Security Incidents mailing list archives

Re: Weird Windows logon attempts


From: H C <keydet89 () yahoo com>
Date: Mon, 24 Feb 2003 03:38:10 -0800 (PST)

Harry,

Have you gone back to the boxes and retrieved the
actual EventLog entries?  There's some info missing
from the syslog entry below that may be useful.


--- Harry Hoffman <hhoffman () ip-solutions net> wrote:
Hi All,

We have just set up ntsyslog from sourceforge.net. Our security policy is to log
events on failure and we have just started seeing the below events. After
talking with the users we are pretty sure that they are not attempting to access
the services. And they don't have accounts on that system.

Has anyone seen this? They are 2k/XP boxes. Does Windows 2k/XP automagically try
to find out what services are accessible?
Any insight would be great.

The username has been changed to USERNAME to protect the, hopefully, innocent.

Thanks,
Harry


Feb 22 13:27:49 exchange.auckland.ac.nz/exchange.auckland.ac.nz security[failure] 681 NT AUTHORITY\SYSTEM  The logon to account: USERNAME  by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  from workstation: G731-220-4  failed. The error code was: 3221225572
Feb 22 13:27:49 exchange.auckland.ac.nz/exchange.auckland.ac.nz security[failure] 681 NT AUTHORITY\SYSTEM  The logon to account: USERNAME  by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  from workstation: G731-220-4  failed. The error code was: 3221225572


-- 
Harry Hoffman
ITSS Systems Team Leader
University of Auckland
hhoffman () auckland ac nz
hhoffman () ip-solutions net
STANDARD DISCLAIMER:
**********************************************
*This universe shipped by weight, not volume.*
*Some expansion may have occured in shipping.*
*********************************************
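
Added example (not part of either message in this thread, and not ntsyslog's own code): the decimal error code in the quoted 681 entries is an NTSTATUS value, so 3221225572 is 0xC0000064, STATUS_NO_SUCH_USER. The Python below parses forwarded 681 lines in the layout quoted above, decodes the code, and counts failures per workstation and account. The WS-EXAMPLE host, the srv.example server and the 528 line are constructed for illustration.

```python
import re
from collections import Counter

# NTSTATUS logon-failure values; event 681 records them in decimal.
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000193: "STATUS_ACCOUNT_EXPIRED",
    0xC0000224: "STATUS_PASSWORD_MUST_CHANGE",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Field layout taken from the two entries quoted in the message above.
EVENT_681 = re.compile(
    r"security\[failure\]\s+681\s+.*?The logon to account:\s*(?P<account>.+?)"
    r"\s+by:\s*(?P<package>\S+)\s+from workstation:\s*(?P<workstation>.+?)"
    r"\s+failed\.\s*The error code was:\s*(?P<code>\d+)")

def parse_681(line):
    """Return the fields of one forwarded 681 entry, or None if it is not one."""
    m = EVENT_681.search(" ".join(line.split()))  # undo mail/syslog line wrapping
    if m is None:
        return None
    code = int(m["code"])
    return {**m.groupdict(), "code": code, "hex": f"0x{code:08X}",
            "status": NTSTATUS.get(code, "UNKNOWN")}

def summarize(lines):
    """Count failures per (workstation, account, status)."""
    events = filter(None, map(parse_681, lines))
    return Counter((e["workstation"], e["account"], e["status"]) for e in events)

# Entry as quoted in the thread, with the mail client's line wrapping kept.
PAGE_ENTRY = ("Feb 22 13:27:49\nexchange.auckland.ac.nz/exchange.auckland.ac.nz\n"
              "security[failure] 681 NT AUTHORITY\\SYSTEM  The logon\nto account: USERNAME  by:\n"
              "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  from\nworkstation: G731-220-4  failed. The\n"
              "error code was: 3221225572  ")
CONSTRUCTED = [  # constructed sample lines, not from the thread
    "Feb 22 13:30:02 srv.example/srv.example security[failure] 681 NT AUTHORITY\\SYSTEM  "
    "The logon to account: USERNAME  by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  "
    "from workstation: WS-EXAMPLE  failed. The error code was: 3221225578",
    "Feb 22 13:30:05 srv.example/srv.example security[success] 528 EXAMPLE\\user  Successful Logon",
]

if __name__ == "__main__":
    for key, count in summarize([PAGE_ENTRY, PAGE_ENTRY] + CONSTRUCTED).items():
        print(count, *key)
```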

