Re: Weird Windows logon attempts

[Jacco Tunnissen <jacco () honeypots net>]

On Mon, Feb 24, 2003 at 01:27:54PM +1300, Harry Hoffman wrote:

> We have just setup ntsyslog from sourceforge.net. Our security policy is to
> log events on failure and we have just started seeing the below events.
> After talking with the users we are pretty sure that they are not
> attempting to access the services. And they don't have accounts on that
> system.

[...]

> Feb 22 13:27:49 exchange.auckland.ac.nz/exchange.auckland.ac.nz
> security[failure] 681 NT AUTHORITY\SYSTEM  The logon to account: USERNAME  by:
> MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  from workstation: G731-220-4  failed. The
> error code was: 3221225572  

> Feb 22 13:27:49 exchange.auckland.ac.nz/exchange.auckland.ac.nz
> security[failure] 681 NT AUTHORITY\SYSTEM  The logon to account: USERNAME  by:
> MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  from workstation: G731-220-4  failed. The
> error code was: 3221225572  

Hi Harry,

Although I don't exactly know the details about the NT Authentication
process, the following document might help to answer your question.


  https://www.sans.org/rr/win2000/audit_w2k.php
  Auditing the Windows 2000 Authentication Process
  Julio Silveira, April 1, 2001


Good luck,

Jacco Tunnissen
-- 
http://www.honeypots.net/
Honeypot & IDS Resources

----------------------------------------------------------------------------

<Pre>Lose another weekend managing your IDS?
Take back your personal time.
15-day free trial of StillSecure Border Guard.</Pre>
<A href="http://www.securityfocus.com/stillsecure";> http://www.securityfocus.com/stillsecure </A>