way to log IP addresses of users accessing resources?

  • Thread starter: Michael Salmons

Michael Salmons

Hello,

I'm interested in shutting down someone who is attempting a lot of
unauthorized access to our servers. I've tried net viewing them at
times when they are active and it always comes back as unknown.
Perhaps they have shut down all connections with a local firewall? Or
perhaps a scanning program they are using is spoofing the information.

Either way, the only way I can think of to get a lead is to log the IP
address of machines from which connection attempts, successful or
unsuccessful, are made. Does anyone know of a script or program that
achieves this?

Thanks,

Michael Salmons
(e-mail address removed)
 
Hi Michael. I am not sure what you mean by unauthorized access, but you might try
using the built-in Netmon packet sniffer on the W2K server. It may have thousands of
entries, but you still may be able to pinpoint him with a short capture while he is
active. If he is showing up in the security logs in Event Viewer [auditing needs to
be enabled] as a failed logon attempt, there may be a machine name [maybe IP address
if on LAN] that you could try pinging or using nbtstat -c while he is active. If it
is coming from outside your firewall, you may look at your firewall logs and
correlate the times with failed logon events in the security log. If it is from
inside the network you could also try installing something like Sygate firewall [free
to try] on a targeted server and use it just for its logging abilities that include
sortable columns and a traceback function. You could even disable the firewall
function itself. Just be sure to back up your server [at least System State], in case
it has a problem with Sygate. Good luck. --- Steve

http://smb.sygate.com/default.htm
http://support.microsoft.com/?kbid=148942
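
The time correlation suggested in the reply above (firewall log entries matched against failed logon events in the security log), as an added example that is not part of the original thread. The two comma-separated layouts, the field names and all sample values are constructed assumptions, not a real Sygate or Event Viewer export format.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data; column layouts are assumptions for illustration.
# Firewall log: time, source IP, destination port, action
FIREWALL_LOG = """\
2004-03-01 14:02:11,192.0.2.45,445,allowed
2004-03-01 14:02:13,192.0.2.45,139,allowed
2004-03-01 14:02:40,198.51.100.7,80,allowed
2004-03-01 14:05:02,192.0.2.45,445,allowed
2004-03-01 14:30:00,203.0.113.9,445,blocked
"""
# Failed logon events exported from the security log: time, user, workstation
FAILED_LOGONS = """\
2004-03-01 14:02:12,administrator,UNKNOWN
2004-03-01 14:02:14,admin,UNKNOWN
2004-03-01 14:05:03,backup,UNKNOWN
"""
FMT = "%Y-%m-%d %H:%M:%S"

def parse(text, fields):
    """Split comma-separated lines into dicts, skipping malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != len(fields):
            continue
        row = dict(zip(fields, parts))
        try:
            row["time"] = datetime.strptime(row["time"], FMT)
        except ValueError:
            continue
        rows.append(row)
    return rows

def correlate(firewall_text, logon_text, window_seconds=5):
    """Rank source IPs by how many failed logons they connected close to."""
    conns = parse(firewall_text, ["time", "src_ip", "dst_port", "action"])
    logons = parse(logon_text, ["time", "user", "workstation"])
    window = timedelta(seconds=window_seconds)
    hits = Counter()
    for ev in logons:
        # A set counts each source at most once per failed logon event.
        hits.update({c["src_ip"] for c in conns
                     if abs(c["time"] - ev["time"]) <= window})
    return hits.most_common()

if __name__ == "__main__":
    for ip, n in correlate(FIREWALL_LOG, FAILED_LOGONS):
        print(f"{ip}: connection seen near {n} failed logon(s)")
```

The match is only as good as the clock agreement between the firewall and the server, so widen `window_seconds` if the two are not time-synchronized and expect more unrelated sources in the result when you do.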
 