Massimo Piceni
Guest
Posted: Mon Jan 17, 2005 5:39 pm
Post subject: RE: Am I seeing an attempted security breach?
Hi Daren,
Sounds more like a service or scheduled task that's trying to do something
with bad credentials. Check if there are scheduled tasks at 13:30. Also check
if you have any service that starts with specific user credentials rather
than with the system account.
You can also take a look at which process is the one indicated by Caller Process
ID (but you need to do it at 13:33, or you'll get a bad indication). You can
monitor process creation/deletion with PMon
(http://www.sysinternals.com/ntw2k/freeware/pmon.shtml)
Hope this will be useful.
Massimo.
"Daren Addison" wrote:
Quote:
I have posted below the event that concerns me.
I have this message logged daily over the past week (as far back as I have
checked so far). The strange thing is that the time stamp is identical
every day, at 13:33.
Logon Failure:
Reason: Unknown user name or bad password
User Name: <myname>
Domain: <domain name>
Logon Type: 4
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: <sbs server>
Caller User Name: <server name>$
Caller Domain: <domain name>
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1292
Transited Services: -
Source Network Address: -
Source Port: -
Any advice would be welcomed.
Running SBS2003 std. Using Intelligent Gateway 1800 office portal, which has
built in firewall. Using NAT config.
Server has 2 NICs.
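The triage reasoning in the reply above, as an added example that is not part of the original thread: it parses the event's "Name: value" fields and flags logon failures that repeat at the same minute on several days, which points to a schedule rather than a person. The function names, the `exampleuser` account and the sample dates are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Windows logon type codes (4 = batch, the type scheduled tasks use).
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 10: "RemoteInteractive"}
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")

def parse_event(text):
    """Turn the 'Name: value' lines of an event description into a dict."""
    return {m.group(1).strip(): m.group(2).strip()
            for m in map(FIELD.match, text.splitlines()) if m}

def triage(events, min_days=3):
    """events: (timestamp, description) pairs. Report failures repeating at
    the same minute on min_days or more dates (a schedule, not a person)."""
    days, sample = defaultdict(set), {}
    for ts, text in events:
        f = parse_event(text)
        key = (f.get("User Name"), f.get("Logon Type"), ts.strftime("%H:%M"))
        days[key].add(ts.date())
        sample[key] = f
    findings = []
    for key, dates in days.items():
        if len(dates) < min_days:
            continue
        f = sample[key]
        findings.append({
            "user": key[0], "time": key[2], "days": len(dates),
            "logon_type": LOGON_TYPES.get(int(f.get("Logon Type") or 0), "Unknown"),
            # Logon ID 0x3E7 is the Local System session on this machine.
            "caller_is_system": f.get("Caller Logon ID") == "(0x0,0x3E7)",
            # "-" means no remote address was recorded for the attempt.
            "local_origin": f.get("Source Network Address", "-") == "-",
            "caller_pid": int(f.get("Caller Process ID") or 0),
        })
    return findings

# Constructed sample: the thread's event fields with a placeholder account,
# on five consecutive (made-up) dates, plus one unrelated network failure.
EVENT = """Reason: Unknown user name or bad password
User Name: exampleuser
Logon Type: 4
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1292
Source Network Address: -"""
SAMPLE = [(datetime(2005, 1, d, 13, 33), EVENT) for d in range(10, 15)]
SAMPLE.append((datetime(2005, 1, 12, 2, 14), EVENT.replace("Type: 4", "Type: 3")))
print(*triage(SAMPLE), sep="\n")
```

A finding with a batch logon type, a Local System caller and no source address matches the reply's reading: a scheduled task or service on the server itself using stale credentials.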