Re: Logon Failure - Where is the culprit IP.

From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 12/02/03


Date: Tue, 2 Dec 2003 07:07:28 -0500

The only way to get the culprit IP is to use a firewall, sniffer or router
logs [possibly with a free syslog client like www.kiwisyslog.com].
www.sygate.com and www.kerio.com are more or less free firewalls. Ethereal
is a free sniffer. You would need to manually try to correlate the IP /
firewall logs with your Windows event logs, or you can use a free tool like
NTSYSLOG to spit both logs into one syslog in real time for easier
correlation.

<IK@PS.com> wrote in message news:#4KueNHuDHA.2440@TK2MSFTNGP12.phx.gbl...
> Hi All,
>
> I am getting 529 errors multiple times a day on different domain
> controllers. How can I find which machine or IP address is the generator
> of it?
> Event Log Details - Event ID 529. Category Logon/Logoff
>
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name: User1
> Domain: Domain1
> Logon Type: 3
> Logon Process: Advapi
> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Workstation Name: DC1
>
> I tried the Network Monitor but could not get anything out of it. I need some
> pointers or help to some documents/procedures/tools or ideas.
>
> Thanks
> IK
>
>
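
Added example, not part of the original posts: one way to do the correlation the reply describes, matching each Event 529 timestamp against firewall connections to the domain controller and ranking source IPs by how many failures they coincide with. Both log formats, all addresses and the function names are constructed assumptions; adapt the parsing to your firewall and event-log export.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
# Constructed sample data (not from the original thread). Formats are assumptions:
# adapt the regex and field positions to what your firewall and event export emit.
FIREWALL_LOG = """\
2003-12-02 07:01:14 ALLOW TCP 10.0.0.57:1042 -> 10.0.0.10:445
2003-12-02 07:01:40 ALLOW TCP 10.0.0.23:1100 -> 10.0.0.10:80
2003-12-02 07:05:02 ALLOW TCP 10.0.0.57:1043 -> 10.0.0.10:445
2003-12-02 07:05:03 ALLOW TCP 10.0.0.88:2210 -> 10.0.0.10:445
2003-12-02 07:09:30 ALLOW TCP 10.0.0.57:1044 -> 10.0.0.10:445
"""
EVENT_LOG = """\
2003-12-02 07:01:15 529 User1 Domain1 3
2003-12-02 07:05:03 529 User1 Domain1 3
2003-12-02 07:09:31 529 User1 Domain1 3
"""
FW_RE = re.compile(r"^(\S+ \S+) \S+ \S+ ([\d.]+):\d+ -> ([\d.]+):(\d+)$")
TS = "%Y-%m-%d %H:%M:%S"

def parse_firewall(text):
    """Yield (time, src_ip, dst_ip, dst_port) for each well-formed line."""
    for line in text.splitlines():
        m = FW_RE.match(line.strip())
        if m:
            yield datetime.strptime(m[1], TS), m[2], m[3], int(m[4])

def parse_failures(text, event_id="529"):
    """Return timestamps of logon-failure events with the given ID."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 3 and f[2] == event_id:
            out.append(datetime.strptime(f"{f[0]} {f[1]}", TS))
    return out

def rank_sources(fw_text, ev_text, dc_ip, window_s=2):
    """Per source IP, count failures that had a connection to dc_ip within
    window_s seconds. A source is counted at most once per failure."""
    conns = [c for c in parse_firewall(fw_text) if c[2] == dc_ip]
    window = timedelta(seconds=window_s)
    hits = Counter()
    for t in parse_failures(ev_text):
        for src in {c[1] for c in conns if abs(c[0] - t) <= window}:
            hits[src] += 1
    return hits.most_common()

if __name__ == "__main__":
    for ip, n in rank_sources(FIREWALL_LOG, EVENT_LOG, "10.0.0.10"):
        print(f"{ip}: near {n} of the failures")
```

The window has to cover any clock difference between the firewall and the domain controller, so check that both are time-synchronized before trusting a narrow window.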


