Window Event Log Question

Can anyone give me some info on the W2k event log below. I'm having a hard time tracking down info about it. I know WHAT is is and why it happens, but I can't figure what's causing it. This is from our domain controller. We see things like it every now and then, but cannot track it.
Here's a few specific questions I have about it:
1. What exactly causes this event?
2. Is there a way to track such events?
3. Where did the "Caller Machine Name" come from? It is ±è¿µÀÏ
4. You can not see it here, but the font in this event was different from the rest. Is there a reason for that?

Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 644
Date: 7/13/2004
Time: 12:16:10 AM
User: NT AUTHORITY\SYSTEM
Computer: DCNAME
Description:
User Account Locked Out:
Target Account Name: Administrator
Target Account ID: CORP\Administrator
Caller Machine Name: ±è¿µÀÏ
Caller User Name: DCNAME$
Caller Domain: CORP
Caller Logon ID: (0x0,0x3E7)

Following my Googling (http://www.antionline.com/showthread...hreadid=259648)

A user try to many time with the wrong password to access your domain administrator login and the account got lock out!

One possible explanation for the funny characters would be a workstation that uses a different characterset (i.e. a chinese/taiwanese windows).

Is this server accessible from the Internet?

Quote:

---

1. What exactly causes this event?

---

as stated before, too many incorrect passwords will cause the account to lock out, blocking a hacking attempt

Quote:

---

2. Is there a way to track such events?

---

Event log is tracking it -- if you mean, send you an e-mail or something, try using the snmp - you can setup a "trap" that will e-mail or call your pager or send a message to your computer if you are running a client

Quote:

---

3. Where did the "Caller Machine Name" come from? It is ±è¿µÀÏ

---

caller machine name is the name of the remote machine -- most likely virus infected and in a different country - using some type of oriental character set

Quote:

---

4. You can not see it here, but the font in this event was different from the rest. Is there a reason for that?

---

it could be one of 3 different reasons....
1) different character set with the machine name causing your event log to act differently
2) event log is setup so that certain events get different fonts due to severity
3) windows is being stupid and it is a bug

You guys rock. Thanks for the info.

That makes sense about the remote machine using a diff char set.

When I said how can I track these I meant. .. How can I find out where this hit came from. Win event logs are dumb, they don't give and IP address or anything that is useful for tracking.

This controller is accessible from a DMZ with VPN clients on it. Not the setup I'd choose, but he I'm not running the show.

Quote:

---

How can I find out where this hit came from. Win event logs are dumb, they don't give and IP address or anything that is useful for tracking.[/B]

---

if you go further back in the event log you should start to see failures in the security auditing for login... ex:

and should look something like this:

Logon Failure:
Reason: Unknown user name or bad password
User Name: NT AUTHORITY\SYSTEM
Domain: DCNAME
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: DCNAME
Caller Machine Name: ±è¿µÀÏ
Caller User Name: DCNAME$
Caller Domain: CORP
Caller Logon ID: (0x0,0x3E7)
Transited Services: -
Source Network Address: [this is the ip address you are looking for]
Source Port: 1851


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Yeah, I see that field there, however on Win2k Server there is never an ip address there. On Windows Server 2003 it captures the ip address.

Is there a way to enable that? I may be missing something here. I would love to capture ip addresses for events.

Check your firewall/VPN logs around the same time and look for weird connections.

Here's the thing with checking the firewall though.

It was not logged on the firewall because it made it through. Due to log size we are only logging failures.

Checking the vpn logs yeild what time users log on and off. At any given time there are hundreds of users logged on. We have no capabilities to log traffic that they generate. I guess I could look for the computer name that made the attempt, that should give and IP address. Let me try that.

And for the record I do know how to fix this problem. An IDS would be a great help in tracking this traffic. I'm a f'n Cisco Certified Security Professional and I know how to use Cisco IDS (obviously) and I've tried to talk the company into purchasing a the system, but they said it's too exspensive, blah, blah... Ok, off topic I'm just venting...

Ahh. Cisco's IDS is indeed expensive.

You may want to checkout Snort.
You can run it on a Linux, *BSD or Windows machine.

It's a great, inexpensive NIDS that's even better than some of the commercial ones.