Re: Unknown User Logon attempt

N

netadmin07

"Why it was trying to use an account called "Secret" i have no idea, but it
sure was a suspicous name. Well I don't believe it's anything malicious, so I
have disabled the service, I wasn't using that function anyways. Very
strange."



I don't think an Adaptec service would use a login username called "secret".
This has been happening to our server too. I have also researched it
online and have found a ton of people that are being hit with this possible
attack. I need to figure out which IP Address this is coming from. Can
someone please help me with this? This pattern seems to be that of a hacker
or process attempting to access our mail server in order to install a virus
or some type of malicious software.


It seems that it will just be a matter of time for this process to figure
out a username and password match, and then it will have access into our
server.


Should I follow this link someone posted? They are indicating an attack and
how to go about debugging it. I really need to know how to debug this issue.

(http://blogs.msdn.com/puneetgupta/archive/...exe-advapi.aspx)






Caller Process ID: 1972
Process: INETINFO.EXE






It has been going on as follows:

Event Viewer:
>Security
>>Failure Audit


=====================================
1st Time (227 Attempts)
=====================================
8/30/2009
10:35 AM - 2:33 PM
Logon Failure:
Reason: Unknown user name or bad password
User Name: guest
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: GLVSR05
Caller User Name: GLVSR05$
Caller Domain: GLVSROPS
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1972
Transited Services: -
Source Network Address: -
Source Port: -

=====================================
2nd Attempt (1 Attempt)
=====================================
8/31/2009
1:30 PM

Logon Failure:
Reason: Account currently disabled
User Name: test
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: GLVSR05
Caller User Name: GLVSR05$
Caller Domain: GLVSROPS
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1972
Transited Services: -
Source Network Address: -
Source Port: -


=====================================
3rd Attempt (37 Attempts)
=====================================
9/1/2009
5:09 PM


Logon Failure:
Reason: Unknown user name or bad password
User Name: webmaster
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: GLVSR05
Caller User Name: GLVSR05$
Caller Domain: GLVSROPS
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1972
Transited Services: -
Source Network Address: -
Source Port: -
=====================================





Thanks for the assistance,

--
Mike Spade
IT Supervisor, Network & Operations
Global Logistics Village, Inc.
(925) 543-0271
Mike.Spade@glovill.com








"Steven L Umbach" wrote:

