Re: Failed audits on administrative accounts
From: Dmitrii S. Zakharov [MSFT] (dmitriiz_at_online.microsoft.com)
Date: 04/24/04
- Previous message: Jonathan Maltz [MS-MVP]: "Re: Product Support Services - MALICIOUS ACTIVITY RELATING TO MS04-011"
- In reply to: Marc: "Failed audits on administrative accounts"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 23 Apr 2004 16:29:09 -0700
127.0.0.1 is a well-known IP for localhost
(i.e. the source is the same machine)
"Marc" <Marc@nospam.com> wrote in message
news:eBaKw0GKEHA.2692@tk2msftngp13.phx.gbl...
> Hi
>
> I have been seeing failed audits on Administrative accounts, Account
> lockouts and success audits by the Administrator account in areas of the
> system where the Administrators have no access (Executive Folders). The
> source computers listed in the event logs are the servers themselves but
> the IP Address listed is 127.0.0.1 for all the servers and NOT the server's
> actual IP Address.
>
> Has someone remotely hacked into the system?
>
> Regards
>
> Logon Failure:
>
> Reason: Unknown user name or bad password
>
> User Name: srvs1
>
> Domain: CO_NAME
>
> Logon Type: 2
>
> Logon Process: User32
>
> Authentication Package: Negotiate
>
> Workstation Name: DC1
>
> Caller User Name: DC1$
>
> Caller Domain: CO_DOMAIN
>
> Caller Logon ID: (0x0,0x3E7)
>
> Caller Process ID: 552
>
> Transited Services: -
>
> Source Network Address: 127.0.0.1
>
> Source Port: 0
>
>
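A triage sketch for the event quoted above, added here as an example and not part of the original thread: it parses the "Field: value" lines of a logon-failure record and reports whether the attempt originated on the machine itself. The function names and the sample record (constructed from the fields in the post) are assumptions; the logon-type numbers and the 0x3E7 LocalSystem logon ID are the standard Windows values.

```python
import ipaddress
import re

# Standard Windows logon type numbers (subset).
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 10: "RemoteInteractive"}
SYSTEM_LOGON_ID = "(0x0,0x3E7)"  # logon session of the LocalSystem account

# Constructed sample: fields from the quoted event, mail quoting left intact.
SAMPLE = """\
> Reason: Unknown user name or bad password
> User Name: srvs1
> Logon Type: 2
> Logon Process: User32
> Workstation Name: DC1
> Caller User Name: DC1$
> Caller Logon ID: (0x0,0x3E7)
> Source Network Address: 127.0.0.1
> Source Port: 0
"""

def parse_event(text):
    """Return {field: value} from 'Field: value' lines, ignoring '>' quoting."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^[>\s]*([^:]+?):\s*(.*?)\s*$", line)
        if m and m.group(2):
            fields[m.group(1)] = m.group(2)
    return fields

def classify(fields):
    """Summarise where a failed logon came from, using only the event's fields."""
    addr = fields.get("Source Network Address", "-")
    try:
        loopback = ipaddress.ip_address(addr).is_loopback
    except ValueError:  # "-" or empty: no network address was recorded
        loopback = None
    ltype = int(fields.get("Logon Type", 0))
    workstation = fields.get("Workstation Name", "").upper()
    caller = fields.get("Caller User Name", "").rstrip("$").upper()
    return {
        "logon_type": LOGON_TYPES.get(ltype, f"Unknown({ltype})"),
        "loopback_source": loopback,
        "caller_is_system": fields.get("Caller Logon ID") == SYSTEM_LOGON_ID,
        # Machine account name minus '$' equal to the workstation: same host.
        "caller_is_same_host": bool(caller) and caller == workstation,
    }

if __name__ == "__main__":
    print(classify(parse_event(SAMPLE)))
```

A loopback source with an interactive logon type says the attempt was made on the server itself; it does not by itself identify which process or person supplied the bad credentials.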