Ana,

I have noted you received several good responses to your initial query (see below) that you sent out late March. If your MS network is in fact open to the internet without some level of screening, those suggestions are likely bang on. However, if your network is screened and the MS aspects are not directly exposed, I might suggest one other possible (perhaps less malicious) source for your noted login attempts. I have noted, with interest, similar aspects on my own network (which I should say is heavily screened, and MS traffic is dropped at the firewalls...).

In addition, I am not sure of the architecture of your network and whether it is a pure MS/NT environment or whether there are other "aspects" that are "MS compatible" but not true MS products. SAN appliances and Linux/Unix boxes running Samba (or the similar Sun PC NetLink) have a tendency to continually hammer away at the PDC using a list of all users (past and current) that have logged into those boxes/servers. It usually shows up in the logs as attempts every second or few seconds, depending on the number of installs/appliances, the number of users, and various other factors. They generally show up as failures in all cases.

Initially, I thought this was a security issue, so I did some digging tracking down the traffic. I found it was a SAN appliance I was using for offline storage. I went to task with the manufacturer of the SAN appliance. The device was continually hammering away at our PDC with a wide list of old and current users, with each one failing. The manufacturer's tech acknowledged the issue as an aspect of the version of Uni*/Linu* they were running, along with the Samba tool that made it plug-and-play in an MS environment. Obviously, I have since removed the box (it had a number of issues in addition to this one...), but I have seen very similar traffic with both Linux/Samba and Solaris/PC NetLink installs on my network.
Not sure if any of these devices/OSs/tools are on your network, but this may give you one other source to check out. HTH.

Russell

-----Original Message-----
From: A. Naveira [mailto:anaveiraat_private]
Sent: Monday, March 31, 2003 3:37 PM
To: incidentsat_private
Cc: intrusionsat_private
Subject: Logon/Logoff Failure Events

I recently implemented the account lockout policy on my NT4 PDC (all my clients authenticate to this server) and encountered the following events in my security event log:

1. User accounts continue to get locked (Event 539)
2. Expired-password accounts continue trying to log in to the network (Event 535)
3. Accounts restricted to specific workstations are trying to log in to unidentified workstations that I can't seem to ID on my network (Event 533), AND
4. Bad password attempts on existing accounts from unidentified workstations that I can't seem to ID on my network (Event 529)

These events seem quite unsettling, as I see MULTIPLE failed attempts per second (more than humanly possible). Could this be an automated process (token authentication) that NT is running to authenticate services, apps, or other processes, or, as I expect, could it be a script trying to guess user passwords? Has anyone encountered this previously in NT4 with benign sources?

Ana
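The thread above describes two sources of "more than humanly possible" logon failures on an NT4 PDC that look alike at first glance: a Samba or PC NetLink host replaying its whole user list against the PDC (every account, once per pass, all failing) and a script guessing passwords (one or two accounts, hit over and over). The following is an added example, not code from either poster, that triages a dump of events 529/533/535/539 by the workstation name NT records in the event. It assumes a constructed, tab-separated export (date/time, event ID, user, workstation) that is only a stand-in for whatever your log export tool produces; the sample data and the classification thresholds are assumptions, and the labels are a triage aid, not proof. As Russell did, confirm by capturing the traffic at the suspect host.

```python
"""Triage NT4 security-log logon failures by source workstation.

Added example, not from the original thread. Reads a constructed,
tab-separated dump (fields are an assumption, not a real export format)
and groups failure events by the workstation name NT logged, so that an
even sweep across many accounts from one host (the Samba/PC NetLink
replay pattern) can be told apart from one host hammering a single
account (more like password guessing).
"""
from collections import Counter, defaultdict
from datetime import datetime

# Event IDs from the original question and what NT4 records them as.
EVENT_NAMES = {
    529: "logon failure: unknown user name or bad password",
    533: "logon failure: user not allowed to log on at this computer",
    535: "logon failure: password expired",
    539: "logon failure: account locked out",
}

# Constructed sample dump (not real data): date time<TAB>event<TAB>user<TAB>workstation.
# NASBOX1 cycles through five accounts twice (assumed appliance replay),
# WKS-0F3A hits one account repeatedly, JDOE-PC is a single typo.
SAMPLE_LOG = """\
03/31/2003 15:30:01\t529\tjdoe\tNASBOX1
03/31/2003 15:30:02\t535\tmsmith\tNASBOX1
03/31/2003 15:30:03\t529\tolduser1\tNASBOX1
03/31/2003 15:30:04\t533\tbrown\tNASBOX1
03/31/2003 15:30:05\t539\tjones\tNASBOX1
03/31/2003 15:30:06\t529\tjdoe\tNASBOX1
03/31/2003 15:30:07\t535\tmsmith\tNASBOX1
03/31/2003 15:30:08\t529\tolduser1\tNASBOX1
03/31/2003 15:30:09\t533\tbrown\tNASBOX1
03/31/2003 15:30:10\t539\tjones\tNASBOX1
03/31/2003 15:30:10\t529\tadministrator\tWKS-0F3A
03/31/2003 15:30:10\t529\tadministrator\tWKS-0F3A
03/31/2003 15:30:10\t529\tadministrator\tWKS-0F3A
03/31/2003 15:30:11\t529\tadministrator\tWKS-0F3A
03/31/2003 15:30:11\t539\tadministrator\tWKS-0F3A
03/31/2003 15:30:40\t529\tjdoe\tJDOE-PC
"""


def parse_events(text):
    """Return a list of (timestamp, event_id, user, workstation) tuples,
    keeping only the four failure events under discussion."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, user, wks = line.split("\t")
        eid = int(eid)
        if eid not in EVENT_NAMES:
            continue
        stamp = datetime.strptime(ts, "%m/%d/%Y %H:%M:%S")
        events.append((stamp, eid, user.lower(), wks.upper()))
    return events


def classify(count, distinct_users, max_per_user, min_events=5):
    """Heuristic label for one source host. Thresholds are assumptions."""
    if count < min_events:
        return "low volume"
    if distinct_users <= 2:
        # one or two accounts taking all the failures: guessing-like
        return "few accounts hammered (possible password guessing)"
    if max_per_user <= 2 * count / distinct_users:
        # each account fails about as often as every other: a list replay
        return "even sweep across many accounts (check for Samba/PC NetLink replay)"
    return "mixed (investigate)"


def summarize_by_source(events):
    """Per workstation: total failures, distinct accounts, the busiest
    single second, which event IDs appeared, and the triage label."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    summary = {}
    for wks, evs in by_src.items():
        per_user = Counter(e[2] for e in evs)
        per_second = Counter(e[0] for e in evs)
        summary[wks] = {
            "count": len(evs),
            "distinct_users": len(per_user),
            "max_per_user": max(per_user.values()),
            "peak_per_second": max(per_second.values()),
            "event_ids": sorted({e[1] for e in evs}),
            "label": classify(len(evs), len(per_user), max(per_user.values())),
        }
    return summary


if __name__ == "__main__":
    for wks, info in sorted(summarize_by_source(parse_events(SAMPLE_LOG)).items()):
        ids = ", ".join(f"{i} ({EVENT_NAMES[i]})" for i in info["event_ids"])
        print(f"{wks}: {info['count']} failures, {info['distinct_users']} accounts, "
              f"peak {info['peak_per_second']}/s, events {ids} -> {info['label']}")
```

The workstation name is whatever the client put in the session setup, so an appliance may show up under a NetBIOS name you do not recognise; that is the "unidentified workstation" in the original question, and resolving it (WINS, or simply watching which IP sends the SMB traffic at the PDC) is the next step either way.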
This archive was generated by hypermail 2b30 : Thu Apr 03 2003 - 17:20:23 PST