Security Incidents mailing list archives
Re: Weird Windows logon attempts
From: H C <keydet89 () yahoo com>
Date: Mon, 24 Feb 2003 03:38:10 -0800 (PST)
Harry,

Have you gone back to the boxes and retrieved the actual EventLog entries? There's some info missing from the syslog entry below that may be useful.

--- Harry Hoffman <hhoffman () ip-solutions net> wrote:
Hi All,

We have just set up ntsyslog from sourceforge.net. Our security policy is to log events on failure and we have just started seeing the below events.

After talking with the users we are pretty sure that they are not attempting to access the services. And they don't have accounts on that system.

Has anyone seen this? They are 2k/XP boxes. Does Windows 2k/XP automagically try to find out what services are accessible?

Any insight would be great. The username has been changed to USERNAME to protect the, hopefully, innocent.

Thanks,
Harry

Feb 22 13:27:49 exchange.auckland.ac.nz/exchange.auckland.ac.nz security[failure] 681 NT AUTHORITY\SYSTEM The logon to account: USERNAME by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: G731-220-4 failed. The error code was: 3221225572

Feb 22 13:27:49 exchange.auckland.ac.nz/exchange.auckland.ac.nz security[failure] 681 NT AUTHORITY\SYSTEM The logon to account: USERNAME by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: G731-220-4 failed. The error code was: 3221225572

--
Harry Hoffman
ITSS Systems Team Leader
University of Auckland
hhoffman () auckland ac nz
hhoffman () ip-solutions net

STANDARD DISCLAIMER:
**********************************************
*This universe shipped by weight, not volume.*
*Some expansion may have occurred in shipping.*
*********************************************

-------------------------------------------------
This mail sent through IpSolutions: http://www.ip-solutions.net/
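Added example, not part of the original messages: the 681 lines quoted above carry the failure reason as a decimal number, which is easier to triage once converted to its NTSTATUS name and counted per workstation. The sketch below assumes the syslog line layout shown in the post; the function names and the second sample line are constructed for illustration, and the status table is a subset of the values defined in Microsoft's ntstatus.h.

```python
import re
from collections import Counter

# Subset of NTSTATUS logon-failure values (as defined in Microsoft's ntstatus.h).
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER", 0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE", 0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000070: "STATUS_INVALID_WORKSTATION", 0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED", 0xC0000193: "STATUS_ACCOUNT_EXPIRED",
    0xC0000224: "STATUS_PASSWORD_MUST_CHANGE", 0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Event 681 text in the layout shown in the post; other forwarders may differ.
EVENT_681 = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssecurity\[failure\]\s681\s.*?"
    r"The logon to account:\s(?P<account>.+?)\sby:\s(?P<package>\S+)\s"
    r"from workstation:\s(?P<workstation>.+?)\sfailed\.\s"
    r"The error code was:\s(?P<code>-?\d+)"
)

def parse_681(line):
    """Return the fields of one event 681 line, or None if it does not match."""
    m = EVENT_681.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Assumption: some forwarders print the code as a signed 32-bit integer,
    # so normalise to unsigned before the lookup.
    code = int(rec["code"]) & 0xFFFFFFFF
    rec.update(code=code, code_hex=f"0x{code:08X}",
               status=NTSTATUS.get(code, "UNKNOWN"))
    return rec

def summarize(lines):
    """Count failures per (workstation, account, status); skip other lines."""
    counts = Counter()
    for rec in filter(None, map(parse_681, lines)):
        counts[(rec["workstation"], rec["account"], rec["status"])] += 1
    return counts

# First line is the one quoted in the post; the second is constructed.
PAGE_LINE = r"Feb 22 13:27:49 exchange.auckland.ac.nz/exchange.auckland.ac.nz security[failure] 681 NT AUTHORITY\SYSTEM The logon to account: USERNAME by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: G731-220-4 failed. The error code was: 3221225572"
CONSTRUCTED = r"Feb 22 13:30:02 host.example/host.example security[failure] 681 NT AUTHORITY\SYSTEM The logon to account: USER2 by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: WS-EXAMPLE failed. The error code was: -1073741718"

if __name__ == "__main__":
    for key, n in summarize([PAGE_LINE, PAGE_LINE, CONSTRUCTED]).items():
        print(n, *key)
```

The code in the quoted lines, 3221225572, is 0xC0000064 (STATUS_NO_SUCH_USER).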
Current thread:
- Weird Windows logon attempts Harry Hoffman (Feb 23)
- Re: Weird Windows logon attempts Jacco Tunnissen (Feb 24)
- Re: Weird Windows logon attempts H C (Feb 25)
- Re: Weird Windows logon attempts Russell Fulton (Feb 26)
- RE: Weird Windows logon attempts Mary McAllister (Feb 26)
- Re: Weird Windows logon attempts Russell Fulton (Feb 26)
- <Possible follow-ups>
- Re: Weird Windows logon attempts Bojan Zdrnja (Feb 24)
- RE: Weird Windows logon attempts Terence Runge (Feb 24)