Security Basics mailing list archives
RE: Failed admin logins
From: "Burton M. Strauss III" <Burton () FelisCatus org>
Date: Tue, 23 Nov 2004 10:03:33 -0600
Sounds like you know WHICH machine it is... so focus on that machine... Run some anti-spyware software (http://www.hijackthis.de). Turn off the offending machine. Change the domain admin password. Restart machine. Check log for failure message(s). Search the registry for "Administrator". -----Burton
-----Original Message----- From: McKee, Graydon [mailto:Graydon.McKee () unisys com] Sent: Saturday, November 20, 2004 6:20 PM To: security-basics () securityfocus com Subject: RE: Failed admin logins Understanding that my suggestion may not always be possible - pull the plug and wait to see who screams. Outside of that you could check the audit logs as has been suggested or sniff the packets going to that machine and isolate who is communicating with that box with the logs of when the login occurs. Once you know who is talking you can then examine that box to see what would need to interact with the server in question. Graydon McKee - GSEC Senior Security Architect, Federal Information Security Practice Unisys US Federal Government Group Office: 703-439-5991 Fax: 703-439-3216 Mobile: 240-472-7148 I have recently changed my digital signature, please update your settings if you have saved my previous one. Thank You. -----Original Message----- From: GuidoZ [mailto:uberguidoz () gmail com] Sent: Friday, November 19, 2004 6:01 AM To: Joe Quigley Cc: security-basics () securityfocus com Subject: Re: Failed admin logins Is auditing enabled (or possible)? By auditing failed attempts, then checking the logs in the event viewer, it should lead you right to the source. -- Peace. ~G On Thu, 18 Nov 2004 13:30:33 -0500, Joe Quigley <jquigley () iir-central com> wrote:Hello, I have a machine that is trying to log in as the domain administrator but can't figure out what application/service is doing it. I've checked all the services that login as administrator (yes, very bad idea to use admin for services, I inherited this setup) but that does not seem to be the problem as the services start. I even retyped the password in the services applet just to be sure. Anyone have any thoughts on how to track down the source of this rogue login?? Thanks in advance, Joe
Current thread:
- Failed admin logins Joe Quigley (Nov 19)
- Re: Failed admin logins GuidoZ (Nov 19)
- <Possible follow-ups>
- RE: Failed admin logins Handy, Mark (IT) (Nov 19)
- RE: Failed admin logins McKee, Graydon (Nov 22)
- RE: Failed admin logins Burton M. Strauss III (Nov 23)