Okay, here is all that I know about my infrastructure besides what I
mentioned.  It's all UNIX based and I have no access to any of it.  The
routers and switches (and the fiber optic backbone) are all controlled by
a different department.

My W2K servers do not run DNS or DHCP, however I do have a WINS server
(it just struck me that I should look to see if the workstations
registered there when they attempted to log on to those servers).  

I don't know how to set up a workstation to update the DNS so I can't
answer your first part.  I do know that I am half Windows XP and half
Windows 2000.

Thanks,

Chuck

-----Original Message-----
From: King, Arron S. [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, September 11, 2002 8:36 AM
To: Exchange Discussions
Subject: RE: Tracing Computers making repeated Logon Requests


Chuck,

You didn't mention much about your infrastructure; but *if* the
workstations in question are Win2k (and are set to update the DNS), you
can do an nslookup on the hostname.  

If you provide DHCP to them, you might be able to find the IP that the
DHCP server gave out to the hostname.  (Even the MS DHCP server provides
some basic logging)

Not sure what brand of network gear you have; but [even] on our Nortel
switches, I can do a lookup of the MAC address, and find out what port
it is on on the switch in question (we are fully switched, and have
implemented VLANs, so I know by IP Address what switch to look on)

HTH

Arron


=======================================
Arron S. King
Network & Systems Administrator
Ohio Dominican University

[EMAIL PROTECTED]
v: 614.251.4515
f:  614.252.2650



-----Original Message-----
From: Charles Carerros [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 11, 2002 9:19 AM
To: Exchange Discussions
Subject: OT: Tracing Computers making repeated Logon Requests


Hey all,

This is really off topic, but I am having problems finding a solution.

There are a number of workstations that are repeatedly trying to hack my
admin password on two of my subnets.  I can see when they try their
password attempts and they are using basic Microsoft Authentication.
However the Event Viewer only gives me the workstation name (and the
domain/work group name which is the same as the workstation name).  Does
anyone have any suggestions as to how I could pin down an IP address?

The nature of these attempts (and timing) could point out that some
student either has been hacked or is purposely running these.  As such,
if I can discern an IP address I can put an end to them.

Thanks,

Chuck

_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Archives:               http://www.swynk.com/sitesearch/search.asp
To unsubscribe:         mailto:[EMAIL PROTECTED]
Exchange List admin:    [EMAIL PROTECTED]
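
Added example, not part of the original thread: one way to follow the DHCP-log suggestion above, matching the workstation name from a failed-logon event against Microsoft DHCP server audit-log lines to recover the IP and MAC held at that time. The log lines, host names, addresses and the function names are constructed for illustration.

```python
import csv
from datetime import datetime

# Constructed sample in the Microsoft DHCP server audit-log layout
# (ID,Date,Time,Description,IP Address,Host Name,MAC Address).
SAMPLE_DHCP_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,09/10/02,22:14:03,Assign,10.1.4.57,DORM-PC7.campus.example,00A0C9112233
11,09/11/02,07:58:41,Renew,10.1.4.57,DORM-PC7.campus.example,00A0C9112233
10,09/11/02,08:02:10,Assign,10.1.5.20,LAB-12.campus.example,0050DA445566
12,09/11/02,08:40:00,Release,10.1.4.57,DORM-PC7.campus.example,00A0C9112233
10,09/11/02,08:45:30,Assign,10.1.6.99,DORM-PC7.campus.example,00A0C9112233
"""

LEASE_EVENTS = {"10", "11"}  # 10 = new lease, 11 = renewal

def netbios_name(host):
    """Reduce an FQDN or mixed-case name to the form Event Viewer shows."""
    return host.split(".")[0].upper()

def parse_leases(log_text):
    """Yield (when, name, ip, mac) for every lease grant or renewal."""
    for row in csv.reader(log_text.splitlines()):
        if len(row) < 7 or row[0] not in LEASE_EVENTS:
            continue  # header, service messages, releases, malformed lines
        when = datetime.strptime(f"{row[1]} {row[2]}", "%m/%d/%y %H:%M:%S")
        yield when, netbios_name(row[5]), row[4], row[6].upper()

def address_at(log_text, workstation, logon_time):
    """Return (ip, mac) of the latest lease granted at or before logon_time."""
    best = None
    for when, name, ip, mac in parse_leases(log_text):
        if name == netbios_name(workstation) and when <= logon_time:
            if best is None or when >= best[0]:
                best = (when, ip, mac)
    return best[1:] if best else None

if __name__ == "__main__":
    # Constructed failed-logon entries: (workstation name, event time).
    for ws, ts in [("DORM-PC7", datetime(2002, 9, 11, 8, 10)),
                   ("dorm-pc7", datetime(2002, 9, 11, 9, 0)),
                   ("UNKNOWN1", datetime(2002, 9, 11, 9, 0))]:
        print(ws, ts, address_at(SAMPLE_DHCP_LOG, ws, ts))
```

The workstation name in a logon event is supplied by the client, so a match is a lead rather than proof; the MAC address is what to take to the switch port lookup.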