> Excellent. Mystery solved. Curious that the account name was secret as you
> said. Anyhow good job and thanks for reporting back what worked! --- Steve
>
>
> "Samhain_Knight" wrote in message
> news:5869C896-F63C-4EFF-B601-EE67C466725E@microsoft.com...
> >I found the service that was causing the event. I started reststarting
> > non-essential services one by one until I found the service that was
> > generating the security event. I turned out to be a service from Adaptec.
> > The
> > server has an Adaptec RAID card. I installed Adpatecs RAID management
> > utility
> > on the server also. It is a browser base utility to manage your RAID. It
> > installs 3 services, one named "Adaptec Storage Manager Notifier" was set
> > to
> > logon on as local service and would generate the event everytime I
> > restarted
> > it. Why it was trying to use an account called "Secret" i have no idea,
> > but
> > it sure was a suspicous name. Well I don't believe it's anything
> > malicious,
> > so I have disabled the service, I wasn't using that function anyways. Very
> > strange.
> >
> > Thanks a lot Steve for your help you definetly pointed me in the right
> > direction on this! Great advice!
> > Keep on Keepin On.
> > "Steven L Umbach" wrote:
> >
> >> There is a free tool from SysInternals called Autoruns that may help you
> >> as
> >> it certainly looks like it is a local startup process. It shows the
> >> various
> >> start up programs that are on your computer and also gives you that
> >> ability
> >> to disable them individually which you may need to do in a trial and
> >> error
> >> method to try and track down what is causing your problem. It also could
> >> be
> >> a non essential service that is not used to boot into safe mode . Use
> >> services.msc to check your services and look in the "logon as column" to
> >> see
> >> if you can see anything there that may help. You can also selectively
> >> disable services with msconfig. If you are using Windows 2000 you will
> >> not
> >> have msconfig but you can download it from the internet. --- Steve
> >>
> >> http://www.sysinternals.com/Utilities/Autoruns.html --- Autoruns
> >> http://www.perfectdrivers.com/howto/msconfig.html --- Msconfig
> >>
> >> "Samhain_Knight" wrote in message
> >> news:F64A7BF1-543A-4F21-932D-94BD7FD84E0E@microsoft.com...
> >> >I cleared the event log, shutdown, unplugged the network cable, power
> >> >on,
> >> >and
> >> > logged in using domain credentials. The same event is shown for user
> >> > "Secret". I then rebooted and logged into safe mode, keeping the
> >> > network
> >> > cable unplugged and i didn't receive the event? Since the cable is
> >> > unplugged,
> >> > this must be a local process generated on the server? There are now
> >> > mapped
> >> > drives on this server either? Anymore input would be appreciated!
> >> >
> >> > Thanks!!!
> >> >
> >> > "Steven L Umbach" wrote:
> >> >
> >> >> Try booting into safe mode to see the those events are recorded or
> >> >> not.
> >> >> More
> >> >> than likely something is using that user account. You could also try
> >> >> rebooting with the computer disconnected from the network to see if
> >> >> those
> >> >> events are recorded and if they are you know for sure it is internally
> >> >> generated. I would also be sure to run a full system scan for malware.
> >> >> There
> >> >> is a tool that is used to troubleshoot account lockouts that may help
> >> >> as
> >> >> it
> >> >> creates a log that shows when a user is trying to authenticated and
> >> >> the
> >> >> associated process with times recorded to match to the security log.
> >> >> Also
> >> >> check to see if any mapped drives have persistent credentials
> >> >> associated
> >> >> with them. The link below is to the alockout.dll tool [be sure to read
> >> >> warning] and other documentation and tools that normally are used to
> >> >> track
> >> >> domain account lockouts but still have helpful information. I would
> >> >> also
> >> >> temporarily enable auditing of object access, privilige use, and
> >> >> process
> >> >> tracking for failure on that server to see if that helps pinpoint what
> >> >> is
> >> >> going on. --- Steve
> >> >>
> >> >>
> >> >>
> >> >>
> >> >> "Samhain_Knight" wrote in
> >> >> message
> >> >> news:F8BC53E0-A105-4EDA-9BEB-90A614273641@microsoft.com...
> >> >> > I'm trying to track down a user logon attempt on one of my servers.
> >> >> > W2k AD enviroment
> >> >> > Whenever I reboot one of my member server i get an event 681/529.
> >> >> > What
> >> >> > scares me is that the username attempting to logon is called
> >> >> > "secret".
> >> >> > I
> >> >> > know
> >> >> > for sure it's not a domain user account nor a local user account on
> >> >> > the
> >> >> > server. I'm trying to find more info on this user. I only receive
> >> >> > this
> >> >> > event
> >> >> > when I reboot the server as if it's a service starting up. I don't
> >> >> > see
> >> >> > any
> >> >> > unknown services running on the server though? Any suggestions how
> >> >> > to
> >> >> > best
> >> >> > troubleshoot this? Here's a copy of the event:
> >> >> >
> >> >> > Event Type: Failure Audit
> >> >> > Event Source: Security
> >> >> > Event Category: Logon/Logoff
> >> >> > Event ID: 529
> >> >> > Date: 6/11/2005
> >> >> > Time: 9:10:31 AM
> >> >> > User: NT AUTHORITYSYSTEM
> >> >> > Computer: EVANS10
> >> >> > Description:
> >> >> > Logon Failure:
> >> >> > Reason: Unknown user name or bad password
> >> >> > User Name: Secret
> >> >> > Domain:
> >> >> > Logon Type: 2
> >> >> > Logon Process: Advapi
> >> >> > Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> >> >> > Workstation Name: "member server"
> >> >> >
> >> >> > Event Type: Failure Audit
> >> >> > Event Source: Security
> >> >> > Event Category: Account Logon
> >> >> > Event ID: 681
> >> >> > Date: 6/11/2005
> >> >> > Time: 9:10:31 AM
> >> >> > User: NT AUTHORITYSYSTEM
> >> >> > Computer: member server
> >> >> > Description:
> >> >> > The logon to account: Secret
> >> >> > by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> >> >> > from workstation: member server
> >> >> > failed. The error code was: 3221225572
> >> >> >
> >> >> > Thanks
> >> >> >
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>

>
>
>
 
M

MowGreen

Security Troubleshooting and Support
http://technet.microsoft.com/en-us/security/bb980617.aspx

" No-Charge Support 1-866-PCSAFETY
or 1-866-727-2338

This phone number is for virus and *other* security-related support. It
is available 24 hours a day for the U.S. and Canada.

