Security Basics mailing list archives

RE: How can I track this down?


From: "Portz, Jon" <jportz () kforce com>
Date: Thu, 1 Jun 2006 15:50:31 -0400

If you are doing MAC authentication through Cisco ACS, check the TACACS logs
on the Cisco ACS server.

- JP

-----Original Message-----
From: Roger A. Grimes [mailto:roger () banneretcs com] 
Sent: Thursday, June 01, 2006 2:40 PM
To: Nick Duda; security-basics () securityfocus com
Subject: RE: How can I track this down?

I'm completely guessing here, but here are my thoughts:

It's probably a Cisco or other network mgmt device/software trying to
authenticate with a Windows network because someone chose Windows
domain/AD authentication for some optional feature (like proxy outbound
authentication, user list, etc.).

The logon acct name is a MAC address, so search to find out who has that
MAC address. That will give you a clue.

-----Original Message-----
From: Nick Duda [mailto:nduda () VistaPrint com] 
Sent: Thursday, June 01, 2006 1:21 PM
To: security-basics () securityfocus com
Subject: How can I track this down?


I'm getting a ton of these in my Security log on my DC. The logon
account changes every so often, but it's always a name that doesn't exist
(as in we don't have a user account called 009096bb65cd) and the From
Workstation always says CISCO. I can't find anything in the logs that
points me to an IP address. Running utils like netstat don't do much
because there are already so many normal connections related to it being
a DC. Any ideas?

The logon to account: 009096bb65cd
 by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 from workstation: CISCO
 failed. The error code was: 3221225572


Regards,
Nick
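The triage Roger describes (treat the bogus account name as a MAC address, then find who owns it) can be scripted. The following is an added example and is not code from anyone in this thread. It parses failed-logon entries in the exact text shape Nick quoted, decodes the decimal error code to its NTSTATUS name (3221225572 is 0xC0000064, STATUS_NO_SUCH_USER, which matches "a user that doesn't exist"), flags account names that are really MAC addresses, and matches them against a Cisco IOS `show ip arp` listing to recover an IP and interface. Both the log entries and the ARP table are constructed samples; the assumption that the gear is a Cisco IOS device with that ARP output format is mine, not the posters'.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: two failed-logon entries in the same text shape as
# the one quoted in the post (one MAC-address "account", one real user name).
SAMPLE_SECURITY_LOG = """\
The logon to account: 009096bb65cd
 by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 from workstation: CISCO
 failed. The error code was: 3221225572
The logon to account: jdoe
 by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 from workstation: WKS-42
 failed. The error code was: 3221225578
"""

# Constructed sample input: output in the shape of Cisco IOS "show ip arp"
# (assumption: the device in question is a Cisco IOS router/switch).
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.1                -   0090.96bb.65cd  ARPA   Vlan10
Internet  10.1.1.20              12   0011.2233.4455  ARPA   Vlan10
"""

# Well-known NTSTATUS constants behind the decimal codes the Security log prints.
NTSTATUS_NAMES = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# One failed-logon record, as laid out in the post (four lines per event).
EVENT_RE = re.compile(
    r"The logon to account:\s*(?P<account>\S+)\s*\n"
    r"\s*by:\s*(?P<package>\S+)\s*\n"
    r"\s*from workstation:\s*(?P<workstation>\S+)\s*\n"
    r"\s*failed\. The error code was:\s*(?P<code>\d+)"
)


def ntstatus_name(code: int) -> str:
    """Map the decimal error code from the log to its NTSTATUS symbolic name."""
    return NTSTATUS_NAMES.get(code, f"unknown (0x{code:08X})")


def as_mac(name: str) -> Optional[str]:
    """Return 'aa:bb:cc:dd:ee:ff' if the name is 12 hex digits (any common
    separator style), else None. Heuristic: a real 12-hex-char username would
    also match, so treat a hit as a lead, not proof."""
    raw = name.lower().replace(":", "").replace("-", "").replace(".", "")
    if not re.fullmatch(r"[0-9a-f]{12}", raw):
        return None
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def cisco_dotted(mac: str) -> str:
    """Render a colon-separated MAC in Cisco's 'xxxx.xxxx.xxxx' notation."""
    raw = mac.replace(":", "")
    return ".".join(raw[i:i + 4] for i in range(0, 12, 4))


def parse_failed_logons(text: str) -> List[Dict[str, object]]:
    """Extract every failed-logon record from Security-log text."""
    events = []
    for m in EVENT_RE.finditer(text):
        code = int(m.group("code"))
        events.append({
            "account": m.group("account"),
            "package": m.group("package"),
            "workstation": m.group("workstation"),
            "code": code,
            "status": ntstatus_name(code),
            "mac": as_mac(m.group("account")),
        })
    return events


def parse_cisco_arp(text: str) -> Dict[str, Tuple[str, str]]:
    """Map colon-form MAC -> (ip, interface) from 'show ip arp' output."""
    table: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[0] == "Internet":
            ip, dotted, iface = parts[1], parts[3], parts[5]
            mac = as_mac(dotted)
            if mac:
                table[mac] = (ip, iface)
    return table


def triage(log_text: str, arp_text: str) -> List[Dict[str, object]]:
    """Join failed logons whose account looks like a MAC against the ARP table."""
    arp = parse_cisco_arp(arp_text)
    findings = []
    for ev in parse_failed_logons(log_text):
        mac = ev["mac"]
        ip, iface = arp.get(mac, (None, None)) if mac else (None, None)
        findings.append({**ev, "ip": ip, "interface": iface,
                         "cisco_format": cisco_dotted(mac) if mac else None})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_SECURITY_LOG, SAMPLE_ARP):
        print(f"{f['account']:>14} from {f['workstation']:<8} {f['status']:<24} "
              f"mac={f['mac']} ip={f['ip']} if={f['interface']}")
```

The join on the ARP table is where the IP address Nick could not find in the DC logs comes from: the DC only records the NetBIOS name the client supplied ("CISCO"), so the device has to be located from the network side. If the ARP entry carries an Age of "-", the MAC belongs to one of the router's own interfaces, which fits the theory of a Cisco device itself doing the authenticating.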





