Hi experts
I have suddenly started having problems with security events and I can't tie the start of them down to any specific update or the like. I suppose this question is best broken down into two parts.
Yesterday there were 47 Failure Audits recorded between 16:00:05 & 16:11:42 involving attempted logins by the username Administrator, generating event IDs 529, 672 & 680. The Administrator account has been renamed from day 1 and here is an example of one type of log entry:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 672
Date: 07/06/2007
Time: 16:00:05
User: NT AUTHORITY\SYSTEM
Computer: AML-SERVER
Description:
Authentication Ticket Request:
User Name: Administrator
Supplied Realm Name: OURDOMAIN.LOCAL
User ID: -
Service Name: krbtgt/OURDOMAIN.LOCAL
Service ID: -
Ticket Options: 0x40810010
Result Code: 0x6
Ticket Encryption Type: -
Pre-Authentication Type: -
Client Address: 127.0.0.1
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. ** That wasn't any help - it said that "There is no Failure Audit form of this audit event record" Hmmm.
I cannot see anything in application or system logs which could have caused this. Is there any way in which I can find out which program / process has used this login, please? Another option is, could this be something more sinister? No infections have been found on the daily full virus scans across the network and we have a hardware firewall. The firewall did report that it had repelled several Smurf attacks exactly an hour earlier, purporting to originate from an address belonging to African Network Information Center and there is no evidence I have found to suggest that the firewall was breached.
In addition, I have started to get occasional event IDs 673, within the DHCP range reserved for VPN clients & also some LAN clients. The clocks seem to be in sync with the server and a success audit is registered at the next event. No failure event is recorded on the client, only the success.
Any ideas, please?
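As an added example (not from the poster, and not a Microsoft tool), here is a small Python triage script for records in this Event ID 672 layout: it parses the fields, maps the Kerberos Result Code to its RFC 4120 name, and flags any user name / client address pair with repeated failures inside a short window. The sample records, the "jsmith" account and the 192.168.1.20 address are constructed; the dd/mm/yyyy date order is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fields of a Windows 2003 security audit record in the order of the poster's 672 entry.
FIELD_RE = re.compile(
    r"Event Type: (?P<type>.+?) Event Source.*?Event ID: (?P<id>\d+) Date: (?P<date>\S+) "
    r"Time: (?P<time>\S+) .*?User Name: (?P<user>\S+) .*?Result Code: (?P<code>\S+) "
    r".*?Client Address: (?P<addr>\S+)")

# Kerberos KDC error codes (RFC 4120) that matter when triaging 672 failures.
KDC_ERRORS = {"0x6": "KDC_ERR_C_PRINCIPAL_UNKNOWN (no such account in the realm)",
              "0x18": "KDC_ERR_PREAUTH_FAILED (wrong password)"}

def parse_event(text):
    """Return the triage fields of one audit record (one line or multi-line), or None."""
    m = FIELD_RE.search(" ".join(text.split()))  # collapse Event Viewer line breaks
    if not m:
        return None
    rec = m.groupdict()
    # Date assumed to be dd/mm/yyyy, as in the poster's 07/06/2007 entry.
    rec["when"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%d/%m/%Y %H:%M:%S")
    rec["reason"] = KDC_ERRORS.get(rec["code"], "unlisted result code " + rec["code"])
    return rec

def find_failure_bursts(records, threshold=3, window=timedelta(minutes=15)):
    """Return {(user, addr): count} for 672 Failure Audits repeated >= threshold times in window."""
    groups = defaultdict(list)
    for text in records:
        rec = parse_event(text)
        if rec and rec["id"] == "672" and rec["type"] == "Failure Audit":
            groups[(rec["user"], rec["addr"])].append(rec["when"])
    return {key: len(t) for key, t in groups.items()
            if len(t) >= threshold and max(t) - min(t) <= window}

def _rec(etype, time, user, code, addr):  # builds one constructed sample record
    return (f"Event Type: {etype} Event Source: Security Event Category: Account Logon "
            f"Event ID: 672 Date: 07/06/2007 Time: {time} User: NT AUTHORITY\\SYSTEM "
            f"Computer: AML-SERVER Description: Authentication Ticket Request: "
            f"User Name: {user} Supplied Realm Name: OURDOMAIN.LOCAL User ID: - "
            f"Service Name: krbtgt/OURDOMAIN.LOCAL Service ID: - Ticket Options: 0x40810010 "
            f"Result Code: {code} Ticket Encryption Type: - Pre-Authentication Type: - "
            f"Client Address: {addr}")

# Constructed sample log: a local burst for a name that no longer exists (0x6) plus normal traffic.
SAMPLE_LOG = [_rec("Failure Audit", "16:00:05", "Administrator", "0x6", "127.0.0.1"),
              _rec("Failure Audit", "16:03:17", "Administrator", "0x6", "127.0.0.1"),
              _rec("Failure Audit", "16:11:42", "Administrator", "0x6", "127.0.0.1"),
              _rec("Success Audit", "16:05:00", "jsmith", "0x0", "192.168.1.20"),
              _rec("Failure Audit", "09:15:00", "jsmith", "0x18", "192.168.1.20")]
```

A 0x6 result from 127.0.0.1 means something on the server itself asked the KDC for a ticket under a principal name that does not exist in the realm, which is exactly what a renamed built-in account produces when a local service or scheduled task still references the old name.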