NetWare SEND command to send you a message (assuming your NetWare user name is dflanagan). Then you could run USERLIST /A to see who it is.
 
OK, so I was able to find it in the list.... but it was listed under the supervisor username..... How can I translate that MAC address to something useful? Like an IP address, or machine name? We use WINS here.... will that work somehow? Is there a command to translate a MAC address to an IP address?
 
I'm not sure how you would proceed. If you are giving out IP addresses using DHCP, then your DHCP server should have a list or log of IP addresses assigned. In some cases, this log or list does include a MAC address.

The other thing you could do is to go into SYSCON and under the supervisor account, restrict access to specific workstations (like yours) and exclude the MAC address in question. That would prevent that workstation from logging in as supervisor.

You could also look at your server's console monitor to determine what files that workstation has open. You might be able to figure it out based on that.
 
THANKS A LOT FOR YOUR HELP!!

I found the server... it was a server in fact... I went around checking MAC addresses using ipconfig /all (Windows NT) and found it was my backup server... thanks again for the help! I hope I can return the favor one day.

Dave
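The lookup worked out in this thread, as an added example that is not part of any post: the SYSCON value is an IPX address in network:node:socket form, and the node field is the station's MAC address, which can be matched against saved `ipconfig /all` output from each machine. The host names, the second MAC address and the inventory text are constructed for illustration; only the intruder address comes from the thread.

```python
import re

# IPX address as SYSCON prints it: network:node:socket, all hex,
# with leading zeros dropped from the network number.
ADDR_RE = re.compile(
    r"\b([0-9A-Fa-f]{1,8}):([0-9A-Fa-f]{1,12}):([0-9A-Fa-f]{1,4})\b")
# "Physical Address" line from Windows NT `ipconfig /all`.
MAC_RE = re.compile(
    r"Physical Address[ .]*:\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")

def parse_intruder_address(text):
    """Return the zero-padded network, node (MAC) and socket fields."""
    m = ADDR_RE.search(text)
    if m is None:
        raise ValueError("no network:node:socket address found")
    network, node, socket = (f.upper() for f in m.groups())
    return {"network": network.zfill(8),
            "node": node.zfill(12),
            "socket": socket.zfill(4)}

def normalize_mac(mac):
    """Reduce 00-06-5B..., 00:06:5b... or 00065B... to 12 hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return digits

def hosts_with_node(node, inventory):
    """Names of hosts whose saved ipconfig output lists the node address."""
    wanted = normalize_mac(node)
    hits = []
    for host, output in inventory.items():
        macs = {normalize_mac(m) for m in MAC_RE.findall(output)}
        if wanted in macs:
            hits.append(host)
    return sorted(hits)

# Value quoted in the first post.
SYSCON_LINE = "last intruder address:AC1BC00:00065B5ECB79:5398"

# Constructed inventory: host names and the first MAC are made up.
INVENTORY = {
    "WKSTN01": "    Physical Address. . . . . . : 00-10-4B-12-34-56\n",
    "BACKUP01": "    Physical Address. . . . . . : 00-06-5B-5E-CB-79\n",
}

if __name__ == "__main__":
    addr = parse_intruder_address(SYSCON_LINE)
    print(addr, hosts_with_node(addr["node"], INVENTORY))
```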
 