For phone numbers outside of the U.S. and Canada, select your region.
http://support.microsoft.com/common/intern...l.aspx?rdpath=4 "

Suggest you contact MS for *no-charge assistance*


MowGreen
===============
*-343-* FDNY
Never Forgotten
===============

banthecheck.com
"Security updates should *not* have *non-security content* prechecked"



netadmin07 wrote:

> "Why it was trying to use an account called "Secret" i have no idea, but it
> sure was a suspicous name. Well I don't believe it's anything malicious, so I
> have disabled the service, I wasn't using that function anyways. Very
> strange."
>
>
>
> I don't think an Adaptec service would use a login username called "secret".
> This has been happening to our server too. I have also researched it
> online and have found a ton of people that are being hit with this possible
> attack. I need to figure out which IP Address this is coming from. Can
> someone please help me with this? This pattern seems to be that of a hacker
> or process attempting to access our mail server in order to install a virus
> or some type of malicious software.
>
>
> It seems that it will just be a matter of time for this process to figure
> out a username and password match, and then it will have access into our
> server.
>
>
> Should I follow this link someone posted? They are indicating an attack and
> how to go about debugging it. I really need to know how to debug this issue.
>
> (http://blogs.msdn.com/puneetgupta/archive/...exe-advapi.aspx)
>
>
>
>
>
>
> Caller Process ID: 1972
> Process: INETINFO.EXE
>
>
>
>
>
>
> It has been going on as follows:
>
> Event Viewer:
>
>>Security
>>
>>>Failure Audit

