had a situation today where one account was continuously getting locked
out, but only on the bordermanager server. no user was actually logged
in to eDirectory with this account, but something was apparently trying
to authenticate to BM with this username and the wrong password, every
2 seconds, for a half hour or so. I couldn't figure out where it was
coming from. "monitor>>connections" didn't show anything, as there
was no one connected to the file system with this username (or any
other eDir server, either). In console1, user properties>>intruder
lockout, the "last intruder address" shows as "12". just "12". other
accounts show a full ipaddress, i.e. "192.168.1.x". but this was just
"12". there is a node on the network with the ipaddress"192.168.1.12",
but it is a server. I checked iManager, and it showed the same
thing.

anyone know of any other way to find out the node address...mac or ip,
when something is doing this? If I had that, I could find the node
that is causing the problem, from either zenworks or from the dns
tables.

I'm sure if this was from a workstation, the user had no idea it was
happening...probably some piece of malware or something that is trying
to phone home...no actual "person" would have hit the retry button
every 2 seconds for a half an hour. or the browser on a
MacIntosh...something with no clntrust.exe running....

thanks!


--
chuck