On Mon, Feb 24, 2003 at 01:27:54PM +1300, Harry Hoffman wrote:
>We have just set up ntsyslog from sourceforge.net. Our security policy is to
>log events on failure and we have just started seeing the below events.
>After talking with the users we are pretty sure that they are not
>attempting to access the services. And they don't have accounts on that
>system.
[...]
>Feb 22 13:27:49 exchange.auckland.ac.nz/exchange.auckland.ac.nz
>security[failure] 681 NT AUTHORITY\SYSTEM The logon to account: USERNAME by:
>MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: G731-220-4 failed. The
>error code was: 3221225572
>Feb 22 13:27:49 exchange.auckland.ac.nz/exchange.auckland.ac.nz
>security[failure] 681 NT AUTHORITY\SYSTEM The logon to account: USERNAME by:
>MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: G731-220-4 failed. The
>error code was: 3221225572

Hi Harry,

Although I don't exactly know the details about the NT Authentication
process, the following document might help to answer your question.

https://www.sans.org/rr/win2000/audit_w2k.php
Auditing the Windows 2000 Authentication Process
Julio Silveira, April 1, 2001

Good luck,

Jacco Tunnissen

--
http://www.honeypots.net/
Honeypot & IDS Resources