tom12ga
asked on
Is this an attack or is it just some buggy software? And how do I find out what it is?
I checked our server (Windows 2003 Small Business Server) security event logs and found quite a few failure audits that have been going on for a while (I don't know how long because I just got here). Every few hours some "system" process tries to log in on various ports.
Here's a typical entry (the only difference is that it only shows one port, so I added the ports mentioned for the next several entries).
Logon Failure:
Reason: An error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Status code: 0xC0000133
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.3.1.115
Source Port: 0
Source Port: 2279
Source Port: 2278
Source Port: 2277
Source Port: 2276
Source Port: 2273
The "Source Network Address" is not on any computer that I can find but may be coming through our firewall from the providers of the database application that serves the various chemists who work here. I just wanted to see what you all think before I make a fool of myself with the provider. Anyone know what this might be?
Thanks for any help
ASKER
Yes, the numbers on the network are in the private range, however, the 10.10.10.115 is out of the other 10 computers (which are numbered up to about .18). I will check around - but please be patient about my leaving this open. I don't go back until next Tuesday. After I check it out I will assign the credit. (I believe mdiglio is right on the money and that this will turn out to be effects of the database applications running inside the lab.)
1) click this link "go.microsoft.com/fwlink/e
2) Use the TRACERT 10.3.1.115 command to see where the strange IP is from, if possible.
Please let us know the results.
regards,
bbao
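A triage sketch for entries like the one quoted in the question, added here as an example and not posted by anyone in the thread: it parses exported logon-failure text, decodes the NTSTATUS value (0xC0000133 is STATUS_TIME_DIFFERENCE_AT_DC, the Kerberos clock-skew failure) and counts failures per source address. The sample text is constructed from the question's field layout, trimmed to the fields used; the 192.0.2.10 / labuser entry is invented for contrast.

```python
import re
from collections import Counter

# NTSTATUS values commonly seen in logon-failure audits (names from ntstatus.h).
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC",  # client/DC clocks too far apart
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Constructed sample: the question's layout, trimmed to the fields used below.
# The third entry (192.0.2.10, labuser) is invented for contrast.
SAMPLE = """\
Logon Failure:
User Name:
Status code: 0xC0000133
Source Network Address: 10.3.1.115
Logon Failure:
User Name:
Status code: 0xC0000133
Source Network Address: 10.3.1.115
Logon Failure:
User Name: labuser
Status code: 0xC000006A
Source Network Address: 192.0.2.10
"""

def parse_entries(text):
    """Split exported event text into one {field: value} dict per entry."""
    entries = []
    for block in re.split(r"(?m)^Logon Failure:[ \t]*$", text)[1:]:
        pairs = (line.partition(":") for line in block.splitlines())
        entries.append({k.strip(): v.strip() for k, sep, v in pairs if sep})
    return entries

def summarize(entries):
    """Count failures per (source address, decoded status, user or '<blank>')."""
    counts = Counter()
    for e in entries:
        code = int(e.get("Status code", "0x0"), 16)
        counts[(e.get("Source Network Address", "-"),
                NTSTATUS.get(code, hex(code)),
                e.get("User Name") or "<blank>")] += 1
    return counts

if __name__ == "__main__":
    for (src, status, user), n in summarize(parse_entries(SAMPLE)).most_common():
        print(f"{n:3d}  {src:15s} {user:10s} {status}")
```

Repeated blank-user failures from one address that all decode to a clock-skew status point toward a host with a wrong clock, whereas wrong-password or unknown-user statuses against named accounts are what password guessing looks like.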