Re: Attempted hacking from machines not in my domain
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 05/13/05
- Previous message: Steven L Umbach: "Re: Delegate permission to restart a service?"
- In reply to: Chris L: "Attempted hacking from machines not in my domain"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 12 May 2005 20:36:52 -0500
It could possibly be unauthorized computers on your network and they may be
firewalled to be prevented from being pinged or showing in Network Places.
Using netlogon logging could check for that possibility in case they are
trying to access computers in your domain. More than likely it is someone
attempting to access your IIS server and it may help to enable auditing of
logon events on those servers to see what the security logs show. The IIS
logs or your firewall logs may help in finding the culprits if you correlate
those logs to the times of the account logon failures. If the IPs are found
you could create specific firewall rules to block their access from those
IPs.

--- Steve
"Chris L" <socalcl2003@yahoo.com> wrote in message
news:Xns96539DDE9D711socalcl2003yahoocom@140.99.99.130...
> I'm seeing some hacking attempts and other mysterious login failures on
> my domain controller from machines that do not appear on my domain.
>
>
> 5/9/2005 3:50:55 PM Security Success Audit Account Management
> 644 NT AUTHORITY\SYSTEM SANDC "User Account Locked Out:
> Target Account Name: Administrator
> Target Account ID: TECH\Administrator
> Caller Machine Name: ADMIN-D1C8RJEOH
> Caller User Name: SANDC$
> Caller Domain: TECH
> Caller Logon ID: (0x0,0x3E7)
>
> At the same time the hacking is occurring, I can't ping that workstation.
> Also, on a daily basis other mystery workstations show up in the security
> log as well trying to login as either "administrator" or "guest".
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Account Logon
> Event ID: 680
> Date: 5/11/2005
> Time: 11:29:10 AM
> User: NT AUTHORITY\SYSTEM
> Computer: SANDC
> Description:
> Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Logon account: Guest
> Source Workstation: TAMESHA-Q06Q7LW
> Error Code: 0xC0000234
>
>
> A few things... yes I have a firewall, no netbios isn't open to any
> server behind the firewall. I can duplicate the error messages by trying
> to hit one of my IIS servers that require authentication and providing
> the incorrect credentials.
>
> Now, since the workstation name is useless, is there any way to get the IP
> address from the domain controller? I have sniffer logs from both netmon
> and Iris traffic analyzer, but I can't locate any of the entries where
> the above messages would be sent to the domain controller. I think the
> 680 messages are sent encrypted across the wire.
>
>
> Thanks for any advice...
>
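Steve's suggestion is to correlate the IIS (or firewall) logs against the times of the Event ID 680 failures on the DC, since the 680 record carries only a workstation name and no IP. The script below is an added example, not code from either poster: it assumes the security log was exported as tab-separated lines and that the IIS server writes W3C extended logs (which are in UTC, so the DC's local time is shifted by the -0500 offset seen in this thread's headers); all sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Event ID 680 failures exported from the DC's security log, tab-separated
# (local timestamp, type, category, event id, logon account, source workstation, error code).
SECURITY_LOG = """\
5/11/2005 11:29:10 AM\tFailure Audit\tAccount Logon\t680\tGuest\tTAMESHA-Q06Q7LW\t0xC0000234
5/11/2005 11:29:12 AM\tFailure Audit\tAccount Logon\t680\tAdministrator\tADMIN-D1C8RJEOH\t0xC000006A
5/11/2005 11:45:00 AM\tFailure Audit\tAccount Logon\t680\tGuest\tTAMESHA-Q06Q7LW\t0xC0000234
"""

# Constructed sample: IIS W3C extended log from the server that demands authentication.
# W3C logs are written in UTC, so the DC's local timestamps must be shifted before comparing.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2005-05-11 16:29:09 203.0.113.45 GET /secure/ 401
2005-05-11 16:29:11 203.0.113.45 GET /secure/ 401
2005-05-11 16:31:00 198.51.100.7 GET /index.htm 200
"""

def parse_680_events(text):
    """Yield (local_time, account, workstation, error_code) for each Event ID 680 line."""
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 7 or fields[3] != "680":
            continue
        stamp = datetime.strptime(fields[0], "%m/%d/%Y %I:%M:%S %p")
        yield stamp, fields[4], fields[5], fields[6]

def parse_iis_401s(text):
    """Yield (utc_time, client_ip, uri) for each IIS request answered with 401."""
    for line in text.splitlines():
        if line.startswith("#") or not line.strip():
            continue
        date, clock, ip, _method, uri, status = line.split()[:6]
        if status == "401":
            yield datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"), ip, uri

def correlate(sec_text, iis_text, utc_offset_hours, window_seconds=5):
    """Map each failing (workstation, account) pair to the client IPs whose 401 responses
    fall within window_seconds of the DC's logon failure. Pairs with no IIS match are omitted."""
    shift = timedelta(hours=utc_offset_hours)
    window = timedelta(seconds=window_seconds)
    hits = list(parse_iis_401s(iis_text))
    suspects = defaultdict(set)
    for local_ts, account, workstation, _code in parse_680_events(sec_text):
        utc_ts = local_ts - shift  # local -0500 means adding five hours to reach UTC
        for ts, ip, _uri in hits:
            if abs(ts - utc_ts) <= window:
                suspects[(workstation, account)].add(ip)
    return dict(suspects)
```

Clock skew between the DC and the IIS host widens the window you need, so check both machines against the same time source before trusting a tight correlation.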