RE: Weird Windows logon attempts
From: Terence Runge (Terence.Runge@veritas.com)
Date: 02/24/03
- Previous message: Bojan Zdrnja: "Re: Weird Windows logon attempts"
- Maybe in reply to: Harry Hoffman: "Weird Windows logon attempts"
- Next in thread: H C: "Re: Weird Windows logon attempts"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Terence Runge <Terence.Runge@veritas.com> To: 'Harry Hoffman' <hhoffman@ip-solutions.net>, incidents@securityfocus.org Date: Sun, 23 Feb 2003 23:00:50 -0800
I have seen this pattern on repeat occasions and is indicative of virus
activity, most recently seen as W32.ELKERN. Take a look at the virus
protection on the Windows systems, make sure it updated and running. Run a
full scan while there, it is a good starting point.
-----Original Message-----
From: Harry Hoffman [mailto:hhoffman@ip-solutions.net]
Sent: Sunday, February 23, 2003 4:28 PM
To: incidents@securityfocus.org
Subject: Weird Windows logon attempts
Hi All,
We have just setup ntsyslog from sourceforge.net. Our security policy is to
log
events on failure and we have just started seeing the below events. After
talking with the users we are pretty sure that they are not attempting to
access
the services. And they don't have accounts on that system.
Has anyone seen this? They are 2k/XP boxes. Does Windows 2k/XP automagically
try
to find out what services are accessible?
Any insight would be great.
The username has been changed to USERNAME to protect, the hopefully,
innocent.
Thanks,
Harry
Feb 22 13:27:49 exchange.auckland.ac.nz/exchange.auckland.ac.nz
security[failure] 681 NT AUTHORITY\SYSTEM The logon to account: USERNAME
by:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: G731-220-4 failed.
The
error code was: 3221225572
Feb 22 13:27:49 exchange.auckland.ac.nz/exchange.auckland.ac.nz
security[failure] 681 NT AUTHORITY\SYSTEM The logon to account: USERNAME
by:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: G731-220-4 failed.
The
error code was: 3221225572
-- Harry Hoffman ITSS Systems Team Leader University of Auckland hhoffman@auckland.ac.nz hhoffman@ip-solutions.net STANDARD DISCLAIMER: ********************************************** *This universe shipped by weight, not volume.* *Some expansion may have occured in shipping.* ********************************************* ------------------------------------------------- This mail sent through IpSolutions: http://www.ip-solutions.net/ ---------------------------------------------------------------------------- Do you know the base address of the Global Offset Table (GOT) on a Solaris 8 box? CORE IMPACT does. www.securityfocus.com/core ---------------------------------------------------------------------------- <Pre>Lose another weekend managing your IDS? Take back your personal time. 15-day free trial of StillSecure Border Guard.</Pre> <A href="http://www.securityfocus.com/stillsecure"> http://www.securityfocus.com/stillsecure </A>
- Next message: Dan Harpold: "Web server crashed, now is trying to contact an IP by port 80 every morning."
- Previous message: Bojan Zdrnja: "Re: Weird Windows logon attempts"
- Maybe in reply to: Harry Hoffman: "Weird Windows logon attempts"
- Next in thread: H C: "Re: Weird Windows logon attempts"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
