Re: Mysterious login failures
From: Steven L Umbach (n9rou_at_nsattbi.com)
Date: 06/28/03
- Previous message: Steven L Umbach: "Re: Access problem"
- In reply to: Al Yankovich: "Re: Mysterious login failures"
Date: Sat, 28 Jun 2003 03:31:22 GMT
Response inline. ---
"Al Yankovich" <weirdwiredw@hotmail.com> wrote in message
news:3037ed3c.0306271732.9b8fd99@posting.google.com...
> "Steven L Umbach" <n9rou@attbi.com> wrote in message
> news:<Lg8Ka.10661$R73.2779@sccrnsc04>...
> > These could possibly just be curious people who see your computer in
> > Network Places and click it to see if there are any shares available, or
> > possibly think they are supposed to use your share, etc. When someone does
> > that, your computer tries to authenticate them and a logon failure shows if
> > they do not have any account with permissions to resources on your machine.
> > I would not worry about it unless there are patterns that indicate more than
> > a few failures from the same user in a short period of time or if you see
> > someone trying to access the administrator or other accounts that exist on
> > your machine but are failing because of numerous bad password guesses.
> > There are also security settings/user rights assignments, that can determine
> > who can access your computer from the network in Local Security Policy. ---
> > Steve
> <snip>
>
It is hard to say what it could be from what you have said so far.
Maybe someone still has your printer as being available to them - ask if you
can view their event logs for errors. One thing to try would be to enable
auditing of process tracking on one of the "probing" computers and making
sure that it was synched to yours as far as time. Then you could examine the
security event log on the "probing" computer and correlate by time the failed
log on events to your computer from that computer to try to see what
executable or service is causing the problem. Of course there could be
thousands of events generated by process tracking.
Another more plausible thing to try would be to put a personal firewall
on your computer that can log traffic. Sygate Pro is good for that and it
can be downloaded and tried for free. You could configure it to "allow" all
traffic, so as not to interfere with your networking, but it still would log
traffic. Then you would have more information about what kind of traffic
those computers are sending you. If you want to create rules, then you could
have much more detailed logs such as packet logs. --- Steve
> I can rule out the "curious people" possibility since I have spoken to
> some of the people whose computers are trying to log into my computer,
> and they are not doing anything of the sort.
>
> That seems to leave two possibilities. One is some kind of normal W2K
> activity that results in failed logins. The main evidence against that
> would be that at least one of the probes is coming from someone in a
> completely different workgroup. If it was normal Windows behavior that
> spans workgroups, it seems I should be receiving probes from all of
> the other workgroups, and that includes far more computers than in my
> own workgroup. However, most of the failed logins (probes?) are coming
> from the small number of computers within my workgroup (but only
> certain ones).
>
> The other possibility is some kind of network worm or virus. If so, it
> is a very low activity one, and in that case it might be something
> that is trying to exploit the locality of corporate networks. For
> example, though I'm not sharing any resources now, in the past I have
> shared a printer, and for that purpose I created some accounts on my
> machine with the names of other users within my workgroup. It might be
> looking for such accounts with the intent to do something more
> insidious with them.
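
Added example, not part of the original thread: one way to apply the triage criteria discussed above (several failures from the same source in a short period, or repeated failures against an account name that exists on the machine) to exported failed-logon records. The record layout, host names, account names, thresholds and the function name `find_suspicious` are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: failed-logon records exported from a Security event log
# as (timestamp, source workstation, account name). All values are invented.
SAMPLE = [
    ("2003-06-27 09:00:05", "WS-ALPHA", "jsmith"),
    ("2003-06-27 13:41:10", "WS-ALPHA", "jsmith"),
    ("2003-06-27 14:02:00", "WS-BRAVO", "Administrator"),
    ("2003-06-27 14:02:03", "WS-BRAVO", "Administrator"),
    ("2003-06-27 14:02:07", "WS-BRAVO", "Administrator"),
    ("2003-06-27 14:02:11", "WS-BRAVO", "Administrator"),
    ("2003-06-27 14:02:40", "WS-BRAVO", "Administrator"),
    ("2003-06-27 16:30:00", "WS-CHARLIE", "mjones"),
]

def find_suspicious(records, local_accounts,
                    window=timedelta(minutes=5), threshold=4):
    """Return {(workstation, account): [reasons]} for patterns worth a look.

    "burst": at least `threshold` failures from one workstation against one
    account inside `window`.
    "local-account": more than one failure against a name that exists on this
    machine, i.e. wrong passwords rather than an unknown user.
    """
    by_key = defaultdict(list)
    for ts, host, account in records:
        by_key[(host, account)].append(
            datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))

    local = {name.lower() for name in local_accounts}
    findings = {}
    for (host, account), times in by_key.items():
        times.sort()
        reasons = []
        start = 0  # left edge of the sliding time window
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                reasons.append("burst")
                break
        if account.lower() in local and len(times) > 1:
            reasons.append("local-account")
        if reasons:
            findings[(host, account)] = reasons
    return findings
```
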