ChrisH3
Failure Audit Suspicious Login

Hello Everyone,

Recently on our network our Security Event Logs have been documenting unusual login attempts on our network. For example, the most recent logon attempt was last evening with the login credentials:

User Name: MAIL$
Domain: VIVALIGHTING
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: MAIL

There are several issues with this logon information. First, we do not have a domain entitled VIVALIGHTING, or a username of MAIL$. Secondly, we have no workstation titled MAIL.

In the past we've had bogus usernames such as SUPERPUMPER2000$ attempting to log in as well!

This is all the information the event report is giving us. My initial thought was someone attempting to come inbound on a Wireless Network. But, we have no wireless network so this is not possible. Is there any type of software that could be tripping this? It seems to me that this is a malicious attempt. We are well secured so I'm wondering if a workstation downloaded & executed some type of software.
KVR_Solutions

Is there a common time when all of these attempts are happening? If so, use Ethereal and watch the traffic to see which machine it occurs from. Typically if it's an outside attack you'll see the IP address that it originated from (or at least claimed to originate from).
darrenakin

It is a malicious attempt. Dig a little deeper in your event ID log; it should give you the source IP address. For starters you can go deny these IPs; it will also give you an idea, from looking at the IP, whether it is a local attack or not. Please take KVR's advice and monitor with Ethereal, a very powerful program to monitor traffic.
You may also want to set up Snort so you can go further into the analysis and capture the traffic.
What OS are you running and is it fully patched?
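As an added illustration of the advice above to dig deeper into the event log (this is example code written for this page, not code from anyone in the thread), the following Python script parses failure-audit message bodies in the key/value layout quoted in the question, flags records whose account name ends in $ (the convention for a computer account), whose domain or workstation name is not in the known inventory, and whose Logon Type is 3 (a network logon rather than a console session), then groups the flagged attempts by workstation, claimed domain and source address. The inventory sets and every record except the first are constructed for the example; the first record reproduces the one quoted in the question, and the Source Network Address field is assumed to be present only where the OS records it.

```python
import re
from collections import Counter

# Inventory of what legitimately exists on this network (constructed for the example;
# in practice these would come from Active Directory or an asset list).
KNOWN_DOMAINS = {"CORP"}
KNOWN_WORKSTATIONS = {"WS01", "WS02", "FILESRV"}

# The record quoted in the question, in the classic Event Viewer message-body layout.
QUESTION_EVENT = """Logon Failure:
  Reason: Unknown user name or bad password
  User Name: MAIL$
  Domain: VIVALIGHTING
  Logon Type: 3
  Logon Process: NtLmSsp
  Authentication Package: NTLM
  Workstation Name: MAIL"""

# Constructed sample: the question's record seen twice, a made-up SUPERPUMPER2000$
# attempt (with an assumed Source Network Address in the documentation range), and a
# routine bad-password attempt by a real user at a known workstation as a control.
SAMPLE_EVENTS = [
    QUESTION_EVENT,
    QUESTION_EVENT,
    """Logon Failure:
  Reason: Unknown user name or bad password
  User Name: SUPERPUMPER2000$
  Domain: WORKGROUP
  Logon Type: 3
  Logon Process: NtLmSsp
  Authentication Package: NTLM
  Workstation Name: SUPERPUMPER2000
  Source Network Address: 192.0.2.77""",
    """Logon Failure:
  Reason: Unknown user name or bad password
  User Name: jsmith
  Domain: CORP
  Logon Type: 2
  Logon Process: User32
  Authentication Package: Negotiate
  Workstation Name: WS01""",
]

# One "Key: value" pair per line; keys are words separated by spaces.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$", re.MULTILINE)


def parse_event(body):
    """Turn a message body into a dict of its fields; fields absent from the body stay absent."""
    return {key.strip(): value.strip() for key, value in FIELD_RE.findall(body)}


def triage(fields):
    """List the reasons a failed logon deserves attention; an empty list means it looks routine."""
    reasons = []
    user = fields.get("User Name", "")
    domain = fields.get("Domain", "")
    workstation = fields.get("Workstation Name", "")
    if user.endswith("$"):
        # A trailing $ is the naming convention for a computer account, not a person.
        reasons.append("computer account " + user)
    if domain and domain.upper() not in KNOWN_DOMAINS:
        reasons.append("unknown domain " + domain)
    if workstation and workstation.upper() not in KNOWN_WORKSTATIONS:
        reasons.append("unknown workstation " + workstation)
    if reasons and fields.get("Logon Type") == "3":
        # Type 3 is a network logon: the request arrived over the wire, not at a console.
        reasons.append("network logon (type 3) via " + fields.get("Authentication Package", "?"))
    return reasons


def summarize(bodies):
    """Count suspicious attempts per (workstation, claimed domain, source address)."""
    counts = Counter()
    reasons = {}
    for body in bodies:
        fields = parse_event(body)
        why = triage(fields)
        if not why:
            continue
        key = (fields.get("Workstation Name", "?"),
               fields.get("Domain", "?"),
               fields.get("Source Network Address", "not recorded"))
        counts[key] += 1
        reasons[key] = why
    return counts, reasons


if __name__ == "__main__":
    counts, reasons = summarize(SAMPLE_EVENTS)
    for (workstation, domain, source), n in counts.most_common():
        print(f"{n}x  workstation={workstation}  domain={domain}  source={source}")
        for r in reasons[(workstation, domain, source)]:
            print("     -", r)
```

Run against the constructed sample, the script reports two attempts from MAIL claiming domain VIVALIGHTING with no source address recorded, and one from SUPERPUMPER2000 with a source address that can be checked against the local subnet; the jsmith record is left out as routine. Where the OS does not record a source address, the grouping by workstation name is what to carry over to a packet capture to find the machine behind it.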
ASKER CERTIFIED SOLUTION
btassure