?
Solved

Failure Audit Suspicious Login

Posted on 2006-11-22
5
Medium Priority
?
308 Views
Last Modified: 2013-12-07
Hello Everyone,

Recently on our network our Security Event Logs have been documenting unusual login attempts on our network. For example, the most recent logon attempt was last evening with the login credentials:

User Name: MAIL$
Domain: VIVALIGHTING
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: MAIL

There are several issues with this logon information. First, we do not have a domain entitled VIVALIGHTING, or a username of MAIL$. Secondly, we have no workstation titled MAIL.

In the past we've had bogus usernames such as SUPERPUMPER2000$ attempting to login as well!

This is all the information the event report is giving us. My initial thought was someone attempting to come inbound on a Wireless Network. But, we have no wireless network so this is not possible. Is there any type of software that could be tripping this? It seems to me that this is a malicious attempt. We are well secured so I'm wondering if a workstation downloaded & executed some type of software.
0
Comment
Question by:ChrisH3
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 3

Expert Comment

by:KVR_Solutions
ID: 17996768
Is there a common time when all of these attempts are happening? If so, use ethereal and watch the traffic to see which machine it occurs from. Typically if it's an outside attack you'll see the IP address that it originated from (or at least claimed to originate from).
0
 
LVL 5

Expert Comment

by:darrenakin
ID: 17996823
It is a malicious attempt, Dig a little deeper in your event ID log, it should give you the source IP address. For starters you can go deny these IP's, it will also give you an idea from looking at the IP if it is a local attack or not. Please take KVR's advice and monitor with ethereal, very powerful program to monitor traffic.
0
 
LVL 1

Expert Comment

by:rpone605
ID: 17996964
you may also want to setup snort so you can go further into the analysis and capture the traffic.
0
 
LVL 8

Expert Comment

by:caddlady
ID: 18000201
What OS are you running and is it fully patched?
0
 
LVL 16

Accepted Solution

by:
btassure earned 2000 total points
ID: 18003009
What is your domain? And external IP address?

If someone else has set up their DNS for a live domain incorrectly it could be forwarding logon requests to your DC instead of theirs

e.g.

you have domain.com with some ports available to the internet

joepublic has set up domain.com on his internal network, not realising that his DNS server is sending the request to a root server instead of replying with the internal address of his DC.
client tries to logon but DNS gives him the ip of YOUR domain as the DC and the logon request ends up on your server.
0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
When you try to share a printer , you may receive one of the following error messages. Error message when you use the Add Printer Wizard to share a printer: Windows could not share your printer. Operation could not be completed (Error 0x000006…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question