Security Basics mailing list archives
RE: How can I track this down?
From: "Gino T. Genari" <techman1 () scinet-test gov>
Date: Tue, 6 Jun 2006 16:38:10 -0400
I am not so sure this is a MAC address belonging to a CISCO device.

According to IEEE http://standards.ieee.org/regauth/oui/index.shtml
That starting mac address belongs to the company listed below, not Cisco. This company makes modems and WiFi devices.

00-90-96   (hex)      ASKEY COMPUTER CORP.
009096     (base 16)  ASKEY COMPUTER CORP.
                      2F, NO. 2, LANE 497
                      CHUNG-CHENG RD., HSIN-TIEN
                      TAIPEI 23136
                      TAIWAN, REPUBLIC OF CHINA

Just my opinion, hope it helps.

________________________________
From: Roger A. Grimes [mailto:roger () banneretcs com]
Sent: Thu 6/1/2006 2:39 PM
To: Nick Duda; security-basics () securityfocus com
Subject: RE: How can I track this down?

I'm completely guessing here, but here's my thoughts:

It's probably a Cisco or other network mgmt device/software trying to authenticate with a Windows network because someone chose Windows domain/AD authentication for some optional feature (like proxy outbound authentication, user list, etc.).

The logon acct name is a MAC address, so search to find out who has that mac address. That will give you a clue.

-----Original Message-----
From: Nick Duda [mailto:nduda () VistaPrint com]
Sent: Thursday, June 01, 2006 1:21 PM
To: security-basics () securityfocus com
Subject: How can I track this down?

I'm getting a ton of these in my Security log on my DC. The logon account changes every so often, but it's always a name that doesn't exist (as in we don't have a user account called 009096bb65cd). The from Workstation always says CISCO. I can't find anything in the logs that point me to an IP address. Running utils like netstat don't do much because there are already so many normal connections related to it being a DC. Any ideas?

    The logon to account: 009096bb65cd
    by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    from workstation: CISCO
    failed. The error code was: 3221225572

Regards,
Nick

---------------------
Confidentiality note
The information in this email and any attachment may contain confidential and proprietary information of VistaPrint and/or its affiliates and may be privileged or otherwise protected from disclosure. If you are not the intended recipient, you are hereby notified that any review, reliance or distribution by others or forwarding without express permission is strictly prohibited and may cause liability. In case you have received this message due to an error in transmission, please notify the sender immediately and to delete this email and any attachment from your system.
---------------------
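
Added example (not part of the original messages): the two checks discussed in this thread, run in Python over the quoted log message. It decodes the decimal error code to its NTSTATUS name and, where the account name is a MAC address, extracts the OUI and groups failures by it. The OUI table holds only the entry quoted above; the second and third sample messages are constructed.

```python
import re
from collections import Counter

# A few logon-related NTSTATUS codes (Microsoft-documented values).
NTSTATUS = {0xC0000064: "STATUS_NO_SUCH_USER",
            0xC000006A: "STATUS_WRONG_PASSWORD",
            0xC000006D: "STATUS_LOGON_FAILURE",
            0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT"}
# Only the OUI quoted in the thread; load the IEEE registry for real use.
OUI_VENDORS = {"009096": "ASKEY COMPUTER CORP."}
EVENT_RE = re.compile(
    r"The logon to account:\s*(?P<account>\S+)\s+by:\s*(?P<package>\S+)\s+"
    r"from workstation:\s*(?P<workstation>\S+)\s+failed\.\s*"
    r"The error code was:\s*(?P<code>\d+)")

def parse_failed_logon(message):
    """Return a dict describing one failed-logon message, or None."""
    m = EVENT_RE.search(message)
    if not m:
        return None
    code = int(m["code"])
    rec = {"account": m["account"], "workstation": m["workstation"],
           "status_hex": f"0x{code:08X}", "status": NTSTATUS.get(code, "unknown"),
           "oui": None, "vendor": None, "locally_administered": None}
    mac = re.sub(r"[:.\-]", "", m["account"]).lower()
    if re.fullmatch(r"[0-9a-f]{12}", mac):
        rec["oui"] = mac[:6]
        rec["vendor"] = OUI_VENDORS.get(mac[:6], "not in local table")
        # Bit 0x02 of the first octet means a locally assigned address,
        # in which case the OUI says nothing about the manufacturer.
        rec["locally_administered"] = bool(int(mac[:2], 16) & 0x02)
    return rec

def count_by_oui(messages):
    """Count MAC-style account names per OUI across many messages."""
    recs = filter(None, map(parse_failed_logon, messages))
    return Counter(r["oui"] for r in recs if r["oui"])

# Constructed sample: first message is the one quoted in the thread, rest are made up.
TAIL = " by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: "
SAMPLE = [
    "The logon to account: 009096bb65cd" + TAIL + "CISCO failed. The error code was: 3221225572",
    "The logon to account: 009096aa0102" + TAIL + "CISCO failed. The error code was: 3221225572",
    "The logon to account: jsmith" + TAIL + "WS01 failed. The error code was: 3221225578",
]

if __name__ == "__main__":
    print(*map(parse_failed_logon, SAMPLE), count_by_oui(SAMPLE), sep="\n")
```

For the message in the thread this yields 0xC0000064 (STATUS_NO_SUCH_USER) and OUI 009096, consistent with an account name that does not exist in the domain.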