• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 311
  • Last Modified:

Failure Audit Suspicious Login

Hello Everyone,

Recently on our network our Security Event Logs have been documenting unusual login attempts on our network. For example, the most recent logon attempt was last evening with the login credentials:

User Name: MAIL$
Domain: VIVALIGHTING
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: MAIL

There are several issues with this logon information. First, we do not have a domain entitled VIVALIGHTING, or a username of MAIL$. Secondly, we have no workstation titled MAIL.

In the past we've had bogus usernames such as SUPERPUMPER2000$ attempting to login as well!

This is all the information the event report is giving us. My initial thought was someone attempting to come inbound on a Wireless Network. But, we have no wireless network so this is not possible. Is there any type of software that could be tripping this? It seems to me that this is a malicious attempt. We are well secured so I'm wondering if a workstation downloaded & executed some type of software.
0
ChrisH3
Asked:
ChrisH3
1 Solution
 
KVR_SolutionsCommented:
Is there a common time when all of these attempts are happening? If so, use ethereal and watch the traffic to see which machine it occurs from. Typically if it's an outside attack you'll see the IP address that it originated from (or at least claimed to originate from).
0
 
darrenakinCommented:
It is a malicious attempt, Dig a little deeper in your event ID log, it should give you the source IP address. For starters you can go deny these IP's, it will also give you an idea from looking at the IP if it is a local attack or not. Please take KVR's advice and monitor with ethereal, very powerful program to monitor traffic.
0
 
rpone605Commented:
you may also want to setup snort so you can go further into the analysis and capture the traffic.
0
 
caddladyCommented:
What OS are you running and is it fully patched?
0
 
btassureCommented:
What is your domain? And external IP address?

If someone else has set up their DNS for a live domain incorrectly it could be forwarding logon requests to your DC instead of theirs

e.g.

you have domain.com with some ports available to the internet

joepublic has set up domain.com on his internal network, not realising that his DNS server is sending the request to a root server instead of replying with the internal address of his DC.
client tries to logon but DNS gives him the ip of YOUR domain as the DC and the logon request ends up on your server.
0

Featured Post

Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now