Bad login alerts

From: "Sasha" <news@xxxxxxxxxx>
Date: Thu, 16 Aug 2007 19:27:23 +0100

Hi all
If someone tries an ussuccesful RDP attempt on server much helpful info is
recorded, especially IP address.
Seeing some login alerts of the below where limited info is recorded.. Its
this NtLMSsp logon process

Logon Failure:
Reason: Unknown user name or bad password
User Name: DOC-MAIL$
Domain: DOC
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: DOC-MAIL
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -

Username / Domain and workstation name have no relation to site where server
recorded this.

I thought it maybe an RWW attempt but this gives:-
Logon Failure:
Reason: Unknown user name or bad password
User Name: aaaaaaaaa
Domain: SERVER
Logon Type: 3
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: SERVER
Caller User Name: IUSR_SERVER

TIA, have a great day / night depending wherever you are... ;-)

.

Follow-Ups:
- RE: Bad login alerts
  - From: Robert Li [MSFT]

Prev by Date: Re: Enterprise CA
Next by Date: Re: "SMTP instance FQDN does not match DNS resolved server name"
Previous by thread: Re: migrating native network to sbs 2003
Next by thread: RE: Bad login alerts
Index(es):
- Date
- Thread

Relevant Pages

Re: ISA SERVER NOT STARTING
... I delete the nat/basic firewall and stop and started the RRAS an tried to ... There were no critical events in the DNS Server Log in the last 24 hours. ... An error occurred during logon ... Caller User Name: - ...
(microsoft.public.windows.server.sbs)
Re: Event ID 529
... First is a hardware firewall that sits on the perimeter of your network and requires that your users give user names and passwords, different from those for the network. ... Sometimes the Logon Type is different, also the User Name can be ... Computer: <SERVER NAME> ... Caller User Name: $ ...
(microsoft.public.windows.server.sbs)
Re: Another security question/issue.
... Time to audit your server and workstations with AV, Malware, and installed ... Logon Process: Advapi ... Caller User Name: servername$ ... Source Port: - ...
(microsoft.public.windows.server.sbs)
Re: Logon 529 Errors
... connection has been found on the black list, my DNS server ... Connection filtering is different from what inna is attempting, ... These are almost surely SMTP logon attempts, ... Caller User Name: DELLSERVER$ ...
(microsoft.public.windows.server.sbs)
Re: Logon 529 Errors
... Default SMTP Virtual Server properties-Access tab-Relay ... Connection filtering is different from what inna is attempting, ... These are almost surely SMTP logon attempts, ... Caller User Name: DELLSERVER$ ...
(microsoft.public.windows.server.sbs)