Re: What is VPNz?

From: "Danny Sanders" <DSanders@xxxxxxxxxxxxxxx>
Date: Wed, 24 Jan 2007 15:27:16 -0700

Sounds like someone is using a script to try to log onto your servers using
a clear text password.
They were denied.

Be wary of a logon type 8 that succeeds.

Is the username a good username on your domain?
If so, how did they get it, if it is a hack?
If it is good, check with the user to see if they have some sort of script
running with their username and (a bad) password that would cause this.
Maybe they changed their password on the domain but not in the script.

hth
DDS

"Dan Getz" <DanGetz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:BC1FDBF2-983C-46E6-B62A-4702B500E6C8@xxxxxxxxxxxxxxxx

I'm investigating a hacking attempt on our Windows 2003 server. We had 56
bad attempts to guess a user's password. Below is the detail of the
attempt
with the identifiable information removed:

Logon Failure:
Reason: Unknown user name or bad password
User Name: user@xxxxxxxxxxx
Domain: OUR_DOMAIN
Logon Type: 8
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: AUB04
Caller User Name: OUR_SERVER$
Caller Domain: OUR_DOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 8224
Transited Services: -
Source Network Address: XXX.XXX.XXX.XXX
Source Port: 1224

Looking up port 1224, it appears to be something called VPNz... what is
VPNz
and what should I do about it? The password has already been changed.

Thanks,
Dan

Prev by Date: for noah: highly terrific news - izya - (1/1)
Next by Date: Re: "User cannot change password" will not stay checked
Previous by thread: for noah: highly terrific news - izya - (1/1)
Next by thread: Re: What is VPNz?
Index(es):
- Date
- Thread

Relevant Pages

Re: Event ID 539 & 529 in large numbers - from what?
... Part of what I meant though, is that <username> could be the name of a user or the name of a machine, when a machine is connecting to the server to get group policies, for example. ... Both the username and the workstation name are legitimate user/workstation on the network. ... Logon Failure: ... Caller User Name: - ...
(microsoft.public.windows.server.sbs)
Re: Log students on - Same computers each week - Different usernames
... If it takes half a lesson for a user to log in using their username ... Automating the Enterprise ... So to execute a script, ... I resolved my logon issue with tweakui. ...
(microsoft.public.scripting.vbscript)
Re: Users last logon info from logon script
... I put this line in the users logon script: ... If I run the script manually, it shows the last logon time. ... I guess it is because Windows update the lastlogon attribute once a user ... Then, for each Domain Controller, ADO is used to search the ...
(microsoft.public.security)
Re: slow logon
... in the logon time have been reduced so far. ... update the time for the clients that talk to the dc as the logon server. ... start up script in AD to apply updates to the clients machines which is ...
(microsoft.public.windows.server.active_directory)
Logon Script Causing Laptops To Hang - Problems in script?
... I'm using the following script to map drives, ... functions when users logon to our domain. ... 'Disconnects Drives This assures everyone has the same drive mappings. ... objNetwork.MapNetworkDrive strTrainDrv, strPath ...
(microsoft.public.scripting.vbscript)