Re: Suspicious Logon

From: Tim Springston [MSFT] (tspring_at_online.microsoft.com)
Date: 08/25/04


Date: Wed, 25 Aug 2004 12:20:58 -0500

Hi Johnathan-

The event was probably a user accessing a file via IIS to this remote
machine.

Logon type 3 (Network logon) is generally for file and print access
across the network. ADVAPI is an API call to LogonUser, so the thought is
that the domain member server named SERVER$ was the source of the event,
trying to authenticate using the credential of "webmaster3". Laura is right
to ask if SERVER$ runs IIS, since IIS commonly uses ADVAPI.

You can verify that it was in fact the IIS on SERVER$ by running TLIST.EXE,
or using TASKMGR.EXE's Processes tab and adding the PID (Process ID) column
to associate the PID from your event below (1760) with that specific process.

This may not be a problem if your web page(s) on that server are there on
purpose or are doing tasks that they should be doing. If I wanted to drill
down into this, though, I would look over my IIS configuration on that machine,
SERVER$, verify the PID is not suspicious, and that there are no trojans on
it. Anti-virus is a good start, but you can further examine the machine's
settings and general health by using MPS Reports (link below) and reviewing
the outputs it generates:

http://www.microsoft.com/downloads/details.aspx?FamilyId=CEBF3C7C-7CA5-408F-88B7-F9C79B7306C0&displaylang=en

(I suggest using the Directory Services version of MPS Reports).

Please repost if this doesn't help, or you have any follow up questions.

-- 
Tim Springston
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.
"Johnathan" <johnsameurope@yahoo.com.au> wrote in message 
news:41252593@quokka.wn.com.au...
> Yes, but here 'tis again (below) - is that what you mean?  Oh, and yes, the
> server does use IIS.  It is still happening too!
>
> Thanks,
>
> Johnathan.
>
>>>       Source    Event ID   Last Occurrence        Total Occurrences
>>>       Security  529        11/08/2004 12:24 AM    32 *
>>>
>>>
>>>       Logon Failure:
>>>         Reason: Unknown user name or bad password
>>>         User Name: webmaster3
>>>         Domain:
>>>         Logon Type: 3
>>>         Logon Process: Advapi
>>>         Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>>>         Workstation Name: SERVER
>>>         Caller User Name: SERVER$
>>>         Caller Domain: INTERNAL
>>>         Caller Logon ID: (0x0,0x3E7)
>>>         Caller Process ID: 1760
>>>         Transited Services: -
>>>         Source Network Address: -
>>>         Source Port: -
>
>
>
> "Laura A. Robinson [MVP]" <geekwench@hotmail.com.snip.this> wrote in message
> news:MPG.1b8ec87ba41b1b9498968e@nn.bloomberg.com...
>> In article <uzwAeJVhEHA.2952@TK2MSFTNGP09.phx.gbl>,
>> tspring@online.microsoft.com says...
>> > Hi Johnathan-
>> >
>> > What were the events you see?  Can you post the descriptions of them,
>> > removing any environment specific things like machine name?
>> >
>> > Also, does this server use IIS?
>> >
>> He posted the event at the bottom of his original post. :-)
>>
>> Laura
>
> 
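The check Tim describes above (tie the Caller Process ID 1760 back to a running process and decide whether the 529s are IIS doing what it should) as an added PowerShell example; this is not code from the original thread, from Microsoft, or from either poster. It parses the event text as posted (embedded here as a constructed sample) into an object, resolves the caller PID through WMI/CIM, and shows the same filter run over the live Security log. It assumes Windows PowerShell 5.1 running on the server that logged the event (Get-EventLog is not present in PowerShell 7); the function names are my own. Two caveats a practitioner would add: the PID lookup is only meaningful while the failures are still recurring, because PIDs are reused once a process exits, and the Caller Logon ID (0x0,0x3E7) is the well-known LocalSystem session, so the LogonUser call came from something running as SYSTEM on SERVER (consistent with an IIS service or a scheduled task, but equally with any other SYSTEM process). On Windows Vista and later the equivalent event is 4625, whose message uses different field labels, so the regex labels below would need adjusting there.

```powershell
# Added example (not from the original thread): parse a pre-Vista Security
# event 529 ("Logon Failure") and resolve its Caller Process ID against the
# process list, the job TLIST.EXE / Task Manager's PID column does by hand.
# Assumes Windows PowerShell 5.1 on the server that logged the event.

# Constructed sample: the event text exactly as posted in the thread.
$sampleMessage = @'
Logon Failure:
  Reason: Unknown user name or bad password
  User Name: webmaster3
  Domain:
  Logon Type: 3
  Logon Process: Advapi
  Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  Workstation Name: SERVER
  Caller User Name: SERVER$
  Caller Domain: INTERNAL
  Caller Logon ID: (0x0,0x3E7)
  Caller Process ID: 1760
  Transited Services: -
  Source Network Address: -
  Source Port: -
'@

function ConvertFrom-LogonFailureText {
    # Turn the "Label: value" lines of a 529 message into one object.
    param([Parameter(Mandatory)][string]$Message)

    $fields = @{}
    foreach ($line in $Message -split "`r?`n") {
        if ($line -match '^\s*([^:]+?):\s*(.*)$') {
            $fields[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    [pscustomobject]@{
        UserName        = $fields['User Name']
        LogonType       = [int]$fields['Logon Type']        # 3 = network logon
        LogonProcess    = $fields['Logon Process']          # Advapi = LogonUser caller
        CallerUserName  = $fields['Caller User Name']
        CallerLogonId   = $fields['Caller Logon ID']
        CallerProcessId = [int]$fields['Caller Process ID']
        SourceAddress   = $fields['Source Network Address']
        # (0x0,0x3E7) is the well-known logon ID of the LocalSystem session,
        # so the LogonUser call came from a process running as SYSTEM.
        CallerIsLocalSystem = ($fields['Caller Logon ID'] -eq '(0x0,0x3E7)')
    }
}

function Resolve-CallerProcess {
    # Map the Caller Process ID to a live process. Only meaningful while the
    # failures are still happening: PIDs are reused after a process exits.
    param([Parameter(Mandatory)][int]$ProcessId)

    $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId" -ErrorAction SilentlyContinue
    if (-not $proc) {
        return "PID $ProcessId is not running now (exited or PID reused since the event)."
    }
    $owner  = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProcessId   = $proc.ProcessId
        Name        = $proc.Name              # IIS shows up as inetinfo.exe or w3wp.exe
        Path        = $proc.ExecutablePath    # check it is where IIS is installed
        CommandLine = $proc.CommandLine
        Owner       = "$($owner.Domain)\$($owner.User)"
        Parent      = if ($parent) { $parent.Name } else { '<gone>' }
    }
}

# 1. Parse the posted event and look at the fields singled out in the reply.
$evt = ConvertFrom-LogonFailureText -Message $sampleMessage
$evt | Format-List

# 2. Resolve the caller PID while the failures are still recurring.
Resolve-CallerProcess -ProcessId $evt.CallerProcessId

# 3. Same filter over the live Security log: recent 529s that are network
#    logons via Advapi, grouped by failing account and calling PID, so a
#    single process hammering one account stands out.
Get-EventLog -LogName Security -EntryType FailureAudit -Newest 500 |
    Where-Object { $_.EventID -eq 529 } |
    ForEach-Object { ConvertFrom-LogonFailureText -Message $_.Message } |
    Where-Object { $_.LogonType -eq 3 -and $_.LogonProcess -eq 'Advapi' } |
    Group-Object UserName, CallerProcessId |
    Select-Object Count, Name
```

If step 2 returns an IIS worker process whose path and owner look right, the remaining question is why that site keeps presenting "webmaster3" with a bad password (a stale anonymous-access or application-pool credential is the usual cause); if it returns something that is not IIS, or a PID that no longer exists while the failures keep coming, that is the point at which the trojan check in the reply above becomes the priority.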
