Account with admin rights

By mevans8182 ·
Hello:

I have a user account that has full admin rights. This account got locked late at night. The problem is not unlocking it, but rather under Intruder Lockout, it usually tells you the "Last Intruder address". This lists no information whatsoever, i.e., no MAC address, nothing. Backdating a few weeks, same account locked up. This is all I have: 81782022:000000000001
How can I figure out who this is? And what other safeguards should I put into place? Sorry for the long message. Any help would be appreciated. Thank you! -M

This conversation is currently closed to new comments.

5 total posts (Page 1 of 1)  
Account with admin rights

by mevans8182 In reply to Account with admin rights

Point value changed by question poster.

Account with admin rights

by isys In reply to Account with admin rights

My crystal ball says you are running a network with IPX. The numbers before the colon are the MAC address (it removed the first four numbers, should be 00 00 81 78 20 22), and the numbers to the right are your IPX network number. This comes up with a Bay Networks NIC. Right?

Account with admin rights

by Joseph Moore In reply to Account with admin rights

I am not sure of your OS, so this entire suggestion might not work. Well, here's to hoping!

First, to go with the above answer, the connecting NIC could also be made from one of the following manufacturers:
Titan Electronics
TV/COM INTERNATIONAL
ALCATEL DATA NETWORKS
Metrodata Ltd
TYAN COMPUTER CORP.
Crosfield Electronics

Assuming that 81782022 is the last 4 bytes in Hex for the connecting NIC, then you can just look up the full MAC address here:
http://www.uga.edu/netinfo-bin/public/maclook

And to get a list of all NIC manufacturers and to see the first 3 bytes in Hex for the NICs they make, go here:
http://standards.ieee.org/regauth/oui/oui.txt

So, are the NICs in your office/organization by any of those manufacturers? That is the first place to start. If so, then that narrows it down.

Now, since I am more familiar with Windows, I am going to suggest a few Windows things to try. Others with experience in other NOS' can help with other suggestions.

Check the Security Log in Event Viewer on your PDC or Win2K DC. Look for Event ID # 644 that happened last night. That event is generated when your admin account was locked out. It would have the machine that the account lockout happened on. So, that would tell you from what machine. That should end the chase.

Account with admin rights

by Joseph Moore In reply to Account with admin rights

If the logs are not useful, then you could check the local ARP cache on your PDC/DC to see if there is a match of the MAC address. On a Windows box, open a Command Prompt and type in:
ARP -A
That gives you a list of the current ARP cache of connections; it gives you IP address AND MAC address! So, if the MAC is listed, you then have the IP address. You could then do PING -A ipaddress to resolve the host machine name.
Something to know about ARP is that the cache is cleared out frequently. So, to make sure, you will have to PING your entire network to establish current connections to everybody, then check the ARP cache. But, if you are running Windows, then doing the ARP -A from a domain controller will probably give you the right information, since machines keep a fairly constant connection to DCs.

Now, the ARP info is a TCP/IP thing. If you are in an IPX environment, then it won't help.

I hope this is helpful to you.
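
An added example, not part of the original posts: a Python version of the ARP-cache check described above, matching the four node bytes from the lockout record against the end of each MAC address in `arp -a` output. The `arp -a` text is a constructed sample and the function names are made up for this illustration; it assumes the Windows dash-separated MAC format and the reading of the field given earlier in the thread (node bytes before the colon, network number after).

```python
import re

# Constructed sample of Windows `arp -a` output (not taken from the thread).
SAMPLE_ARP = """\
Interface: 192.168.1.5 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-a0-c9-12-34-56     dynamic
  192.168.1.23          00-00-81-78-20-22     dynamic
  192.168.1.40          00-10-4b-81-78-20     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# One ARP entry line: IPv4 address, dash-separated MAC, entry type.
ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2})\s+\w+",
    re.M,
)

def parse_intruder_address(field):
    """Split 'NODE:NETWORK' (assumed layout): node hex digits, then network number."""
    node, _, network = field.strip().partition(":")
    node = re.sub(r"[^0-9a-fA-F]", "", node).lower()
    # The record may hold fewer than 6 bytes, but must be whole bytes of hex.
    if not node or len(node) > 12 or len(node) % 2:
        raise ValueError("unexpected node field: %r" % field)
    return node, network

def parse_arp_table(text):
    """Yield (ip, mac_hex) for each entry line; interface and header lines are skipped."""
    for ip, mac in ARP_ROW.findall(text):
        yield ip, mac.replace("-", "").lower()

def find_candidates(field, arp_text):
    """Return ARP entries whose MAC ends with the node digits from the lockout record."""
    node, _ = parse_intruder_address(field)
    # Suffix match, not substring: the truncated record keeps the trailing bytes.
    return [(ip, mac) for ip, mac in parse_arp_table(arp_text) if mac.endswith(node)]

if __name__ == "__main__":
    for ip, mac in find_candidates("81782022:000000000001", SAMPLE_ARP):
        print(ip, mac)
```

Because only four of the six MAC bytes are known, more than one machine can match; each hit is a candidate to check against the lockout time, not a confirmed source.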

Account with admin rights

by mevans8182 In reply to Account with admin rights

Poster rated this answer
