Strange logon attempts
on 14.06.2006 16:55:36 by matthewsatkins
I have recently taken over a network. I started to audit failed logon
attempts and am finding a particular computer trying to log on as my
desktop tech once or twice a day. The attempts are coming from a
computer name that I do not recognize. When this first started
happening, I couldn't find a reference for this computer anywhere in my
network. Just yesterday, I found that it was given an IP address lease
a few days ago. What can I do to find where this PC is??
Re: Strange logon attempts
on 14.06.2006 17:12:40 by Bit Twister
On 14 Jun 2006 07:55:36 -0700, Matt wrote:
> I have recently taken over a network. I started to audit failed logon
> attempts and am finding a particular computer trying to log on as my
> desktop tech once or twice a day. The attempts are coming from a
> computer name that I do not recognize. When this first started
> happening, I couldn't find a reference for this computer anywhere in my
> network. Just yesterday, I found that it was given an IP address lease
> a few days ago. What can I do to find where this PC is??
Do a traceroute on its IP address,
find the router closest to the PC,
start chasing each wire to each PC,
log in and check the IP address.
Other option: log into the IP address and snoop the files, and maybe you can find an
email address or something.
Re: Strange logon attempts
on 14.06.2006 17:22:23 by comphelp
"Matt" writes:
> I have recently taken over a network. I started to audit failed logon
> attempts and am finding a particular computer trying to log on as my
> desktop tech once or twice a day. The attempts are coming from a
> computer name that I do not recognize. When this first started
> happening, I couldn't find a reference for this computer anywhere in my
> network. Just yesterday, I found that it was given an IP address lease
> a few days ago. What can I do to find where this PC is??
Depends on your network topology.
Take that IP address, get to the subnet it's on via tracert, get to a
machine on that network, arp for that IP to get the mac address,
access the switch for that lan (hopefully it's a managed one) and find
out what port of the switch has the mac address associated with that
ip, find out what cable's plugged into that port, then track that down
to a physical machine.
Now, if it's a wirelessly connected machine, then your job becomes
more interesting.
--
Todd H.
http://www.toddh.net/
Re: Strange logon attempts
on 14.06.2006 21:58:35 by unknown
Post removed (X-No-Archive: yes)
Re: Strange logon attempts
on 14.06.2006 23:58:13 by roberson
In article <1150296936.147687.252050@u72g2000cwu.googlegroups.com>,
Matt wrote:
>I have recently taken over a network. I started to audit failed logon
>attempts and am finding a particular computer trying to log on as my
>desktop tech once or twice a day. The attempts are coming from a
>computer name that I do not recognize. When this first started
>happening, I couldn't find a reference for this computer anywhere in my
>network. Just yesterday, I found that it was given an IP address lease
>a few days ago. What can I do to find where this PC is??
If you have managed switches or routers:
- ping the IP address, and then examine your arp table to determine
the MAC address. Then use SNMP to poll all of your managed switches
and routers, looking for that MAC address in the port tables.
Note that the switch port ARP tables might expire within a few minutes,
so you might have to monitor for some time in order to determine
the port locations.
If you do not have managed switches:
- first install managed switches; then apply procedure above ;-)
On the SNMP side, you want ipNetToMediaTable entries if you can
get them, but you will probably only get useful ones on routers.
Devices like printers are more likely to have atTable entries, which
are about as useful, but again you usually don't get useful
entries from switches. (It can be useful to poll service devices
such as servers and printers, because the target host might be
talking to one of them at times it doesn't happen to be talking
to anything topologically "near" you.)
For the switches I was using, the most likely OID to be useful was
.1.3.6.1.2.17.4.3.1 which looked like this:
17.4.3.1.1.0.80.186.72.179.154 = Hex: 00 50 BA 48 B3 9A
17.4.3.1.2.0.80.186.72.179.154 = 48
The .1 or .2 is followed in the OID by the *decimal* expansion of
the target device MAC. The .1 entry then reproduces that MAC
except in Hex (which might be easier for you to read), and
the .2 entry is the port number the device was attached to.
Note that the above OIDs are not standardized ones, and the
treatment of MAC entries within VLANs varies depending on manufacturer
and SNMP MIBs adhered to.
Useful descriptions of the interfaces are at
.1.3.6.1.2.1.2.31.1.1.1.1 for some switches and routers, and more
standardly (but sometimes less usefully) at .1.3.6.1.2.1.2.2.1.2
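The procedure Todd and Walter describe (ARP for the MAC, then ask the switches which port learned it) can be scripted against `snmpwalk -On` output. The following is an added example, not code from anyone in this thread: it parses numeric walk output of the standard BRIDGE-MIB forwarding table (dot1dTpFdbPort, .1.3.6.1.2.1.17.4.3.1.2, indexed by the MAC as six decimal octets exactly as in Walter's output) and IF-MIB (dot1dBasePortIfIndex .1.3.6.1.2.1.17.1.4.1.2, ifDescr .1.3.6.1.2.1.2.2.1.2), and resolves a MAC to a port name. The OIDs are the standard ones rather than the vendor-specific ones Walter quotes, and the walk output embedded below is constructed for the example; the helper names are my own.

```python
"""Resolve a MAC address to a switch port from snmpwalk -On style output.

Added example for the thread above; not the poster's code. Assumes the
standard BRIDGE-MIB / IF-MIB OIDs listed below, which differ from the
vendor-specific ones quoted in the post. The walk output is constructed.
"""
import re

FDB_PORT = ".1.3.6.1.2.1.17.4.3.1.2."        # dot1dTpFdbPort.<mac as decimal octets>
BASEPORT_IFINDEX = ".1.3.6.1.2.1.17.1.4.1.2."  # dot1dBasePortIfIndex.<bridge port>
IFDESCR = ".1.3.6.1.2.1.2.2.1.2."            # ifDescr.<ifIndex>

# Constructed sample of `snmpwalk -On` output from one managed switch.
SAMPLE_WALK = """\
.1.3.6.1.2.1.17.4.3.1.1.0.80.186.72.179.154 = Hex-STRING: 00 50 BA 48 B3 9A
.1.3.6.1.2.1.17.4.3.1.1.0.13.136.65.2.17 = Hex-STRING: 00 0D 88 41 02 11
.1.3.6.1.2.1.17.4.3.1.2.0.80.186.72.179.154 = INTEGER: 48
.1.3.6.1.2.1.17.4.3.1.2.0.13.136.65.2.17 = INTEGER: 3
.1.3.6.1.2.1.17.1.4.1.2.3 = INTEGER: 10003
.1.3.6.1.2.1.17.1.4.1.2.48 = INTEGER: 10048
.1.3.6.1.2.1.2.2.1.2.10003 = STRING: FastEthernet0/3
.1.3.6.1.2.1.2.2.1.2.10048 = STRING: FastEthernet0/48
"""

# "<oid> = <TYPE>: <value>"; the type tag is optional and dropped.
LINE_RE = re.compile(r"^(\S+)\s*=\s*(?:[\w-]+:\s*)?(.*)$")


def parse_walk(text):
    """Return {oid: value_string} from snmpwalk -On style lines."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).strip()
    return table


def mac_to_oid_index(mac):
    """'00:50:ba:48:b3:9a' -> '0.80.186.72.179.154' (the decimal OID index form)."""
    octets = re.split(r"[:\-]", mac.strip())
    if len(octets) != 6:
        raise ValueError("bad MAC: %r" % mac)
    return ".".join(str(int(o, 16)) for o in octets)


def oid_index_to_mac(idx):
    """'0.13.136.65.2.17' -> '00:0d:88:41:02:11'."""
    return ":".join("%02x" % int(p) for p in idx.split("."))


def locate_mac(walk, mac):
    """MAC -> bridge port -> ifIndex -> ifDescr. None if the switch has not learned it.

    Forwarding entries age out after a few minutes, so a None here only
    means "not seen on this poll"; repeat the walk while the host is active.
    """
    port = walk.get(FDB_PORT + mac_to_oid_index(mac))
    if port is None:
        return None
    ifindex = walk.get(BASEPORT_IFINDEX + port)
    descr = walk.get(IFDESCR + ifindex) if ifindex is not None else None
    return {"bridge_port": int(port),
            "ifindex": int(ifindex) if ifindex is not None else None,
            "ifdescr": descr}


def macs_on_port(walk, port):
    """All MACs learned on one bridge port; many MACs usually means an uplink, not an end host."""
    return sorted(oid_index_to_mac(oid[len(FDB_PORT):])
                  for oid, val in walk.items()
                  if oid.startswith(FDB_PORT) and val == str(port))


if __name__ == "__main__":
    walk = parse_walk(SAMPLE_WALK)
    print(locate_mac(walk, "00:50:ba:48:b3:9a"))   # the MAC from the ARP step
    print(macs_on_port(walk, 48))
```

In practice the walk text comes from `snmpwalk -v2c -c <community> -On <switch> 1.3.6.1.2.1.17` plus the ifDescr subtree, run against every switch in turn; a port that returns many MACs is a trunk to another switch, so follow that link and repeat there.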
Re: Strange logon attempts
on 15.06.2006 14:18:26 by Ludovic Joly
You can also:
- sniff the packets from this machine to get extra info such as its MAC
address,
- do some active/passive TCP/IP stack fingerprinting in order to
determine its OS,
- port scan the evil machine to see which services it is running,
...
- launch such a terrible remote attack against it that it will start to
beep,
...
- physically access a machine you suspect when its user is in the
bathroom and inspect its TCP/IP settings,
...
Kind regards
Ludovic
Re: Strange logon attempts
on 15.06.2006 16:17:14 by roberson
In article <1150373906.722377.114680@r2g2000cwb.googlegroups.com>,
Ludovic Joly wrote:
Please quote context. Please see here for information on how to
do so from Google Groups: http://cfaj.freeshell.org/google/
>You can also:
>- sniff the packets from this machine to get extra info such as its MAC
>address,
But the OP doesn't know where the machine -is-. If the OP is using
switches, they would have to at least track down which switch the
problem machine was directly attached to in order to do the
sniffing. And that's provided that the switches are managed switches
that provide packet copying services: if the switches are unmanaged,
you'd need to swap in a hub in order to do the sniffing.
Re: Strange logon attempts
on 15.06.2006 16:47:11 by Ludovic Joly
Walter Roberson wrote:
> But the OP doesn't know where the machine -is-. If the OP is using
> switches, they would have to at least track down which switch the
> problem machine was directly attached to in order to do the
> sniffing. And that's provided that the switches are managed switches
> that provide packet copying services: if the switches are unmanaged,
> you'd need to swap in a hub in order to do the sniffing.
From the OP:
"I started to audit failed logon attempts..."
"The attempts are coming from a computer name that I do not recognize."
Just sniff close to where the "attempts" go.
Kind regards
Ludovic
Re: Strange logon attempts
on 15.06.2006 18:44:19 by roberson
In article <1150382831.168624.265150@p79g2000cwp.googlegroups.com>,
Ludovic Joly wrote:
>From the OP:
>"I started to audit failed logon attempts..."
>"The attempts are coming from a computer name that I do not recognize."
>Just sniff close to where the "attempts" go.
True, and I thought I'd already said that, but rechecking I see
that I edited my words about sniffing out completely before I posted.
If you have the IP address and it is on the same subnet, ping
plus checking the ARP tables gets you the MAC address. If you
don't have the IP address and the attempts to log in are against
an XP machine (maybe W2K as well?) you could turn on auditing and
the audit logs should record useful information. If the targeted
machine does not have useful auditing, you could toss a sniffer onto it,
but if the attempts are at random intervals then you could end up
with huge packet files to filter through :(
If one does not have the proper infrastructure and monitoring
procedures set up, tracking down a particular host can be a
big pain -- e.g., before we had managed switches, there were two
hosts that I looked for off and on for over 18 months [and never did find.]
If you do have managed switches, you can buy expensive (!!) monitoring
software, or you can expend quite a bit of effort on creating
-reliable- monitoring software yourself (unfortunately, switch SNMP
servers tend to lie, each in a different way.) I haven't -seen-
any good open-source network monitoring software suitable for
hunting down Wumpuses; something like that sure could save a lot of time.
Even with managed switches and polling software in place, tracking
down hosts by MAC can be difficult.
Hmmm, I had a posting on this topic, and I cannot find it now
through google. And last week I couldn't find some other topics I
was sure I'd written about. And I recall a couple of months ago
having difficulty retrieving some postings of mine from google --
my profile indicated I had several thousand postings (in one group)
but I could only pull out the first thousand or so. I'm starting
to suspect google has lost a bunch of my postings!!