Solved

Failure Audit Suspicious Login

Posted on 2006-11-22
5
303 Views
Last Modified: 2013-12-07
Hello Everyone,

Recently on our network our Security Event Logs have been documenting unusual login attempts on our network. For example, the most recent logon attempt was last evening with the login credentials:

User Name: MAIL$
Domain: VIVALIGHTING
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: MAIL

There are several issues with this logon information. First, we do not have a domain entitled VIVALIGHTING, or a username of MAIL$. Secondly, we have no workstation titled MAIL.

In the past we've had bogus usernames such as SUPERPUMPER2000$ attempting to login as well!

This is all the information the event report is giving us. My initial thought was someone attempting to come inbound on a Wireless Network. But, we have no wireless network so this is not possible. Is there any type of software that could be tripping this? It seems to me that this is a malicious attempt. We are well secured so I'm wondering if a workstation downloaded & executed some type of software.
0
Comment
Question by:ChrisH3
5 Comments
 
LVL 3

Expert Comment

by:KVR_Solutions
ID: 17996768
Is there a common time when all of these attempts are happening? If so, use ethereal and watch the traffic to see which machine it occurs from. Typically if it's an outside attack you'll see the IP address that it originated from (or at least claimed to originate from).
0
 
LVL 5

Expert Comment

by:darrenakin
ID: 17996823
It is a malicious attempt, Dig a little deeper in your event ID log, it should give you the source IP address. For starters you can go deny these IP's, it will also give you an idea from looking at the IP if it is a local attack or not. Please take KVR's advice and monitor with ethereal, very powerful program to monitor traffic.
0
 
LVL 1

Expert Comment

by:rpone605
ID: 17996964
you may also want to setup snort so you can go further into the analysis and capture the traffic.
0
 
LVL 8

Expert Comment

by:caddlady
ID: 18000201
What OS are you running and is it fully patched?
0
 
LVL 16

Accepted Solution

by:
btassure earned 500 total points
ID: 18003009
What is your domain? And external IP address?

If someone else has set up their DNS for a live domain incorrectly it could be forwarding logon requests to your DC instead of theirs

e.g.

you have domain.com with some ports available to the internet

joepublic has set up domain.com on his internal network, not realising that his DNS server is sending the request to a root server instead of replying with the internal address of his DC.
client tries to logon but DNS gives him the ip of YOUR domain as the DC and the logon request ends up on your server.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Even if you have implemented a Mobile Device Management solution company wide, it is a good idea to make sure you are taking into account all of the major risks to your electronic protected health information (ePHI).
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question