Security Incidents mailing list archives
Re: Weird Windows logon attempts
From: Jacco Tunnissen <jacco () honeypots net>
Date: Mon, 24 Feb 2003 04:08:42 +0100
On Mon, Feb 24, 2003 at 01:27:54PM +1300, Harry Hoffman wrote:
We have just set up ntsyslog from sourceforge.net. Our security policy is to log events on failure and we have just started seeing the below events. After talking with the users we are pretty sure that they are not attempting to access the services. And they don't have accounts on that system.
[...]
Feb 22 13:27:49 exchange.auckland.ac.nz/exchange.auckland.ac.nz security[failure] 681 NT AUTHORITY\SYSTEM The logon to account: USERNAME by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: G731-220-4 failed. The error code was: 3221225572
Feb 22 13:27:49 exchange.auckland.ac.nz/exchange.auckland.ac.nz security[failure] 681 NT AUTHORITY\SYSTEM The logon to account: USERNAME by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: G731-220-4 failed. The error code was: 3221225572
Hi Harry,

Although I don't exactly know the details about the NT Authentication process, the following document might help to answer your question.

https://www.sans.org/rr/win2000/audit_w2k.php
Auditing the Windows 2000 Authentication Process
Julio Silveira, April 1, 2001

Good luck,

Jacco Tunnissen
--
http://www.honeypots.net/
Honeypot & IDS Resources
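The error code in the event 681 lines quoted in this thread is an NTSTATUS value printed in decimal. As an added example (not part of the original posts and not ntsyslog's own code), the following Python parses that line format, decodes the code, and counts failures per workstation; the function names, the host name and all sample lines other than the workstation and code taken from the post are constructed for illustration.

```python
import re
from collections import Counter

# NTSTATUS values that commonly appear in event 681 (names from ntstatus.h).
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Matches the ntsyslog rendering of event 681 as quoted in the thread.
EVENT_681 = re.compile(
    r"security\[failure\] 681 .*?The logon to account: (?P<account>.+?) by: "
    r"(?P<package>\S+) from workstation: (?P<workstation>\S+) failed\. "
    r"The error code was: (?P<code>\d+)"
)

def parse_681(line):
    """Return a dict for an event 681 line, or None for any other line."""
    m = EVENT_681.search(line)
    if not m:
        return None
    code = int(m.group("code"))  # logged in decimal, documented in hex
    return {"account": m.group("account"),
            "workstation": m.group("workstation"),
            "code_hex": f"0x{code:08X}",
            "status": NTSTATUS.get(code, "UNKNOWN")}

def summarize(lines):
    """Count failures per (workstation, status) so repeated sources stand out."""
    events = [e for e in map(parse_681, lines) if e]
    return Counter((e["workstation"], e["status"]) for e in events)

# Constructed sample lines in the quoted format; host name is a placeholder.
_FMT = ("Feb 22 13:27:49 host.example/host.example security[failure] 681 "
        "NT AUTHORITY\\SYSTEM The logon to account: {a} by: "
        "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: {w} failed. "
        "The error code was: {c}")
SAMPLE = [
    _FMT.format(a="USERNAME", w="G731-220-4", c=3221225572),
    _FMT.format(a="USERNAME", w="G731-220-4", c=3221225572),
    _FMT.format(a="OTHERUSER", w="EXAMPLE-WS-1", c=3221225578),
    "Feb 22 13:28:01 host.example/host.example security[success] 528 unrelated",
]
```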