bad things in netlogon file/event log

Thread: bad things in netlogon file/event log

  1. #1
    Junior Member
    Join Date
    Apr 2006
    Posts
    4

    bad things in netlogon file/event log

    First off, I'd like to give a "How do ya do?" to the forums. I just found the site and am eagerly awaiting the time that I can delve into the security tutorials available on the boards. I appreciate any comments in re my post...

    I came back from vacation and got slammed with work (what else is new..) but eventually made my way to do my pseudo-periodic check of several output files from a script that parses the netlogon log for attempted logons with invalid user names or invalid passwords. I found many, many entries (approx 1-2 per second) that look like this:

    03/20 18:03:21 [LOGON] SCL: SamLogon: Interactive logon of SCL\Administrator from EXCHANGE Returns 0xC0000064
    03/20 18:03:22 [LOGON] SCL: SamLogon: Interactive logon of SCL\Administrator from EXCHANGE Returns 0xC0000064
    03/20 18:03:22 [LOGON] SCL: SamLogon: Interactive logon of SCL\Administrator from EXCHANGE Returns 0xC0000064
    03/20 18:03:23 [LOGON] SCL: SamLogon: Interactive logon of SCL\Administrator from EXCHANGE Returns 0xC0000064

    Obviously we do not have an account named Administrator (it has been renamed). They do not occur each day (nor is there a specific pattern that I can see as to the days/times they do occur) and the attempts to log on last for exactly 20 minutes. Here is what I see in the Security event log at the times that these attempted logons occur:

    4/13/2006,12:48:55 AM,Security,Failure Audit,Logon/Logoff ,529,NT AUTHORITY\SYSTEM,EXCHANGE,"Logon Failure:
    Reason: Unknown user name or bad password
    User Name: Administrator
    Domain: SCL
    Logon Type: 8
    Logon Process: IIS
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name: EXCHANGE
    Caller User Name: EXCHANGE$
    Caller Domain: SCL
    Caller Logon ID: (0x0,0x3E7)
    Caller Process ID: 1900
    Transited Services: -
    Source Network Address: -
    Source Port: -

    I am also noticing Sec event log entries on clients that say users are logging onto the clients when there is no activity the user is initiating. They are logon type 3 (Kerberos) and log off after about 10 seconds. This does not occur on all the clients, only a few. I'm not sure if this is related but thought it best to include the info.

    I've attached a .txt with the parsed failed logons. You will notice other domain/usernames attempting to log on. Again, I'm not sure they are related.

    "Exchange" is a DC that also has a website and Exchange 2003 on it. Yes, I know that is a security risk, but I inherited the network a few months ago and will not be able to install more servers for a few more months....

    Where do I go/what can I do to resolve this?

    I appreciate the feedback...

    ***Edit: The .txt is too large to attach. I can mail it if anyone needs it.
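    The poster's own parsing script is not shown. Below is an added example (not the poster's code) that parses lines in the netlogon.log format quoted above, keeps only failed SamLogon attempts, and groups them per account and source workstation into bursts, so a 20-minute run of 0xC0000064 failures stands out from an isolated typo. The log lines are constructed; the year (absent from netlogon.log) is assumed to be 2006, and the burst gap of 5 minutes is an assumed threshold.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the netlogon.log format quoted in the post (not the poster's attachment).
SAMPLE_LOG = """\
03/20 18:03:21 [LOGON] SCL: SamLogon: Interactive logon of SCL\\Administrator from EXCHANGE Returns 0xC0000064
03/20 18:03:22 [LOGON] SCL: SamLogon: Interactive logon of SCL\\Administrator from EXCHANGE Returns 0xC0000064
03/20 18:03:22 [LOGON] SCL: SamLogon: Interactive logon of SCL\\Administrator from EXCHANGE Returns 0xC0000064
03/20 18:03:23 [LOGON] SCL: SamLogon: Interactive logon of SCL\\root from EXCHANGE Returns 0xC0000064
03/20 18:23:21 [LOGON] SCL: SamLogon: Interactive logon of SCL\\Administrator from EXCHANGE Returns 0xC0000064
03/20 18:40:00 [LOGON] SCL: SamLogon: Interactive logon of SCL\\jsmith from WS01 Returns 0x0
03/21 09:00:05 [LOGON] SCL: SamLogon: Interactive logon of SCL\\jsmith from WS01 Returns 0xC000006A
"""

# NTSTATUS values: 0xC0000064 (no such user) is the one in the post; 0xC000006A is wrong password.
STATUS = {"0xC0000064": "no such user", "0xC000006A": "wrong password"}

LINE_RE = re.compile(
    r"^(?P<date>\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) \[LOGON\] \S+ SamLogon: "
    r"(?P<kind>\w+) logon of (?P<account>\S+) from (?P<source>\S+) "
    r"Returns (?P<status>0x[0-9A-Fa-f]+)$"
)

def parse_netlogon(text, year=2006):
    """Yield one dict per line matching the SamLogon format; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year}/{m['date']} {m['time']}", "%Y/%m/%d %H:%M:%S")
        yield {"ts": ts, "account": m["account"], "source": m["source"], "status": m["status"]}

def failure_summary(text, gap_minutes=5):
    """Group failed logons per (account, source, reason) into bursts separated by more
    than gap_minutes of silence. Returns {key: [(first_ts, last_ts, count), ...]}."""
    bursts = defaultdict(list)
    for rec in parse_netlogon(text):
        if rec["status"] == "0x0":      # successful logon; not a failure
            continue
        key = (rec["account"], rec["source"], STATUS.get(rec["status"], rec["status"]))
        runs = bursts[key]
        if runs and (rec["ts"] - runs[-1][1]).total_seconds() <= gap_minutes * 60:
            first, _, n = runs[-1]
            runs[-1] = (first, rec["ts"], n + 1)   # extend the current burst
        else:
            runs.append((rec["ts"], rec["ts"], 1))  # start a new burst
    return dict(bursts)

if __name__ == "__main__":
    for (account, source, reason), runs in failure_summary(SAMPLE_LOG).items():
        for first, last, n in runs:
            mins = (last - first).total_seconds() / 60
            print(f"{account} from {source}: {n} x {reason}, {first:%m/%d %H:%M:%S}-{last:%H:%M:%S} ({mins:.0f} min)")
```

Widening `gap_minutes` merges the 18:03 and 18:23 Administrator failures into one burst, which is the view that exposes a sustained attempt rather than a single mistyped password.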

  2. #2
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    This looks like worm/bot activity. I think you have bigger issues than this log problem.

    Have you any kind of traffic analyser available?

    --Th13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3
    Junior Member
    Join Date
    Apr 2006
    Posts
    4
    Other than "network monitor" on the server, no, I don't have a program that can be installed on the server itself.

    I do have a red hat box with ethereal installed....

    I also failed to mention that the same log entries have occurred with SCL\root rather than SCL\Administrator. SCL is also our legit domain name.

    What are you referring to when you say I have bigger problems than the log entries?

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    How many Windows boxes do you know that have a "root" account?

    Again, looks like worm or bot activity. Any way to spot the source address of the host sending these requests in? I mean, the domain controller running netmon can capture this information very easily. That is, if it still is happening.

  5. #5
    Junior Member
    Join Date
    Apr 2006
    Posts
    4
    lol. I don't know of any win boxes with a root account.

    I'll run Network Monitor on the box and see what comes up. Good call, I should have thought of that as the next step. Anything specific/general that I should look for?

  6. #6
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    Failed login attempts and source addresses of those attempts.

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Do you have a server, (or workstation I suppose), called EXCHANGE on the same network? Does it have a user called administrator?

    Because that looks a lot like another computer trying to access this particular one rather than someone trying to access it.

    I'm guessing that the computer showing these log entries is on the trusted network and so is the computer called EXCHANGE.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  8. #8
    Junior Member
    Join Date
    Apr 2006
    Posts
    4
    We have one computer on the trusted network called Exchange. That is a DC. There are no clients or other servers (obviously) called Exchange.

    All of the clients have the Administrator account enabled.

  9. #9
    Banned
    Join Date
    Apr 2003
    Posts
    1,146
    I think what horsie is alluding to with the "bigger issues" is that you likely have something monitoring some of your client workstations (the Kerb logins), probably through a local admin account (not necessarily Administrator) that didn't have a tough enough password. You may have a netcat remote session or mIRC environment running on them to leverage into the rest of the network.

    Check that all the services are communicating on the server as they are supposed to. You will need to set up an Ethereal on a hub or on the router so that it can see all the traffic in and out of the network so you can see if the login attempts are coming from outside or inside your network. If they are coming from outside, that is a brute force attack at the administrator account. If it is coming from inside, you may have a compromised workstation that is doing the dirty work. However, there must be some traffic through the network to indicate the remote controller for this activity.

    Those systems that are showing the periodic logins may be needing a good safe mode scan to see what is on them.
