Re: Mysterious login failures

From: Steven L Umbach (n9rou_at_attbi.com)
Date: 06/25/03


Date: Wed, 25 Jun 2003 03:02:03 GMT


These could possibly just be curious people who see your computer in
Network Places and click it to see if there are any shares available, or
possibly think they are supposed to use your share, etc. When someone does
that, your computer tries to authenticate them and a logon failure shows if
they do not have any account with permissions to resources on your machine.
I would not worry about it unless there are patterns that indicate more than
a few failures from the same user in a short period of time or if you see
someone trying to access the administrator or other accounts that exist on
your machine but are failing because of numerous bad password guesses.
There are also security settings/user rights assignments that can determine
who can access your computer from the network in Local Security Policy.

--- Steve

"Shannon Jacobs" <shanen@my-deja.com> wrote in message
news:u#KP11rODHA.2248@TK2MSFTNGP11.phx.gbl...
> I have a W2KP box in a corporate network. Since enabling the audit log for
> login attempts, I've been seeing a pattern of random failures. It doesn't
> seem to be malicious (most of the time), but I'm curious what it's about.
> There are a number of machines in my section, but only two of them make
> periodic attempts to log into my computer. One of them used to share a
> printer, but that was before he replaced his machine, and I had already
> gotten rid of that printer by that time, and he doesn't have any relevant
> driver installed now, so I can't see any link there. The other one has never
> had any reason to access my computer as far as I know. There are also some
> attempts coming from neighboring sections, and no reason I know of there.
> Most of them are from people I've never heard of.
>
> Yesterday there was a new one, from another person I've never heard of,
> apparently again looking for his personal account on my machine, where it
> has never existed. The event manager entry gives no useful hints, unless
> MICROSOFT_AUTHENTICATION_PACKAGE_V1_0, error code: 3221225572 has some
> ritual significance to someone.
>
> Right now my guess is that these computers have some odd service installed,
> and they are periodically scanning around, including visiting my machine, to
> see if my machine is somehow related to their odd service... How to check
> such a thing?
>
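
Added example, not part of either post: a triage of failed-logon audit records along the lines the reply suggests, separating one-off "no such user" probes from bursts or repeated bad passwords against accounts that exist locally. The error code quoted in the thread, 3221225572, is 0xC0000064 (STATUS_NO_SUCH_USER); the event records, account names, workstation names, window and threshold below are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# NTSTATUS codes as logged (in decimal) with the failure audit entry
STATUS = {0xC0000064: "no such user",     # 3221225572, the code in the thread
          0xC000006A: "wrong password"}   # 3221225578

LOCAL_ACCOUNTS = {"administrator", "shanen"}  # assumed accounts on the audited box
WINDOW = timedelta(minutes=10)                # assumed meaning of "short period"
THRESHOLD = 4                                 # assumed meaning of "more than a few"

# Constructed sample records: (time, account, source workstation, decimal code)
EVENTS = [
    ("2003-06-24 09:12:40", "jdoe", "WS-EAST-07", 3221225572),
    ("2003-06-24 13:55:02", "ksmith", "WS-EAST-11", 3221225572),
    ("2003-06-24 14:01:10", "Administrator", "WS-NORTH-03", 3221225578),
    ("2003-06-24 14:01:31", "Administrator", "WS-NORTH-03", 3221225578),
    ("2003-06-24 14:02:05", "administrator", "WS-NORTH-03", 3221225578),
    ("2003-06-24 14:02:44", "Administrator", "WS-NORTH-03", 3221225578),
    ("2003-06-25 08:30:00", "jdoe", "WS-EAST-07", 3221225572),
]

def max_burst(times):
    """Largest number of failures that fall inside any WINDOW-long span."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > WINDOW:
            start += 1
        best = max(best, end - start + 1)
    return best

def triage(events):
    """Group failures per account (case-insensitive) and mark which to investigate."""
    by_user = defaultdict(list)
    for ts, user, src, code in events:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        by_user[user.lower()].append((when, src, code))
    report = {}
    for user, rows in by_user.items():
        burst = max_burst([r[0] for r in rows])
        bad_pw = sum(1 for r in rows if r[2] == 0xC000006A)
        guessing = user in LOCAL_ACCOUNTS and bad_pw >= THRESHOLD
        report[user] = {"failures": len(rows), "max_in_window": burst,
                        "reasons": sorted({STATUS.get(r[2], hex(r[2])) for r in rows}),
                        "sources": sorted({r[1] for r in rows}),
                        "investigate": burst >= THRESHOLD or guessing}
    return report

if __name__ == "__main__":
    for user, row in triage(EVENTS).items():
        print(user, row)
```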


