more windows log fun
  1. #1
    Senior Member
    Join Date
    Mar 2003
    Posts
    372

    more windows log fun

    Ok here is another stumper that has been happening for a while now.

    I see a developer attempting to log in to the box, from a different domain, and it fails. The problem is the machine name it is coming from is LOCALHOST. Now I know you can't name your box LOCALHOST so I'm wondering where NT is picking this name up from. The dev doesn't have physical access to the server in question, nor does he have remote access to that box. The machine in question is a Windows NT 4.0 server that is only an application server. It happens at around 06:30 every morning and only happens once, except on Sundays when it happens twice back to back. Here is a sanitized log entry for this event:

    Code:
    SEC,7/7/05,06:38:32,Security,529,Failure,Logon/Logoff ,NT AUTHORITY\SYSTEM,APPSERVER,Logon Failure:^`   Reason:         Unknown user name or bad password^`         User Name:      DEV1^`  Domain:         OTHERDOMAIN^`      Logon Type:     3^`     Logon Process:      KSecDD^`        Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0^`         Workstation Name:       \\LOCALHOST
    I have googled for an answer, and I have even checked out Microsoft's knowledge base trying to find anything similar to this, but have so far been unsuccessful. So I figured that I would turn to my AO brethren in the hopes that they may have an idea that I haven't thought of.

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.
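    As an added example (not part of the original post or of any tool the thread mentions), the script below parses records in the export layout shown above, one comma-separated line per event with ^` marking the line breaks inside the description, pulls out the event 529 failures whose Workstation Name is not a host in your own inventory, and groups them by user, domain and workstation with their time-of-day and weekday spread, which is exactly the "once a day at 06:38, twice on Sunday" pattern you would want to confirm from the data rather than from memory. The sample log lines, the host names WKS017 and WKS042, and the inventory list are constructed for illustration.

```python
"""Hunt an exported NT 4.0 security log for repeated event 529 logon failures
whose Workstation Name matches no host you actually own (e.g. \\LOCALHOST)."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the same export layout as the entry in the post:
# source,date,time,log,event id,result,category,user,computer,description,
# with ^` marking line breaks inside the description. Not real log data.
SAMPLE_LOG = r"""
SEC,7/4/05,06:38:31,Security,529,Failure,Logon/Logoff ,NT AUTHORITY\SYSTEM,APPSERVER,Logon Failure:^` Reason: Unknown user name or bad password^` User Name: DEV1^` Domain: OTHERDOMAIN^` Logon Type: 3^` Logon Process: KSecDD^` Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0^` Workstation Name: \\LOCALHOST
SEC,7/5/05,06:38:30,Security,529,Failure,Logon/Logoff ,NT AUTHORITY\SYSTEM,APPSERVER,Logon Failure:^` Reason: Unknown user name or bad password^` User Name: DEV1^` Domain: OTHERDOMAIN^` Logon Type: 3^` Logon Process: KSecDD^` Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0^` Workstation Name: \\LOCALHOST
SEC,7/5/05,08:12:07,Security,528,Success,Logon/Logoff ,OTHERDOMAIN\BOB,APPSERVER,Successful Logon:^` User Name: BOB^` Domain: OTHERDOMAIN^` Logon Type: 3^` Logon Process: KSecDD^` Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0^` Workstation Name: \\WKS042
SEC,7/6/05,09:15:44,Security,529,Failure,Logon/Logoff ,NT AUTHORITY\SYSTEM,APPSERVER,Logon Failure:^` Reason: Unknown user name or bad password^` User Name: JANE^` Domain: CORP^` Logon Type: 3^` Logon Process: KSecDD^` Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0^` Workstation Name: \\WKS017
SEC,7/7/05,06:38:32,Security,529,Failure,Logon/Logoff ,NT AUTHORITY\SYSTEM,APPSERVER,Logon Failure:^`   Reason:         Unknown user name or bad password^`         User Name:      DEV1^`  Domain:         OTHERDOMAIN^`      Logon Type:     3^`     Logon Process:      KSecDD^`        Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0^`         Workstation Name:       \\LOCALHOST
SEC,7/10/05,06:38:29,Security,529,Failure,Logon/Logoff ,NT AUTHORITY\SYSTEM,APPSERVER,Logon Failure:^` Reason: Unknown user name or bad password^` User Name: DEV1^` Domain: OTHERDOMAIN^` Logon Type: 3^` Logon Process: KSecDD^` Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0^` Workstation Name: \\LOCALHOST
SEC,7/10/05,06:38:33,Security,529,Failure,Logon/Logoff ,NT AUTHORITY\SYSTEM,APPSERVER,Logon Failure:^` Reason: Unknown user name or bad password^` User Name: DEV1^` Domain: OTHERDOMAIN^` Logon Type: 3^` Logon Process: KSecDD^` Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0^` Workstation Name: \\LOCALHOST
"""

FIELDS = ("source", "date", "time", "log", "event_id", "result",
          "category", "user", "computer", "description")


def parse_line(line):
    """Split one exported record into its columns and unpack the description
    (the ^`-separated "Key: value" pieces) into a dict. Returns None for
    blank or malformed lines."""
    parts = line.split(",", len(FIELDS) - 1)   # description may hold commas
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["timestamp"] = datetime.strptime(f"{rec['date']} {rec['time']}",
                                         "%m/%d/%y %H:%M:%S")
    rec["event_id"] = int(rec["event_id"])
    details = {}
    for piece in rec["description"].split("^`"):
        m = re.match(r"\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$", piece)
        if m:
            details[m.group(1)] = m.group(2)
    rec["details"] = details
    return rec


def normalize_host(name):
    """Strip the leading \\ the event writes in front of the name and fold case."""
    return name.strip().lstrip("\\").upper()


def suspicious_logon_failures(log_text, known_hosts):
    """Event 529 records whose Workstation Name is not in the host inventory."""
    known = {normalize_host(h) for h in known_hosts}
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["event_id"] != 529:
            continue
        if normalize_host(rec["details"].get("Workstation Name", "")) not in known:
            hits.append(rec)
    return hits


def summarize(hits):
    """Group hits by (user, domain, workstation) and record how many there
    were, which HH:MM they land on, which weekdays, and which logon types."""
    summary = {}
    for rec in hits:
        d = rec["details"]
        key = (d.get("User Name"), d.get("Domain"),
               normalize_host(d.get("Workstation Name", "")))
        s = summary.setdefault(key, {"count": 0, "minutes": Counter(),
                                     "weekdays": Counter(), "logon_types": set()})
        s["count"] += 1
        s["minutes"][rec["timestamp"].strftime("%H:%M")] += 1
        s["weekdays"][rec["timestamp"].strftime("%a")] += 1
        s["logon_types"].add(d.get("Logon Type"))
    return summary


if __name__ == "__main__":
    # Inventory is constructed; in practice feed it your real host list.
    hits = suspicious_logon_failures(SAMPLE_LOG, ["APPSERVER", "WKS017", "WKS042"])
    for key, s in summarize(hits).items():
        print(key, s["count"], dict(s["minutes"]), dict(s["weekdays"]),
              sorted(s["logon_types"]))
```

    Two caveats when reading the output. In a type 3 (network) logon the Workstation Name is whatever the client put in its NTLM authentication, not something the server resolved, so it is a good key to hunt on but not proof of where the connection came from. And the script matches on exact minute; if you run it over a month of exports and the times drift, widen the bucket (for instance to the hour) before concluding the pattern is not scheduled.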

  2. #2
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,743
    So you have no *nix boxes on the network then?

    Looks like the default settings of a *nix box.. perhaps someone playing with a live OS CD, i.e. Knoppix, SUSE Live, etc.... it just looks too much like it.. but I have been wrong before..

    Then there is the other possibility.. someone is playing a joke on you.. or testing you out.
    "Consumer technology now exceeds the average person's ability to comprehend how to use it.. give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  3. #3
    Senior Member
    Join Date
    Mar 2003
    Posts
    372
    We have a few *nix boxes on our network, but they are in a different subnet and have no way to communicate with those boxes.

    Now it could be someone using Knoppix, as the dev in question has done some "questionable" things in the past. I'm going to start narrowing down which machine it is really coming from today... I have a few tricks up my sleeve still.

    The more I think on this the more I'm leaning towards something along the lines of Knoppix.

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.

  4. #4
    Senior Member
    Join Date
    Jul 2004
    Posts
    469
    Do you have any at jobs scheduled for around 6:30 on that server? Is it just around that time, or damn close to the same time every time? Could be something on the server that is referencing itself through a share.

  5. #5
    Senior Member
    Join Date
    Mar 2003
    Posts
    372
    The only jobs happen at around midnight when it copies the logs to a central server and starts a backup, both of which finish by 01:30. The LOCALHOST failure is always at the same time, and as I said the dev in question doesn't have access to that box, so I don't know why a process would be trying to log in as him. If I remember correctly, when a process fails a login it doesn't just stop at one attempt, because Windows is fairly aggressive with retry attempts.

    Also, if it is the local box that is attempting to run a process, it should show up with the local box name, not LOCALHOST. I see plenty of services running on that box in the logs and they all have the real machine name there, but only one entry for LOCALHOST. As I said, this is a stumper for me.

    It happens every morning at around the same time. I'll have to verify the time, but I know it is usually around 06:30ish. The only variance that I have noticed is on Sundays, when it happens twice, back to back.

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.

  6. #6
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by Lv4
    The only jobs happen at around midnight when it copies the logs to a central server and starts a backup, both of which finish by 01:30. The LOCALHOST failure is always at the same time, and as I said the dev in question doesn't have access to that box, so I don't know why a process would be trying to log in as him. If I remember correctly, when a process fails a login it doesn't just stop at one attempt, because Windows is fairly aggressive with retry attempts.

    Also, if it is the local box that is attempting to run a process, it should show up with the local box name, not LOCALHOST. I see plenty of services running on that box in the logs and they all have the real machine name there, but only one entry for LOCALHOST. As I said, this is a stumper for me.

    It happens every morning at around the same time. I'll have to verify the time, but I know it is usually around 06:30ish. The only variance that I have noticed is on Sundays, when it happens twice, back to back.
    Has the "dev" in question developed an application for another environment / box which, either on purpose or by accident, got migrated to this box? What type of apps does he/she work on, and is there anything that he/she has worked on running on this box? I have seen more than one developer write "backdoors" into their code; I have also seen them hardcode their personal user IDs & passwords into their code in order to debug.

    Cheers:
    DjM
