Weird Windows logon attempts

[Harry Hoffman <hhoffman () ip-solutions net>]

Hi All,

We have just setup ntsyslog from sourceforge.net. Our security policy is to log
events on failure and we have just started seeing the below events. After
talking with the users we are pretty sure that they are not attempting to access
the services. And they don't have accounts on that system.

Has anyone seen this? They are 2k/XP boxes. Does Windows 2k/XP automagically try
to find out what services are accessible?
Any insight would be great.

The username has been changed to USERNAME to protect, the hopefully, innocent.

Thanks,
Harry


Feb 22 13:27:49 exchange.auckland.ac.nz/exchange.auckland.ac.nz
security[failure] 681 NT AUTHORITY\SYSTEM  The logon to account: USERNAME  by:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  from workstation: G731-220-4  failed. The
error code was: 3221225572  
Feb 22 13:27:49 exchange.auckland.ac.nz/exchange.auckland.ac.nz
security[failure] 681 NT AUTHORITY\SYSTEM  The logon to account: USERNAME  by:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  from workstation: G731-220-4  failed. The
error code was: 3221225572  


-- 
Harry Hoffman
ITSS Systems Team Leader
University of Auckland
hhoffman () auckland ac nz
hhoffman () ip-solutions net
STANDARD DISCLAIMER:
**********************************************
*This universe shipped by weight, not volume.*
*Some expansion may have occured in shipping.*
*********************************************


-------------------------------------------------
This mail sent through IpSolutions: http://www.ip-solutions.net/

----------------------------------------------------------------------------

Do you know the base address of the Global Offset Table (GOT) on a Solaris 8
box?
CORE IMPACT does.
www.securityfocus.com/core