RE: How do I tell if an attack is from an internal or external source
From: Christopher McGill (ChristopherMcGill_at_discussions.microsoft.com)
Date: 04/01/05
Date: Thu, 31 Mar 2005 15:35:02 -0800
Are they always trying to hit the same point? I would run a sniffer and capture
what they are actually trying to achieve: are they running exploit code,
password grinding? I would for the minute try to isolate the target if
possible as much as possible, and remove or encrypt any vital information from
it. You need to determine who is trying to do it and from where. Also, you
should be implementing endpoint security in your VPNs. Look at Check Point
SecureClient and ZA Integrity.
"Steve Everington" wrote:
> Hello
>
> I have been getting a series of (a few hundred) failed login attempts in the
> early hours of the morning (a series of 529 & 681 login failure security
> events). The 529 entry has a login type of 3, which I believe is a
> network login and the workstation name is the server's name.
>
> Is there a way of telling whether the events are being caused by attempted
> logins on my VPN or by a trojan/virus running on my server or some other
> source?
>
> Thanks
>
> Steve Everington
>
>
>