Security Incidents mailing list archives

RE: Logon/Logoff Failure Events


From: "Russell Morrison" <rmorrison () axys net>
Date: Thu, 3 Apr 2003 09:17:50 -0700

Ana;

I have noted you received several good responses to your initial query (see
below) that you sent out late March.  If your MS network is in fact open to
the internet without some level of screening, those suggestions are likely bang
on.  However, if your network is screened and the MS aspects are not
directly exposed, I might suggest one other possible (perhaps less
malicious) source for your noted login attempts.

I have noted, with interest, similar aspects on my own network (which I
should say is heavily screened and MS traffic is dropped at the
firewalls....).  In addition, I am not sure of the architecture of your
network and whether it is a pure MS/NT environment or whether there are
other "aspects" that are "MS compatible" but not true MS products.  SAN
appliances and Linux/Unix boxes running SAMBA (or the similar SUN PCNetlink)
have a tendency to continually hammer away at the PDC using a list of all
users (past and current) that have logged into those boxes/servers.  It
usually shows up in the logs as attempts every second or few seconds
depending on the number of installs/appliances, the number of users, and
various other factors.  They generally show up as failures in all cases.

Initially, I thought this was a security issue so I did some digging
tracking down the traffic.  I found it was a SAN appliance I was using for
offline storage.  I went to task with the manufacturer of the SAN appliance.
The device was continually hammering away at our PDC with a wide list of
old and current users, with each one failing.  The manufacturer's tech
acknowledged the issue as an aspect of the version of Uni*/Linu* they were
running along with the Samba tool that made it plug-and-play in a MS
environment.  Obviously, I have since removed the box (it had a number of
issues in addition to this one....) but I have seen very similar traffic
with both Linux/Samba and Solaris/PCNetlink installs on my network.

Not sure if any of these devices/OS's/tools are on your network but this may
give you one other source to check out.

HTH.

Russell



-----Original Message-----
From: A. Naveira [mailto:anaveira () hotmail com]
Sent: Monday, March 31, 2003 3:37 PM
To: incidents () securityfocus com
Cc: intrusions () incidents org
Subject: Logon/Logoff Failure Events


I recently implemented the account lockout policy on my NT4 PDC (all my
clients authenticate to this server) and encountered the following events in
my security event log:

1. User accounts continue to get locked (Event 539)
2. Expired password accounts continue trying to log in to the network (Event
535)
3. Accounts restricted to specific workstations are trying to log in to
unidentified workstations that I can't seem to ID on my network (Event 533)
AND
4. Bad password attempts on existing accounts from unidentified workstations
that I can't seem to ID on my network (Event 529)

These events seem quite unsettling, as I see MULTIPLE failed attempts per
second (more than humanly possible).  Could this be an automated process
(token authentication) that NT is running to authenticate services, apps, or
other processes or, as I expect, could it be a script trying to guess user
passwords?  Has anyone encountered this previously in NT4 with benign
sources?

Ana
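One way to triage the pattern both messages describe (failure events 529/533/535/539 arriving several times a second from workstations that are not in the inventory), as an added example that is not part of this thread or of any NT4 tool: group the failures by source workstation, measure the per-second burst rate and the number of distinct accounts involved, and flag sources that are both automated and unknown for a traffic trace. The CSV layout (time, event id, account, workstation), the sample rows, the inventory set and the thresholds are all constructed assumptions for illustration; a real export (for example from dumpel) would need its own field mapping.

```python
"""Triage NT4-style logon-failure events by source workstation.

Added example, not code from the original thread. The records below are
constructed sample data in an assumed CSV layout
(time, event id, account, workstation); a real NT4 export would need
its own field mapping.
"""
import csv
from collections import Counter, defaultdict
from datetime import datetime
from io import StringIO

# NT4 security-log event IDs named in the thread.
LOGON_FAILURE_EVENTS = {
    529: "bad username or password",
    533: "workstation restriction",
    535: "password expired",
    539: "account locked out",
}

# Constructed sample export (not real data): one host replaying a list of
# old and current accounts several times a second, plus two quiet sources.
SAMPLE_LOG = """\
2003-03-31 15:20:01,529,jsmith,NASBOX1
2003-03-31 15:20:01,529,rjones,NASBOX1
2003-03-31 15:20:01,535,mbrown,NASBOX1
2003-03-31 15:20:02,529,jsmith,NASBOX1
2003-03-31 15:20:02,539,tlee,NASBOX1
2003-03-31 15:20:02,533,awong,NASBOX1
2003-03-31 15:20:03,529,rjones,NASBOX1
2003-03-31 15:20:05,529,jsmith,WS-ANA
2003-03-31 15:20:40,529,jsmith,WS-ANA
2003-03-31 15:21:10,529,administrator,WS-FOO
"""

# Assumed workstation inventory (hypothetical names).
KNOWN_WORKSTATIONS = {"WS-ANA", "WS-BOB"}


def parse_events(text):
    """Parse CSV rows into (datetime, event_id, account, workstation) tuples,
    keeping only the logon-failure event IDs of interest."""
    events = []
    for row in csv.reader(StringIO(text)):
        if not row:
            continue
        ts, eid, account, ws = row
        eid = int(eid)
        if eid in LOGON_FAILURE_EVENTS:
            events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                           eid, account.lower(), ws.upper()))
    return events


def summarize_by_workstation(events, known):
    """Per source workstation: total failures, event-ID mix, distinct accounts,
    peak failures within any one second, and whether it is in inventory."""
    per_ws = defaultdict(list)
    for ev in events:
        per_ws[ev[3]].append(ev)
    summary = {}
    for ws, evs in per_ws.items():
        per_second = Counter(ev[0].replace(microsecond=0) for ev in evs)
        summary[ws] = {
            "total": len(evs),
            "by_event": dict(Counter(ev[1] for ev in evs)),
            "accounts": sorted({ev[2] for ev in evs}),
            "peak_per_second": max(per_second.values()),
            "known": ws in known,
        }
    return summary


def triage(summary, peak_threshold=2, account_threshold=3):
    """Label each source. Failures across many accounts at faster-than-human
    speed are either an automated password guess or a non-Windows client
    replaying a cached user list (the Samba/PCNetlink case in the thread);
    the security log alone cannot tell these apart, so both get a trace."""
    verdicts = {}
    for ws, s in summary.items():
        automated = (s["peak_per_second"] >= peak_threshold
                     and len(s["accounts"]) >= account_threshold)
        if automated and not s["known"]:
            verdicts[ws] = ("automated, unknown host: trace its traffic, "
                            "check for Samba/PCNetlink or password guessing")
        elif automated:
            verdicts[ws] = "automated, known host: check services and scheduled jobs on it"
        elif not s["known"]:
            verdicts[ws] = "unknown host, low rate: identify the machine"
        else:
            verdicts[ws] = "known host, low rate: likely a user typo"
    return verdicts


if __name__ == "__main__":
    summ = summarize_by_workstation(parse_events(SAMPLE_LOG), KNOWN_WORKSTATIONS)
    for ws, verdict in triage(summ).items():
        s = summ[ws]
        print(f"{ws}: {s['total']} failures, {len(s['accounts'])} accounts, "
              f"peak {s['peak_per_second']}/s -> {verdict}")
```

The verdict for a flagged unknown host is deliberately not "attack": as the reply above notes, the next step is to trace the SMB traffic back to the source IP and see whether it is a Samba or PCNetlink box cycling through its cached user list or something actually guessing passwords.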



