
Thread: Window Event Log Question

  1. #1

    Window Event Log Question

    Can anyone give me some info on the W2k event log below. I'm having a hard time tracking down info about it. I know WHAT it is and why it happens, but I can't figure out what's causing it. This is from our domain controller. We see things like it every now and then, but cannot track it.
    Here's a few specific questions I have about it:
    1. What exactly causes this event?
    2. Is there a way to track such events?
    3. Where did the "Caller Machine Name" come from? It is ±è¿µÀÏ
    4. You can not see it here, but the font in this event was different from the rest. Is there a reason for that?

    Event Type: Success Audit
    Event Source: Security
    Event Category: Account Management
    Event ID: 644
    Date: 7/13/2004
    Time: 12:16:10 AM
    User: NT AUTHORITY\SYSTEM
    Computer: DCNAME
    Description:
    User Account Locked Out:
    Target Account Name: Administrator
    Target Account ID: CORP\Administrator
    Caller Machine Name: ±è¿µÀÏ
    Caller User Name: DCNAME$
    Caller Domain: CORP
    Caller Logon ID: (0x0,0x3E7)

  2. #2
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    Following my Googling (http://www.antionline.com/showthread...hreadid=259648)

    A user tried too many times with the wrong password to access your domain administrator login and the account got locked out!
    -Simon "SDK"

  3. #3
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    One possible explanation for the funny characters would be a workstation that uses a different character set (i.e. a Chinese/Taiwanese Windows).

    Is this server accessible from the Internet?
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    Senior Member
    Join Date
    Jun 2004
    Posts
    460

    Re: Window Event Log Question


    1. What exactly causes this event?
    as stated before, too many incorrect passwords will cause the account to lock out, blocking a hacking attempt

    2. Is there a way to track such events?
    Event log is tracking it -- if you mean, send you an e-mail or something, try using SNMP - you can set up a "trap" that will e-mail or call your pager or send a message to your computer if you are running a client

    3. Where did the "Caller Machine Name" come from? It is ±è¿µÀÏ
    caller machine name is the name of the remote machine -- most likely virus infected and in a different country - using some type of oriental character set

    4. You can not see it here, but the font in this event was different from the rest. Is there a reason for that?
    it could be one of 3 different reasons....
    1) different character set with the machine name causing your event log to act differently
    2) event log is setup so that certain events get different fonts due to severity
    3) windows is being stupid and it is a bug
    find / -name "*your_base*" -exec chown us:us {} \; Trust No One. Use Hardened Gentoo
    CATAPULTAM HABEO. NISI PECUNIAM OMNEM MIHI DABIS, AD CAPUT TUUM SAXUM IMMANE MITTAM

  5. #5
    You guys rock. Thanks for the info.

    That makes sense about the remote machine using a diff char set.

    When I said how can I track these I meant... How can I find out where this hit came from. Win event logs are dumb, they don't give an IP address or anything that is useful for tracking.

    This controller is accessible from a DMZ with VPN clients on it. Not the setup I'd choose, but hey, I'm not running the show.

  6. #6
    Senior Member
    Join Date
    Jun 2004
    Posts
    460
    How can I find out where this hit came from. Win event logs are dumb, they don't give an IP address or anything that is useful for tracking.
    if you go further back in the event log you should start to see failures in the security auditing for login... ex:

    and should look something like this:

    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: NT AUTHORITY\SYSTEM
    Domain: DCNAME
    Logon Type: 10
    Logon Process: User32
    Authentication Package: Negotiate
    Workstation Name: DCNAME
    Caller Machine Name: ±è¿µÀÏ
    Caller User Name: DCNAME$
    Caller Domain: CORP
    Caller Logon ID: (0x0,0x3E7)
    Transited Services: -
    Source Network Address: [this is the ip address you are looking for]
    Source Port: 1851


    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

  7. #7
    Yeah, I see that field there, however on Win2k Server there is never an ip address there. On Windows Server 2003 it captures the ip address.

    Is there a way to enable that? I may be missing something here. I would love to capture ip addresses for events.
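    As an added example (not code from the thread), assuming the security log has been exported as text with one "Key: Value" field per line and a blank line between events: a small Python script that correlates a 644 lockout with the earlier 529 logon failures for the same account as post #6 describes, falls back to Workstation Name when Source Network Address is "-" as post #7 observes on Win2k, and re-reads the Latin-1-rendered caller name under CP949 (the assumption being that the name is Korean/EUC-KR). The sample log and function names are constructed for this example.

```python
import re
FIELD = re.compile(r"^([A-Za-z ]+): ?(.*)$")
# Constructed Win2k log sample (not the poster's); 529 = logon failure, 644 = lockout; values are placeholders.
SAMPLE_LOG = """\
Event ID: 529
User Name: Administrator
Source Network Address: 10.0.0.1

Event ID: 529
User Name: Administrator
Workstation Name: WS-PLACEHOLDER
Source Network Address: -

Event ID: 644
Target Account Name: Administrator
Caller Machine Name: ±è¿µÀÏ
"""

def parse_events(text):
    """Split blank-line-separated events into dicts of 'Key: Value' fields."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        ev = dict(m.groups() for m in (FIELD.match(l.strip()) for l in chunk.splitlines()) if m)
        if "Event ID" in ev:
            ev["Event ID"] = int(ev["Event ID"])
            events.append(ev)
    return events

def failure_source(ev):
    """Prefer Source Network Address; Win2k often leaves it '-', so fall back to Workstation Name."""
    addr = ev.get("Source Network Address", "-")
    return addr if addr != "-" else "workstation:" + ev.get("Workstation Name", "?")

def lockout_sources(events):
    """For each 644 lockout, list where the earlier 529 failures for that account came from."""
    hits = []
    for i, ev in enumerate(events):
        if ev["Event ID"] == 644:
            target = ev.get("Target Account Name")
            srcs = {failure_source(e) for e in events[:i]
                    if e["Event ID"] == 529 and e.get("User Name") == target}
            hits.append({"target": target, "caller": ev.get("Caller Machine Name"), "sources": sorted(srcs)})
    return hits

def decode_caller_name(garbled, codec="cp949"):
    """Re-read a Latin-1-rendered name under an East Asian codec (CP949/EUC-KR is assumed)."""
    try:
        return garbled.encode("latin-1").decode(codec)
    except UnicodeError:
        return garbled  # bytes are not valid in that codec; leave the name as shown
```

    Running it on a real export, the "sources" list is the set of addresses or workstation names to look up in the VPN or firewall logs around the lockout time.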

  8. #8
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Check your firewall/VPN logs around the same time and look for weird connections.

  9. #9
    Here's the thing with checking the firewall though.

    It was not logged on the firewall because it made it through. Due to log size we are only logging failures.

    Checking the VPN logs yields what time users log on and off. At any given time there are hundreds of users logged on. We have no capabilities to log traffic that they generate. I guess I could look for the computer name that made the attempt, that should give an IP address. Let me try that.

    And for the record I do know how to fix this problem. An IDS would be a great help in tracking this traffic. I'm a f'n Cisco Certified Security Professional and I know how to use Cisco IDS (obviously) and I've tried to talk the company into purchasing the system, but they said it's too expensive, blah, blah... Ok, off topic, I'm just venting...

  10. #10
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Ahh. Cisco's IDS is indeed expensive.

    You may want to checkout Snort.
    You can run it on a Linux, *BSD or Windows machine.

    It's a great, inexpensive NIDS that's even better than some of the commercial ones.
