Security Basics mailing list archives

RE: How can I track this down?


From: "Burton Strauss" <Burton () FelisCatus org>
Date: Thu, 1 Jun 2006 16:54:43 -0500

That's almost certainly a MAC address - check the IEEE OUI site
(http://standards.ieee.org/regauth/oui/index.shtml) and you'll see the 1st 6
are assigned:

00-90-96   (hex)                ASKEY COMPUTER CORP.
009096     (base 16)            ASKEY COMPUTER CORP.
                                2F, NO. 2, LANE 497
                                CHUNG-CHENG RD., HSIN-TIEN
                                TAIPEI  23136  
                                TAIWAN, REPUBLIC OF CHINA

Find their web site
http://www.askey.com.tw/eportal/globalweb/index.jsp?language=en

Now you (sort of) know what to look for...



My bet?  Somebody installed a pirate wireless access point...

-----Burton

 

-----Original Message-----
From: Nick Duda [mailto:nduda () VistaPrint com] 
Sent: Thursday, June 01, 2006 12:21 PM
To: security-basics () securityfocus com
Subject: How can I track this down?


I'm getting a ton of these in my Security log on my DC. The logon account
changes every so often, but it's always a name that doesn't exist (as in we
don't have a user account called 009096bb65cd). The "from workstation" always
says CISCO. I can't find anything in the logs that points me to an IP
address. Running utils like netstat doesn't do much because there are already
so many normal connections related to it being a DC. Any ideas?

The logon to account: 009096bb65cd
 by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 from workstation: CISCO
 failed. The error code was: 3221225572


Regards,
Nick 
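
Added example (not part of the original thread): a Python triage pass over exported failed-logon text in the format quoted above, applying the reply's reasoning that a 12-hex-digit account name is a MAC address whose first six digits identify the vendor. The OUI table holds only the entry quoted in the reply, the status names are standard NTSTATUS values, and the second and third sample events are constructed.

```python
import re

# Standard NTSTATUS codes; the old event text prints them in decimal.
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
# Only the OUI quoted in the reply; extend from the IEEE registry as needed.
OUI = {"009096": "ASKEY COMPUTER CORP."}

EVENT_RE = re.compile(
    r"The logon to account:\s*(?P<account>\S+)\s*"
    r"by:\s*(?P<package>\S+)\s*"
    r"from workstation:\s*(?P<workstation>\S+)\s*"
    r"failed\. The error code was:\s*(?P<code>\d+)", re.I)
MAC_RE = re.compile(r"^[0-9a-f]{12}$")

# First event is the one from the post; the other two are constructed.
SAMPLE_LOG = """
The logon to account: 009096bb65cd
 by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 from workstation: CISCO
 failed. The error code was: 3221225572
The logon to account: jsmith
 by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 from workstation: HR-PC-07
 failed. The error code was: 3221225578
The logon to account: 02-00-5E-10-00-01
 by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 from workstation: CISCO
 failed. The error code was: 3221225572
"""

def triage(log_text):
    """Return failed logons whose account name is shaped like a MAC address."""
    findings = []
    for m in EVENT_RE.finditer(log_text):
        acct = re.sub(r"[-:.]", "", m["account"]).lower()
        if not MAC_RE.match(acct):
            continue  # ordinary user name, not of interest here
        code = int(m["code"])
        findings.append({
            "mac": ":".join(acct[i:i + 2] for i in range(0, 12, 2)),
            "vendor": OUI.get(acct[:6], "unknown OUI"),
            "workstation": m["workstation"],
            "status": NTSTATUS.get(code, hex(code)),
        })
    return findings

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

The resulting MAC can then be searched for in switch CAM tables or DHCP leases to find the port the device sits on.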


