RE: Am I seeing an attempted security breach?


From: Massimo Piceni (m.piceni_at_newsgroup.nospam)
Date: 01/17/05


Date: Mon, 17 Jan 2005 03:39:06 -0800

Hi Daren,

Sounds more like a service or scheduled task that's trying to do something
with bad credentials. Check if there are scheduled tasks at 13:30. Also check
if you have any service that starts with specific user credentials rather
than with the system account.
You can also take a look at which process is the one indicated by Caller Process
ID (but you need to do it at 13:33, or you'll get a bad indication). You can
monitor process creation/deletion with PMon
(http://www.sysinternals.com/ntw2k/freeware/pmon.shtml).

Hope this will be useful.

Massimo.

"Daren Addison" wrote:

> I have posted below the event that concerns me.
> I have this message logged daily over the past week (as far back as I have
> checked so far). The strange thing is that the time stamp is identical
> every day, at 13:33.
>
>
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name: <myname>
> Domain: <domain name>
> Logon Type: 4
> Logon Process: Advapi
> Authentication Package: Negotiate
> Workstation Name: <sbs server>
> Caller User Name: <server name$>
> Caller Domain: <domain name>
> Caller Logon ID: (0x0,0x3E7)
> Caller Process ID: 1292
> Transited Services: -
> Source Network Address: -
> Source Port: -
>
> Any advice would be welcomed.
>
> Running SBS2003 std. Using Intelligent Gateway 1800 office portal, which has
> built in firewall. Using NAT config.
> Server has 2 NICs.
>
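
The triage suggested in this reply, as an added example that is not part of the original thread: it reads the event fields Daren posted, interprets logon type 4 and the SYSTEM caller logon ID, and checks whether failures recur at the same time of day. The function names are hypothetical and the dates in the sample timestamps are constructed.

```python
import re
from collections import Counter

# Windows logon type codes as shown in Security log logon events.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch (scheduled task)",
               5: "Service", 7: "Unlock", 10: "RemoteInteractive"}
SYSTEM_LOGON_ID = "(0x0,0x3E7)"  # logon session of the local SYSTEM account

def parse_event(text):
    """Turn the 'Field: value' lines of an event description into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def triage(fields):
    """Return notes that help tell a local misconfiguration from a remote attempt."""
    notes = []
    ltype = int(fields.get("Logon Type", 0))
    notes.append("logon type %d = %s" % (ltype, LOGON_TYPES.get(ltype, "unknown")))
    if fields.get("Caller Logon ID", "").upper() == SYSTEM_LOGON_ID.upper():
        notes.append("caller runs as SYSTEM on this machine")
    if fields.get("Source Network Address", "-") == "-":
        notes.append("no source network address recorded")
    if ltype in (4, 5):
        notes.append("check scheduled tasks and services using stored credentials for "
                     + fields.get("User Name", "?"))
    return notes

def recurring_times(timestamps, min_days=3):
    """Return HH:MM values seen on at least min_days distinct dates."""
    days = Counter(t.split()[1] for t in set(timestamps))
    return sorted(t for t, n in days.items() if n >= min_days)

# Constructed sample: fields from the posted event, plus made-up dates.
SAMPLE_EVENT = """Logon Failure:
User Name: <myname>
Logon Type: 4
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1292
Source Network Address: -"""
SAMPLE_TIMES = ["2005-01-14 13:33", "2005-01-15 13:33", "2005-01-16 13:33", "2005-01-16 09:02"]

if __name__ == "__main__":
    print(triage(parse_event(SAMPLE_EVENT)), recurring_times(SAMPLE_TIMES))
```

A failure that repeats at one fixed minute, with a batch logon type and a SYSTEM caller, points at a stored credential on the server itself, which is why the Caller Process ID has to be looked up while the process is still running.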


