Re: Unknown workgroup in Microsoft Windows Network
From: Tony Gordon (tony.gordon@hewitt.com)
Date: 11/14/02
To: gary_palmer@attbi.com
From: "Tony Gordon" <tony.gordon@hewitt.com>
Date: Thu, 14 Nov 2002 15:49:54 -0600
If all previous ideas do not work, try running NetMon or any other
"sniffer" on the Domain master browser. It will receive a browser
announce frame sooner or later. The frame will tell you which browser
supplied the name. Doing string searches in a large trace could be an
issue. Some sniffers are better at it than others. Then follow the
browser chain until you find the one that is on the same subnet as the
"offender". That will give the IP address of the system that sent the
browser announce frame.
Somewhat painful process, so use it as a last resort. I had to use it
when nothing else worked.
Thank you, Tony.
Tony Gordon, Windows 2000 MCSE
tony.gordon@hewitt.com
Windows Server Infrastructure
Phone: 847.295.5000 x14534
Fax: 847.295.8877
Hewitt Associates
gary_palmer@attbi.com
11/12/2002 03:13 PM
To: focus-ms@securityfocus.com
cc:
Subject: Unknown workgroup in Microsoft Windows Network
Recently a new workgroup name appeared in our organization's "Network Neighborhood > Microsoft Windows Network". The workgroup or domain is called "Gotcha." Not a particularly pleasing name for a workgroup.
Having verified that no staff members have plugged in new hardware recently, and verifying that there are no unauthorized logins to our wireless network, I'm somewhat at a loss to explain this. I found information on an SMB hack that, as a side-effect, causes a rogue workgroup to show up in Network Neighborhood in order to sniff cleartext passwords from Windows 95 machines, but our firewall blocks ports 137 and 139, and there's nothing unusual in the firewall logs.
My question is this--what's the best way to track down an IP address associated with a domain or workgroup listing in Network Neighborhood? Is this possible? This would at least give me an idea of where on the physical network this is coming from. Does anyone have recommendations on tracing this problem?
Thank you,
Gary
-- gpalmer@attbi.com
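The trace search described in the reply above, sketched as an added example that is not part of either message: it decodes NetBIOS datagram (UDP/138) payloads exported from a capture and lists which system announced a given workgroup, with the master browser name the frame carries. The function names and sample frames are constructed for illustration; field offsets follow the RFC 1002 datagram header and the MS-BRWS DomainAnnouncement layout, and the browser data is assumed to start directly after the `\MAILSLOT\BROWSE` name.

```python
import socket
import struct

OPCODES = {0x01: "HostAnnouncement", 0x0C: "DomainAnnouncement", 0x0F: "LocalMasterAnnouncement"}
MAILSLOT = b"\\MAILSLOT\\BROWSE\x00"

def encode_nb_name(name, suffix):
    """RFC 1001 first-level encoding: each nibble of the 16-byte name becomes 'A' + nibble."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    return b"\x20" + bytes(0x41 + n for b in raw for n in (b >> 4, b & 15)) + b"\x00"

def decode_nb_name(field):
    """Inverse of encode_nb_name for one 34-byte name field (suffix byte dropped)."""
    raw = bytes(((field[i] - 0x41) & 15) << 4 | ((field[i + 1] - 0x41) & 15) for i in range(1, 33, 2))
    return raw[:15].decode("ascii", "replace").rstrip()

def cstr(data):
    """ASCII text up to the first NUL."""
    return data.split(b"\x00")[0].decode("ascii", "replace")

def parse_announcement(payload):
    """Decode one UDP/138 payload; return a dict for a browser announcement, else None."""
    pos = payload.find(MAILSLOT)
    if len(payload) < 82 or payload[0] not in (0x10, 0x11, 0x12) or pos < 82:
        return None
    body = payload[pos + len(MAILSLOT):]  # assumption: no padding after the mailslot name
    if len(body) < 32 or body[0] not in OPCODES:
        return None
    return {"src_ip": socket.inet_ntoa(payload[4:8]),  # sender-supplied; compare with the IP header
            "sender": decode_nb_name(payload[14:48]),
            "opcode": OPCODES[body[0]],
            "name": cstr(body[6:22]),     # workgroup name in a DomainAnnouncement
            "trailer": cstr(body[32:])}   # master browser name in a DomainAnnouncement

def find_announcers(payloads, workgroup):
    """(source IP, master browser) for each DomainAnnouncement that names workgroup."""
    found = (parse_announcement(p) for p in payloads)
    return [(a["src_ip"], a["trailer"]) for a in found
            if a and a["opcode"] == "DomainAnnouncement" and a["name"].upper() == workgroup.upper()]

def sample_frame(ip, sender, opcode, name, trailer):
    """Constructed UDP/138 payload (SMB header zero-filled); not taken from a real capture."""
    body = struct.pack("<BBI16sBBIBBH", opcode, 0, 720000, name.encode(), 5, 0,
                       0x80001000, 15, 1, 0xAA55) + trailer.encode() + b"\x00"
    smb = b"\xffSMB\x25" + bytes(64) + MAILSLOT + body
    hdr = struct.pack(">BBH4sHHH", 0x11, 0x02, 1, socket.inet_aton(ip), 138, 68 + len(smb), 0)
    return hdr + encode_nb_name(sender, 0x00) + encode_nb_name("\x01\x02__MSBROWSE__\x02", 0x01) + smb

SAMPLE = [sample_frame("192.0.2.45", "LABPC7", 0x0C, "GOTCHA", "LABPC7"),  # constructed hosts
          sample_frame("192.0.2.10", "DC01", 0x0C, "CORP", "DC01")]
```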