RE: How can I track this down?




Bear in mind that MAC addresses can be changed so the information may not be correct/match a real NIC.

Also, while the IEEE block is assigned to ASKEY COMPUTER CORP, given the location of the company they are most likely a hardware supplier (NIC chipsets, whatever) for Cisco products and the Cisco string you are seeing is the embedded OS/app running on top of the hardware device.

As Roger said, it's most likely a misconfigured "extra" on an existing device that is polling the Domain for some authentication. If you want to track the device down, check the ARP table entries on your routers with CiscoWorks or whatever network device management method you use internally. Once you find an ARP entry that matches the MAC, follow the network segment for the actual device.



On Tue, 6 Jun 2006, Gino T. Genari wrote:

I am not so sure this is a MAC address belonging to a CISCO device. According to IEEE
http://standards.ieee.org/regauth/oui/index.shtml
That starting mac address belongs to the company listed below, not Cisco. This company makes modems and WiFi devices.



00-90-96 (hex) ASKEY COMPUTER CORP.
009096 (base 16) ASKEY COMPUTER CORP.
2F, NO. 2, LANE 497
CHUNG-CHENG RD., HSIN-TIEN
TAIPEI 23136
TAIWAN, REPUBLIC OF CHINA



Just my opinion, hope it helps.


________________________________

From: Roger A. Grimes [mailto:roger@xxxxxxxxxxxxxx]
Sent: Thu 6/1/2006 2:39 PM
To: Nick Duda; security-basics@xxxxxxxxxxxxxxxxx
Subject: RE: How can I track this down?



I'm completely guessing here, but here's my thoughts:

It's probably a Cisco or other network mgmt device/software trying to
authenticate with a Windows network because someone chose Windows
domain/AD authentication for some optional feature (like proxy outbound
authentication, user list, etc.).

The logon acct name is a MAC address, so search to find out who has that
mac address. That will give you a clue.

-----Original Message-----
From: Nick Duda [mailto:nduda@xxxxxxxxxxxxxx]
Sent: Thursday, June 01, 2006 1:21 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: How can I track this down?


I'm getting a ton of these in my Security log on my DC. The logon
account changes every so often, but it's always a name that doesn't exist
(as in we don't have a user account called 009096bb65cd) the from
Workstation always says CISCO. I can't find anything in the logs that
point me to an IP address. Running utils like netstat don't do much
because there are already so many normal connections related to it being
a DC. Any ideas?

The logon to account: 009096bb65cd
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: CISCO
failed. The error code was: 3221225572


Regards,
Nick
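
Added example, not part of the original thread: a Python sketch of the tracking steps discussed above. It parses the quoted event text, decodes the decimal error code to its NTSTATUS value, treats the account name as a MAC address, and searches router ARP output for it. The ARP table is a constructed sample in Cisco IOS `show ip arp` layout, and the function names are hypothetical.

```python
import re

# NTSTATUS values commonly seen in failed-logon events (hex form of the decimal code).
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Event text as quoted in the thread.
EVENT = """The logon to account: 009096bb65cd
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: CISCO
failed. The error code was: 3221225572"""

# Constructed sample of "show ip arp" output; IPs, interfaces and other MACs are made up.
ARP_TABLE = """Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.20.1               -   0011.2233.4455  ARPA   Vlan20
Internet  10.1.20.57             12   0090.96bb.65cd  ARPA   Vlan20
Internet  10.1.30.14              3   0013.7211.9a0c  ARPA   Vlan30"""

def normalize_mac(text):
    """Return 12 lowercase hex digits, or None if text is not MAC-shaped."""
    digits = re.sub(r"[.:\-]", "", text.strip()).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def parse_event(event):
    """Extract account name, workstation and decoded status from the event text."""
    account = re.search(r"logon to account:\s*(\S+)", event).group(1)
    workstation = re.search(r"from workstation:\s*(\S+)", event).group(1)
    code = int(re.search(r"error code was:\s*(\d+)", event).group(1))
    return {"account": account, "workstation": workstation, "mac": normalize_mac(account),
            "status_hex": f"0x{code:08X}", "status": NTSTATUS.get(code, "unknown")}

def find_in_arp(mac, arp_output):
    """Return (ip, interface) for every ARP row whose hardware address equals mac."""
    hits = []
    for line in arp_output.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0] == "Internet" and normalize_mac(fields[3]) == mac:
            hits.append((fields[1], fields[5]))
    return hits

if __name__ == "__main__":
    info = parse_event(EVENT)
    print(info, "OUI:", info["mac"][:6], find_in_arp(info["mac"], ARP_TABLE))
```

The first six hex digits of the normalized MAC are the OUI to look up in the IEEE registry; a match in the ARP output only shows which segment the address was last seen on, and the address itself can be changed, as noted at the top of the thread.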


