Multiple logon attempts?

[Dirty_Sanchez]

Hey everyone Im new to all this security buisness so this question may seem kinda obvious to the expert. I was recently lookin at the event viewer and noticed alot of failed audits about a logon. Here is an example

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 4/10/2003
Time: 1:01:37 AM
User: NT AUTHORITY\SYSTEM
Computer: My-System
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: admin
Domain: CARRIE
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: CARRIE

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Is the domain name "carrie" a remote computer or a website maybe??

Im not exactly sure what the hell all this is, but it worried me, so i though i would ask some people who know what they are looking at

thanks fer the help.

[MrLinus]

It's probably the machine that attempted to connect to you. You should have a firewall in place so that they can't even attempt this.

BTW, can you change your sig? It's doing weird things to the post.

[SirDice]

Originally posted here by Dirty_Sanchez
Is the domain name "carrie" a remote computer or a website maybe??

Someone hooked up a workstation called CARRIE on your network.
This same person is trying to logon locally on that machine using the account admin.

Try and find this workstation and you know who it is.

Use a LART if it's a regular workstation on your network. The user that's using it is trying to get in (probably to install something you don't want on your network).

[Dirty_Sanchez]

Ok I Installed a firewall Im using "zone alarm", Is this good?
Would another be beter? And also how could I find out who was behind the logon attempts?
Is there a tool I could use to "track " them down? And ask them "kindly" to stop? -or-
Is there a way i could "teach" them a lesson?
I researched "LART", I could only see a Linux Version, This would do me no good since I am using window$.
Is there even a windows LART?

Thanks again

P.S. I removed my sig sorry bout that



-Dirty_Sanchez-

[Trust_Not_123]

im just guessing here cause LART is only for linux... does the L in LART stand for Linux?? hehe, check it out for me :P

[bballad]

Originally posted here by Dirty_Sanchez
I researched "LART", I could only see a Linux Version, This would do me no good since I am using window$.
Is there even a windows LART?

Thanks again

P.S. I removed my sig sorry bout that



-Dirty_Sanchez-

LART's predate windows and *nix and are platform independent...
(L)user (A)ttitude (R)eadjustment (T)ool.

Is there a fellow monk in here?

[SirDice]

I researched "LART", I could only see a Linux Version, This would do me no good since I am using window$.

im just guessing here cause LART is only for linux... does the L in LART stand for Linux?? hehe, check it out for me :P

LOL. Now this is funny Sorry about that. Didn't think ppl wouldn't know.

bballad is quite right. It stands for Luser Attitude Readjustment Tool and it's definitely platform independant.

Look it up at http://www.dict.org

[bballad]

I prefer a 2x4 with rusty nails driven through personaly..and watch the dict links it may lead people to the monastery

as for the original question I doubt it was a malicious attach as the domain and the system had the same name see more like a user screw up...do you have any one in your company named Carrie they would probably be the culprit… if not do you have a WAP..if so secure it you are broadcasting further then you think.