Security Incidents mailing list archives

Re: Weird Windows logon attempts

From: Bojan Zdrnja <bojan.zdrnja () lss hr>
Date: Mon, 24 Feb 2003 10:07:55 +0100

Hi All,

We have just setup ntsyslog from sourceforge.net. Our security policy is to log
events on failure and we have just started seeing the below events. After
talking with the users we are pretty sure that they are not attempting to access
the services. And they don't have accounts on that system.


You should see same logs in your server's event log.

Has anyone seen this? They are 2k/XP boxes. Does Windows 2k/XP automagically try
to find out what services are accessible?
Any insight would be great.


Can you maybe confirm that problem is happening only when users work on
Windows XP boxes ?

Feb 22 13:27:49 exchange.auckland.ac.nz/exchange.auckland.ac.nz
security[failure] 681 NT AUTHORITY\SYSTEM  The logon to account: USERNAME  by:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  from workstation: G731-220-4  failed. The
error code was: 3221225572


<You probably knew this>
This indicates that even 681 occured (failed logon attempt).
Error code was 3221225572, which translated in hexadecimal is 0xC0000064:
User logon with misspeled or bad user account (this confirms user don't have
account on target machine).
</You probably knew this>

Basically, you should check on both machines (server and client here) what's
happening.

I had similar problem, but only with Windows XP machines.
Solution was to switch off the setting in the Explorer for Automatic discovery
of network folders and shares.
(Tools->Folder Options->View->Advanced).
If this is not switched off, when user clicks on My Network places, his
computer tries to get shared resources list of all computers on the LAN.

Other problem with this, besides it's filling your logs on servers, is that
if you have some Pre-Win2K machines on the network, XP will transmit it's
password to those machines as well. It will transmit LM hash which is weak.
You can disable Windows XP generating LM hash by modifying following
registry key:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash

it's value should be set to 1 (REG_DWORD).
More info about this at: http://www.sans.org/top20/#W6


Best regards,

Bojan Zdrnja

----------------------------------------------------------------------------

<Pre>Lose another weekend managing your IDS?
Take back your personal time.
15-day free trial of StillSecure Border Guard.</Pre>
<A href="http://www.securityfocus.com/stillsecure";> http://www.securityfocus.com/stillsecure </A>

Current thread:

Weird Windows logon attempts Harry Hoffman (Feb 23)
- Re: Weird Windows logon attempts Jacco Tunnissen (Feb 24)
- Re: Weird Windows logon attempts H C (Feb 25)
  - Re: Weird Windows logon attempts Russell Fulton (Feb 26)
    - RE: Weird Windows logon attempts Mary McAllister (Feb 26)
- <Possible follow-ups>
- Re: Weird Windows logon attempts Bojan Zdrnja (Feb 24)
- RE: Weird Windows logon attempts Terence Runge (Feb 24)