Failure Audit Suspicious Login

Posted on 2006-11-22
Medium Priority
Last Modified: 2013-12-07
Hello Everyone,

Recently on our network our Security Event Logs have been documenting unusual login attempts on our network. For example, the most recent logon attempt was last evening with the login credentials:

User Name: MAIL$
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: MAIL

There are several issues with this logon information. First, we do not have a domain entitled VIVALIGHTING, or a username of MAIL$. Secondly, we have no workstation titled MAIL.

In the past we've had bogus usernames such as SUPERPUMPER2000$ attempting to login as well!

This is all the information the event report is giving us. My initial thought was someone attempting to come inbound on a Wireless Network. But, we have no wireless network so this is not possible. Is there any type of software that could be tripping this? It seems to me that this is a malicious attempt. We are well secured so I'm wondering if a workstation downloaded & executed some type of software.
Question by:ChrisH3

Expert Comment

ID: 17996768
Is there a common time when all of these attempts are happening? If so, use ethereal and watch the traffic to see which machine it occurs from. Typically if it's an outside attack you'll see the IP address that it originated from (or at least claimed to originate from).

Expert Comment

ID: 17996823
It is a malicious attempt, Dig a little deeper in your event ID log, it should give you the source IP address. For starters you can go deny these IP's, it will also give you an idea from looking at the IP if it is a local attack or not. Please take KVR's advice and monitor with ethereal, very powerful program to monitor traffic.

Expert Comment

ID: 17996964
you may also want to setup snort so you can go further into the analysis and capture the traffic.

Expert Comment

ID: 18000201
What OS are you running and is it fully patched?
LVL 16

Accepted Solution

btassure earned 2000 total points
ID: 18003009
What is your domain? And external IP address?

If someone else has set up their DNS for a live domain incorrectly it could be forwarding logon requests to your DC instead of theirs


you have domain.com with some ports available to the internet

joepublic has set up domain.com on his internal network, not realising that his DNS server is sending the request to a root server instead of replying with the internal address of his DC.
client tries to logon but DNS gives him the ip of YOUR domain as the DC and the logon request ends up on your server.

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
This article will show you step-by-step instructions to build your own NTP CentOS server.  The network diagram shows the best practice to setup the NTP server farm for redundancy.  This article also serves as your NTP server documentation.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

586 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question