Re: Hack or not? - Unknown User Name and logon attempt
From: Ed Thurber (user_at_mail.com)
Date: 05/08/03
- Next message: Ed Thurber: "Good, free, security scanner."
- Previous message: Steve Parry: "Re: WinXP slow to logon to Win2000 Domain Controller"
- In reply to: Jann: "Hack or not? - Unknown User Name and logon attempt"
- Next in thread: Jann: "Re: Hack or not? - Unknown User Name and logon attempt"
- Reply: Jann: "Re: Hack or not? - Unknown User Name and logon attempt"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 8 May 2003 09:29:33 -0400
I have seen this when a user logs in with a local account on a PC that is
part of the domain. For some reason the machine (ROSCO1$) has problems
validating with the domain.
"Jann" <jann@dial.pipex.com> wrote in message
news:%23amKHDPFDHA.2288@TK2MSFTNGP12.phx.gbl...
> Have been toothcombing the event logs following the hacking attempt (see
> previous post) and have found what seems to be a Security log event which
> may/may not be alarming - could anyone help on this one?
>
> After the business closed, I see at 18h30 the following events in the
> Security log:
>
> (and what worries me is there is no Workstation 'ROSCO1' on the premises,
> or a user a/c by that name)
>
> EvId 681 - Account logon Failure, User NT Authority System
>
> "The logon to account: ROSCO1$
>
> by MICROSOFT AUTHENTICATION PACKAGE V1_0
>
> from Workstation: ROSCO1 failed
>
> The error code was: 3221225572"
>
> then
>
> EvID 529 - Unknown User Name or Bad P/w
>
> User name: ROSCO1$
>
> Domain: ROSCO (nb NOT our domain name)
>
> Logon Type: 3....
>
> Any idea what the heck is going on? (I'm sure I've never seen this kind of
> thing before)
>
> Thanks
>
>
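An added triage example, not part of either poster's message: it parses the two events quoted above, decodes the decimal error code into its NTSTATUS value, and flags the properties that matter when judging such a failure. The domain name `EXAMPLECORP` and the host inventory are constructed placeholders; the helper names `field` and `triage` are hypothetical.

```python
import re

# Well-known NTSTATUS values seen in Windows logon-failure events.
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
LOGON_TYPES = {2: "interactive", 3: "network"}

# Event text as quoted in the post, blank lines and trailing dots removed.
EVENT_681 = """The logon to account: ROSCO1$
by MICROSOFT AUTHENTICATION PACKAGE V1_0
from Workstation: ROSCO1 failed
The error code was: 3221225572"""
EVENT_529 = """User name: ROSCO1$
Domain: ROSCO
Logon Type: 3"""


def field(text, label):
    """Return the first whitespace-delimited value after 'label:' or None."""
    m = re.search(re.escape(label) + r":\s*(\S+)", text)
    return m.group(1) if m else None


def triage(ev681, ev529, our_domain, known_hosts):
    """Turn the two raw events into facts an analyst can act on."""
    code = int(field(ev681, "error code was"))      # logged as unsigned decimal
    account = field(ev681, "logon to account")
    host = field(ev681, "from Workstation")
    domain = field(ev529, "Domain")
    ltype = int(field(ev529, "Logon Type"))
    return {
        "status": "0x%08X %s" % (code, NTSTATUS.get(code, "UNKNOWN")),
        "machine_account": account.endswith("$"),   # computer accounts end in $
        "logon_type": LOGON_TYPES.get(ltype, "type %d" % ltype),
        "foreign_domain": domain.upper() != our_domain.upper(),
        "unknown_host": host.upper() not in {h.upper() for h in known_hosts},
    }


if __name__ == "__main__":
    # EXAMPLECORP and the host names are constructed placeholders.
    for key, value in triage(EVENT_681, EVENT_529, "EXAMPLECORP", ["PC01", "PC02"]).items():
        print("%-16s %s" % (key, value))
```

The decoded status, no such user, agrees with the "Unknown User Name" text of event 529, and the trailing `$` marks the failing name as a computer account rather than a person's account.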