Unusual logfile activity on 2000 server

  1. #1
    Senior Member
    Join Date
    Mar 2003
    Posts
    372

    Unusual logfile activity on 2000 server

    OK, I'll be the first to admit that I don't know Windows logs all that well, nor do I completely understand IIS users. So here is the setup and the strangeness that I am seeing.

    I have two RSA ACE servers running on my network, both of them are Windows 2000 and configured in the exact same way. I also have two SNA boxes that are running on my network, both of them are also Windows 2000 and both of them are configured in the same way.

    Well lately in my replica ACE box (backup server) I have been seeing the two SNA boxes attempting to connect with a disabled IIS user account. I have /no/ idea why they are doing this and no one else here can figure it out. Here is a sanitized log example of what I'm seeing.

    Code:
    SEC,6/15/2005,12:32:28,Security,531,Failure,Logon/Logoff ,NT AUTHORITY\SYSTEM,BACKUP-ACE,Logon Failure:^`   Reason:         Account currently disabled^`        User Name:      IUSR_BACKUPSNA1^`       Domain:         BACKUP-ACE^`        Logon Type:     3^`     Logon Process:      IIS     ^`      Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0^`         Workstation Name:       BACKUP-ACE

    SEC,6/15/2005,11:46:18,Security,531,Failure,Logon/Logoff ,NT AUTHORITY\SYSTEM,BACKUP-ACE,Logon Failure:^`   Reason:         Account currently disabled^`        User Name:      IUSR_PRIMARYSNA1^`       Domain:         BACKUP-ACE^`        Logon Type:     3^`     Logon Process:      IIS     ^`      Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0^`         Workstation Name:       BACKUP-ACE
    This type of activity is only seen on my backup ACE server and not the primary. The user accounts that are listed do /not/ exist either in IIS or on the server, and it is my understanding that the name that is used, "IUSR_PRIMARYSNA1", is created from the NetBIOS name of where the IIS user is attempting to come from... is that correct? Why is Windows reporting this as a disabled user account instead of the standard "bad username/password"? Does anyone have a thought as to why the SNA boxes are trying to log in to this server via IIS?

    These SNA servers, and the ACE servers, exist in a private frame network, so I'm not too concerned about a compromise on them... besides, Snort hasn't seen anything of interest happening on that network in ages.

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.
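    A small triage script, added here as an example and not part of either post, that parses the event-log dump format shown above (comma-separated header fields, then the event description with "^`" as the line separator) and groups logon failures by event ID, reason, user name and logon process. The sample lines are constructed to match the format of the post's two events, plus one constructed 529 event for contrast; the event-ID meanings are the documented Windows 2000 logon-failure IDs.

```python
import re
from collections import Counter

# Constructed sample, modelled on the dump format in the post above.
# The third line (event 529) is constructed for contrast and is not from the post.
SAMPLE_LOG = r"""SEC,6/15/2005,12:32:28,Security,531,Failure,Logon/Logoff ,NT AUTHORITY\SYSTEM,BACKUP-ACE,Logon Failure:^`   Reason:         Account currently disabled^`        User Name:      IUSR_BACKUPSNA1^`       Domain:         BACKUP-ACE^`        Logon Type:     3^`     Logon Process:      IIS     ^`      Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0^`         Workstation Name:       BACKUP-ACE
SEC,6/15/2005,11:46:18,Security,531,Failure,Logon/Logoff ,NT AUTHORITY\SYSTEM,BACKUP-ACE,Logon Failure:^`   Reason:         Account currently disabled^`        User Name:      IUSR_PRIMARYSNA1^`       Domain:         BACKUP-ACE^`        Logon Type:     3^`     Logon Process:      IIS     ^`      Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0^`         Workstation Name:       BACKUP-ACE
SEC,6/15/2005,09:05:41,Security,529,Failure,Logon/Logoff ,NT AUTHORITY\SYSTEM,BACKUP-ACE,Logon Failure:^`   Reason:         Unknown user name or bad password^`        User Name:      jdoe^`       Domain:         BACKUP-ACE^`        Logon Type:     2^`     Logon Process:      User32  ^`      Authentication Package: Negotiate^`         Workstation Name:       BACKUP-ACE
"""

# Windows 2000 / 2003 logon-failure event IDs (Security log, category Logon/Logoff).
LOGON_FAILURE_IDS = {
    529: "Unknown user name or bad password",
    530: "Logon time restriction violation",
    531: "Account currently disabled",
    532: "Account has expired",
    533: "User not allowed to log on at this computer",
    534: "Logon type not granted",
    535: "Password has expired",
    537: "Unexpected error during logon",
    539: "Account locked out",
}

# Fixed header columns of the dump, in order; everything after them is the description.
HEADER_FIELDS = ("source", "date", "time", "log", "event_id", "type",
                 "category", "user", "computer")
DESC_SEPARATOR = "^`"
KV_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_event(line):
    """Parse one dumped event into a dict; returns None if the line is malformed."""
    parts = line.rstrip("\n").split(",", len(HEADER_FIELDS))
    if len(parts) != len(HEADER_FIELDS) + 1:
        return None
    event = dict(zip(HEADER_FIELDS, (p.strip() for p in parts[:-1])))
    event["event_id"] = int(event["event_id"])
    chunks = parts[-1].split(DESC_SEPARATOR)
    event["message"] = chunks[0].strip()          # e.g. "Logon Failure:"
    details = {}
    for chunk in chunks[1:]:                      # "Key:   Value" pairs
        match = KV_RE.match(chunk)
        if match:
            details[match.group(1).strip()] = match.group(2)
    event["details"] = details
    return event


def summarize_failures(text):
    """Count Failure events by (event id, reason, user name, logon process)."""
    counts = Counter()
    for line in text.splitlines():
        event = parse_event(line) if line.strip() else None
        if event is None or event["type"] != "Failure":
            continue
        d = event["details"]
        key = (event["event_id"], d.get("Reason", ""),
               d.get("User Name", ""), d.get("Logon Process", ""))
        counts[key] += 1
    return counts


def iusr_disabled_failures(text):
    """Distinct IUSR_* names that failed a logon through IIS because the account
    is disabled (event 531): the exact pattern reported in the post."""
    names = set()
    for line in text.splitlines():
        event = parse_event(line) if line.strip() else None
        if event and event["event_id"] == 531 \
                and event["details"].get("Logon Process") == "IIS":
            user = event["details"].get("User Name", "")
            if user.upper().startswith("IUSR_"):
                names.add(user)
    return sorted(names)


if __name__ == "__main__":
    for (event_id, reason, user, process), n in summarize_failures(SAMPLE_LOG).items():
        meaning = LOGON_FAILURE_IDS.get(event_id, "unknown event id")
        print(f"{n:3d}  {event_id} ({meaning})  user={user!r}  via={process!r}  reason={reason!r}")
    print("IUSR accounts failing as disabled via IIS:", iusr_disabled_failures(SAMPLE_LOG))
```

    The grouping makes the post's question concrete: Windows writes event 529 when the name does not resolve to an account or the password is wrong, and 531 only when the name did resolve to an account that is disabled, so a steady stream of 531 for an IUSR_ name is worth checking against the local SAM and the IIS anonymous-user settings on the box named in "Workstation Name".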

  2. #2
    MURACU (AO Guinness Monster)
    Join Date
    Jan 2004
    Location
    paris
    Posts
    1,003
    The only thing I can think of is that you may have a web application that tries to use the SNA servers to retrieve data. I can't be sure, as it has been a couple of years since I used SNA in a production environment. Here is a link to the page on Microsoft that discusses using SNA to connect to DB2 applications:
    microsoft SNA source

    Microsoft Back Office components IIS, SNA Server and StarQuest's StarSQL connect a Web server to an IBM host for publishing dynamic data on a browser client.

    The result is a Web server that can combine static web pages with dynamic data from the company's corporate DB2 database. For example, the Web page of an air freight company might get HTML pages from a local file and dynamic data from a remote DB2 database. This would allow a customer to enter an air bill number in a Web page to request up-to-the-second information on their package.

    An IIS Web server has the ability to access relational databases using the Active Server Pages. The ASP uses ODBC drivers to access relational databases and can use StarSQL or other ODBC-to-DRDA drivers to access DB2. The Web server connects to the IBM host through SNA Server.

    (See Appendix 3: Sample HTML and Active Server Page)

    Hope you find some information that helps here. I am assuming a connection through SNA to a DB2 database on an IBM machine like an AS400.
    "America is the only country that went from barbarism to decadence without civilization in between."
    "The reason we are so pleased to find other people's secrets is that it distracts public attention from our own."
    Oscar Wilde (1854-1900)
