R. Troy MacVay (Guest)
Posted: Fri Dec 31, 2004 10:07 pm
Post subject: Questionable Failed Logon Events

We have a SBS 2003 Server and I am seeing some strange logon failures in the
Security log. What bothers me is that they appear to be coming from inside
the network. This is a small network and these events are happening over
Christmas as well when I know there is no one in the office.
If anyone can shed some light on this I would greatly appreciate it. Here
are the details:
The attempts are just guessing at account names such as Test, Webmaster,
Admin. We normally see these types of events for people trying to log in to OWA
but when I do a test to replicate, I get a different set of log events.
Here are the events:
Event 680
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 12/28/2004
Time: 11:33:43 AM
User: NT AUTHORITY\SYSTEM
Computer: (MyServer)
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: webmaster
Source Workstation: (MyServer)
Error Code: 0xC0000064
Event 529
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 12/28/2004
Time: 11:33:43 AM
User: NT AUTHORITY\SYSTEM
Computer: (MyServer)
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: webmaster
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: (MyServer)
Caller User Name: (MyServer)$
Caller Domain: pbfrasernet
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 7636
Transited Services: -
Source Network Address: -
Source Port: -
Where are these attempts coming from? From the logon type it appears that
they are coming from inside the network.
Can someone help?
Thanks in Advance

Roger Abell (Guest)
Posted: Fri Dec 31, 2004 10:45 pm
Post subject: Re: Questionable Failed Logon Events

It is likely that the system is being probed for weak account
passwords with a guessed list of account names. There are
any number of tools that do or include this, such as Nessus
on the more valued tool end of the spectrum.
You should determine from where these arise, the internal
or external network, and if internal from which machine.
If your place is small enough you could even do this by
selective unplugging of network wires, as when I have seen
these probes they can continue for a fairly long time.
The upside is that this usually means that you do have
null enumeration successfully shut off, else the attempts
would be with accounts that do exist.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

Marina Roos [SBS-MVP] (Guest)
Posted: Sat Jan 01, 2005 12:31 am
Post subject: Re: Questionable Failed Logon Events

Hi R,
Those are SMTP attacks. Make sure you use strong passwords.
--
Regards,
Marina
Microsoft SBS-MVP
One of the Magical M&M's

R. Troy MacVay (Guest)
Posted: Sat Jan 01, 2005 2:41 am
Post subject: RE: Questionable Failed Logon Events

Thank you for the responses.
Marina,
You gave me the answer I needed. I could not tell how these attempts were
being made as the Logon Type was 3 so it appeared that they were local
attempts at the box itself. I have tested using Outlook with a bum account
to send mail to this server to see if it would log the same events and it
does.
I see now that they are coming from the outside so that is all that I need
to know. The passwords are secure.
Thank you for your help.
Cheers,
R. Troy MacVay
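
An added triage example, not part of the original thread: it parses event 529 text in the "Label: value" layout quoted above and separates failures a local service submitted as SYSTEM (Advapi, Caller Logon ID 0x3E7, no source address) from those that carry a remote address. The function names, the sample events and the 192.0.2.25 address are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: two events shaped like the 529 in the thread, plus one
# ordinary network logon failure that does record a source address.
TEMPLATE = ("Event ID: 529\nUser Name: {0}\nLogon Type: 3\nLogon Process: {1}\n"
            "Caller Logon ID: {2}\nCaller Process ID: {3}\n"
            "Source Network Address: {4}\n")
SAMPLE = "".join(TEMPLATE.format(*row) for row in [
    ("webmaster", "Advapi", "(0x0,0x3E7)", "7636", "-"),
    ("test", "Advapi", "(0x0,0x3E7)", "7636", "-"),
    ("jsmith", "NtLmSsp", "-", "-", "192.0.2.25"),
])

def parse_events(text):
    """Return one dict per event; a new record starts at each 'Event ID' line."""
    events = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon only, so times survive
        if not sep:
            continue  # heading lines such as 'Event 529' carry no field
        key, value = key.strip(), value.strip()
        if key == "Event ID":
            events.append({})
        if events:
            events[-1][key] = value
    return events

def origin(ev):
    """Say where the real source of a failed logon has to be looked up."""
    addr = ev.get("Source Network Address", "-")
    if addr not in ("-", ""):
        return "remote:" + addr
    # 0x3E7 is the LocalSystem logon session and Advapi means a LogonUser call:
    # a process on the server checked credentials handed to it by a client, so
    # the client's address is in that service's own log, not in this event.
    if (ev.get("Logon Process") == "Advapi"
            and ev.get("Caller Logon ID", "").lower().endswith("0x3e7)")):
        return "local-service:pid=" + ev.get("Caller Process ID", "?")
    return "unknown"

def summarize(text):
    """Group the guessed account names of 529 failures by origin."""
    names = defaultdict(set)
    for ev in parse_events(text):
        if ev.get("Event ID") == "529":
            names[origin(ev)].add(ev.get("User Name", "").lower())
    return {k: sorted(v) for k, v in names.items()}

if __name__ == "__main__":
    for where, accounts in summarize(SAMPLE).items():
        print(where, accounts)
```

The Caller Process ID can be matched to a running service on the server (for example in Task Manager with the PID column enabled) to identify which service's log holds the client addresses.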