Security Incidents mailing list archives
Question about event log events
From: jfp51 () EBEING COM (JF Prieur)
Date: Tue, 8 Feb 2000 16:05:52 -0500
Hello,

First of all, I have been a lurker of this list for a good while and have learnt many things, but I still consider myself a newbie for security purposes. I administer a small LAN for a startup company. I was reviewing the security event log of our firewall machine, NT4 Server SP6a (running BlackIce and Sygate), and saw the following on February the 5th. From 2:45AM to 3:02AM, every 4 seconds, there is a 529 entry:

UserName: Many different ones including administrator, admin, user, root, backup, demo, local, operator, test, guest, etc.
Domain: None
LogonType: 3
LogonProcess: KSecDD
AuthenticationPackage: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: \\

My questions are more for my education than to track him/her down, since I'm 99.999% sure that he did not get in (no successful logon).

1. What was going on? My guess is a script kiddie trying to get in using common usernames.
2. Is there any way I can find out where this was coming from (internal/external)? BlackIce was not running at this point, and I'm sure it would have caught this and given me an IP.

If you have any helpful tips or suggestions based on my email, please respond.

Thanks for your time,
JF Prieur, MCSE
e being communications inc.
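The pattern described in the message (a dense run of 529 failures spread across many account names) can be flagged automatically. The following is an added example, not part of the original post: it assumes the log has already been exported into records, and the `Event` tuple, the thresholds and the sample data are all constructed for illustration.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# One exported security-log record (hypothetical shape; fields named after the post).
Event = namedtuple("Event", "time event_id user logon_type")

def _flush(run, bursts, min_failures, min_users):
    # Keep a run only if it is both dense and spread over many account names.
    users = {e.user.lower() for e in run}
    if len(run) >= min_failures and len(users) >= min_users:
        bursts.append((run[0].time, run[-1].time, len(run), len(users)))

def find_guessing_bursts(events, max_gap=timedelta(seconds=60),
                         min_failures=20, min_users=5):
    """Return (start, end, failures, distinct_users) for each run of 529
    network-logon failures that looks like username guessing.
    Thresholds are assumptions; tune them to the host's normal noise."""
    fails = sorted((e for e in events
                    if e.event_id == 529 and e.logon_type == 3),
                   key=lambda e: e.time)
    bursts, run = [], []
    for e in fails:
        # A quiet period longer than max_gap closes the current run.
        if run and e.time - run[-1].time > max_gap:
            _flush(run, bursts, min_failures, min_users)
            run = []
        run.append(e)
    _flush(run, bursts, min_failures, min_users)
    return bursts

def build_sample():
    """Constructed data: one 529 every 4 s from 02:45 to 03:02, cycling the
    usernames listed in the post, plus two ordinary mistyped-password events."""
    names = ["administrator", "admin", "user", "root", "backup",
             "demo", "local", "operator", "test", "guest"]
    start = datetime(2000, 2, 5, 2, 45, 0)
    events = [Event(start + timedelta(seconds=4 * i), 529, names[i % 10], 3)
              for i in range(256)]
    events.append(Event(datetime(2000, 2, 5, 9, 10, 0), 529, "jsmith", 3))
    events.append(Event(datetime(2000, 2, 5, 9, 10, 20), 529, "jsmith", 3))
    return events

if __name__ == "__main__":
    for start, end, count, users in find_guessing_bursts(build_sample()):
        print(f"{start} -> {end}: {count} failures, {users} usernames")
```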