Security Incidents mailing list archives

Question about event log events


From: jfp51 () EBEING COM (JF Prieur)
Date: Tue, 8 Feb 2000 16:05:52 -0500


Hello,

First of all, I have been a lurker of this list for a good while and have learnt many things, but I still consider myself a newbie for security purposes. I administer a small LAN for a startup company.

I was reviewing the security event log of our firewall machine NT4 Server SP6a (running BlackIce and Sygate) and saw the following on February the 5th. From 2:45AM to 3:02AM, every 4 seconds, there is a 529 entry:

UserName: Many different ones including administrator, admin, user, root, backup, demo, local, operator, test, guest, etc.
Domain: None
LogonType:3
LogonProcess:KSecDD
AuthenticationPackage:MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name:\\

My questions are more for my education than to track him/her down since I'm 99.999% sure that he did not get in (no successful logon).

1. What was going on? My guess is a script kiddie trying to get in using common usernames.
2. Is there any way I can find out where this was coming from (internal/external)? BlackIce was not running at this point and I'm sure it would have caught this and given me an IP.

If you have any helpful tips or suggestions based on my email, please respond.

Thanks for your time,
JF Prieur, MCSE
e being communications inc.
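
The pattern described in the message above (event 529 failures with logon type 3, a few seconds apart, cycling through many usernames) can be picked out of an exported event log mechanically. The following is an added example, not part of the original post; the tuple layout, the sample records and the thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta

def build_sample():
    """Constructed records: (timestamp, event_id, username, logon_type)."""
    names = ["administrator", "admin", "user", "root", "backup", "demo",
             "local", "operator", "test", "guest"]
    start = datetime(2000, 2, 5, 2, 45, 0)
    # One failure every 4 seconds, 02:45:00 through 03:01:56.
    events = [(start + timedelta(seconds=4 * i), 529, names[i % len(names)], 3)
              for i in range(255)]
    # Unrelated noise: a single failed interactive (type 2) logon.
    events.append((datetime(2000, 2, 5, 9, 12, 30), 529, "jsmith", 2))
    return events

def find_guessing_bursts(events, max_gap=30, min_events=20, min_users=5):
    """Group network-logon failures (event 529, type 3) into bursts whose
    consecutive entries are at most max_gap seconds apart, then keep the
    bursts that are long enough and touch enough distinct usernames.
    The three thresholds are assumed starting points, not tuned values."""
    failures = sorted(e for e in events if e[1] == 529 and e[3] == 3)
    bursts, current = [], []
    for ev in failures:
        if current and (ev[0] - current[-1][0]).total_seconds() > max_gap:
            bursts.append(current)
            current = []
        current.append(ev)
    if current:
        bursts.append(current)
    report = []
    for b in bursts:
        users = {e[2].lower() for e in b}
        if len(b) >= min_events and len(users) >= min_users:
            report.append({"start": b[0][0], "end": b[-1][0],
                           "count": len(b), "users": sorted(users)})
    return report

if __name__ == "__main__":
    for r in find_guessing_bursts(build_sample()):
        print(r["start"], "->", r["end"], r["count"], "failures,",
              len(r["users"]), "usernames:", ", ".join(r["users"]))
```

A long burst over many distinct usernames points to automated guessing rather than one user mistyping a password; the event fields quoted in the message carry no source address, so the burst window is what to correlate against firewall or router logs.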

