Solved

Failure Audit Suspicious Login

Posted on 2006-11-22
5
307 Views
Last Modified: 2013-12-07
Hello Everyone,

Recently on our network our Security Event Logs have been documenting unusual login attempts on our network. For example, the most recent logon attempt was last evening with the login credentials:

User Name: MAIL$
Domain: VIVALIGHTING
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: MAIL

There are several issues with this logon information. First, we do not have a domain entitled VIVALIGHTING, or a username of MAIL$. Secondly, we have no workstation titled MAIL.

In the past we've had bogus usernames such as SUPERPUMPER2000$ attempting to login as well!

This is all the information the event report is giving us. My initial thought was someone attempting to come inbound on a Wireless Network. But, we have no wireless network so this is not possible. Is there any type of software that could be tripping this? It seems to me that this is a malicious attempt. We are well secured so I'm wondering if a workstation downloaded & executed some type of software.
0
Comment
Question by:ChrisH3
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 3

Expert Comment

by:KVR_Solutions
ID: 17996768
Is there a common time when all of these attempts are happening? If so, use ethereal and watch the traffic to see which machine it occurs from. Typically if it's an outside attack you'll see the IP address that it originated from (or at least claimed to originate from).
0
 
LVL 5

Expert Comment

by:darrenakin
ID: 17996823
It is a malicious attempt, Dig a little deeper in your event ID log, it should give you the source IP address. For starters you can go deny these IP's, it will also give you an idea from looking at the IP if it is a local attack or not. Please take KVR's advice and monitor with ethereal, very powerful program to monitor traffic.
0
 
LVL 1

Expert Comment

by:rpone605
ID: 17996964
you may also want to setup snort so you can go further into the analysis and capture the traffic.
0
 
LVL 8

Expert Comment

by:caddlady
ID: 18000201
What OS are you running and is it fully patched?
0
 
LVL 16

Accepted Solution

by:
btassure earned 500 total points
ID: 18003009
What is your domain? And external IP address?

If someone else has set up their DNS for a live domain incorrectly it could be forwarding logon requests to your DC instead of theirs

e.g.

you have domain.com with some ports available to the internet

joepublic has set up domain.com on his internal network, not realising that his DNS server is sending the request to a root server instead of replying with the internal address of his DC.
client tries to logon but DNS gives him the ip of YOUR domain as the DC and the logon request ends up on your server.
0

Featured Post

Enroll in June's Course of the Month

June’s Course of the Month is now available! Experts Exchange’s Premium Members, Team Accounts, and Qualified Experts have access to a complimentary course each month as part of their membership—an extra way to sharpen your skills and increase training.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Even if you have implemented a Mobile Device Management solution company wide, it is a good idea to make sure you are taking into account all of the major risks to your electronic protected health information (ePHI).
I had an issue with InstallShield not being able to use Computer Browser service on Windows Server 2012. Here is the solution I found.
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question