>
>
> =====================================
> 1st Time (227 Attempts)
> =====================================
> 8/30/2009
> 10:35 AM - 2:33 PM
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name: guest
> Domain:
> Logon Type: 3
> Logon Process: Advapi
> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Workstation Name: GLVSR05
> Caller User Name: GLVSR05$
> Caller Domain: GLVSROPS
> Caller Logon ID: (0x0,0x3E7)
> Caller Process ID: 1972
> Transited Services: -
> Source Network Address: -
> Source Port: -
>
> =====================================
> 2nd Attempt (1 Attempt)
> =====================================
> 8/31/2009
> 1:30 PM
>
> Logon Failure:
> Reason: Account currently disabled
> User Name: test
> Domain:
> Logon Type: 3
> Logon Process: Advapi
> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Workstation Name: GLVSR05
> Caller User Name: GLVSR05$
> Caller Domain: GLVSROPS
> Caller Logon ID: (0x0,0x3E7)
> Caller Process ID: 1972
> Transited Services: -
> Source Network Address: -
> Source Port: -
>
>
> =====================================
> 3rd Attempt (37 Attempts)
> =====================================
> 9/1/2009
> 5:09 PM
>
>
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name: webmaster
> Domain:
> Logon Type: 3
> Logon Process: Advapi
> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Workstation Name: GLVSR05
> Caller User Name: GLVSR05$
> Caller Domain: GLVSROPS
> Caller Logon ID: (0x0,0x3E7)
> Caller Process ID: 1972
> Transited Services: -
> Source Network Address: -
> Source Port: -
> =====================================
>
>
>
>
>
> Thanks for the assistance,
>
> --
> Mike Spade
> IT Supervisor, Network & Operations
> Global Logistics Village, Inc.
> (925) 543-0271
> Mike.Spade@glovill.com
>
>
>
>
>
>
>
>
> "Steven L Umbach" wrote:
>
>
>>Excellent. Mystery solved. Curious that the account name was secret as you
>>said. Anyhow good job and thanks for reporting back what worked! --- Steve
>>
>>
>>"Samhain_Knight" wrote in message
>>news:5869C896-F63C-4EFF-B601-EE67C466725E@microsoft.com...
>>
>>>I found the service that was causing the event. I started reststarting
>>>non-essential services one by one until I found the service that was
>>>generating the security event. I turned out to be a service from Adaptec.
>>>The
>>>server has an Adaptec RAID card. I installed Adpatecs RAID management
>>>utility
>>>on the server also. It is a browser base utility to manage your RAID. It
>>>installs 3 services, one named "Adaptec Storage Manager Notifier" was set
>>>to
>>>logon on as local service and would generate the event everytime I
>>>restarted
>>>it. Why it was trying to use an account called "Secret" i have no idea,
>>>but
>>>it sure was a suspicous name. Well I don't believe it's anything
>>>malicious,
>>>so I have disabled the service, I wasn't using that function anyways. Very
>>>strange.
>>>
>>>Thanks a lot Steve for your help you definetly pointed me in the right
>>>direction on this! Great advice!
>>>Keep on Keepin On.
>>>"Steven L Umbach" wrote:
>>>
>>>
>>>>There is a free tool from SysInternals called Autoruns that may help you
>>>>as
>>>>it certainly looks like it is a local startup process. It shows the
>>>>various
>>>>start up programs that are on your computer and also gives you that
>>>>ability
>>>>to disable them individually which you may need to do in a trial and
>>>>error
>>>>method to try and track down what is causing your problem. It also could
>>>>be
>>>>a non essential service that is not used to boot into safe mode . Use
>>>>services.msc to check your services and look in the "logon as column" to
>>>>see
>>>>if you can see anything there that may help. You can also selectively
>>>>disable services with msconfig. If you are using Windows 2000 you will
>>>>not
>>>>have msconfig but you can download it from the internet. --- Steve
>>>>
>>>>http://www.sysinternals.com/Utilities/Autoruns.html --- Autoruns
>>>>http://www.perfectdrivers.com/howto/msconfig.html --- Msconfig
>>>>
>>>>"Samhain_Knight" wrote in message
>>>>news:F64A7BF1-543A-4F21-932D-94BD7FD84E0E@microsoft.com...
>>>>
>>>>>I cleared the event log, shutdown, unplugged the network cable, power
>>>>>on,
>>>>>and
>>>>>logged in using domain credentials. The same event is shown for user
>>>>>"Secret". I then rebooted and logged into safe mode, keeping the
>>>>>network
>>>>>cable unplugged and i didn't receive the event? Since the cable is
>>>>>unplugged,
>>>>>this must be a local process generated on the server? There are now
>>>>>mapped
>>>>>drives on this server either? Anymore input would be appreciated!
>>>>>
>>>>>Thanks!!!
>>>>>
>>>>>"Steven L Umbach" wrote:
>>>>>
>>>>>
>>>>>>Try booting into safe mode to see the those events are recorded or
>>>>>>not.
>>>>>>More
>>>>>>than likely something is using that user account. You could also try
>>>>>>rebooting with the computer disconnected from the network to see if
>>>>>>those
>>>>>>events are recorded and if they are you know for sure it is internally
>>>>>>generated. I would also be sure to run a full system scan for malware.
>>>>>>There
>>>>>>is a tool that is used to troubleshoot account lockouts that may help
>>>>>>as
>>>>>>it
>>>>>>creates a log that shows when a user is trying to authenticated and
>>>>>>the
>>>>>>associated process with times recorded to match to the security log.
>>>>>>Also
>>>>>>check to see if any mapped drives have persistent credentials
>>>>>>associated
>>>>>>with them. The link below is to the alockout.dll tool [be sure to read
>>>>>>warning] and other documentation and tools that normally are used to
>>>>>>track
>>>>>>domain account lockouts but still have helpful information. I would
>>>>>>also
>>>>>>temporarily enable auditing of object access, privilige use, and
>>>>>>process
>>>>>>tracking for failure on that server to see if that helps pinpoint what
>>>>>>is
>>>>>>going on. --- Steve
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>"Samhain_Knight" wrote in
>>>>>>message
>>>>>>news:F8BC53E0-A105-4EDA-9BEB-90A614273641@microsoft.com...
>>>>>>
>>>>>>>I'm trying to track down a user logon attempt on one of my servers.
>>>>>>>W2k AD enviroment
>>>>>>>Whenever I reboot one of my member server i get an event 681/529.
>>>>>>>What
>>>>>>>scares me is that the username attempting to logon is called
>>>>>>>"secret".
>>>>>>>I
>>>>>>>know
>>>>>>>for sure it's not a domain user account nor a local user account on
>>>>>>>the
>>>>>>>server. I'm trying to find more info on this user. I only receive
>>>>>>>this
>>>>>>>event
>>>>>>>when I reboot the server as if it's a service starting up. I don't
>>>>>>>see
>>>>>>>any
>>>>>>>unknown services running on the server though? Any suggestions how
>>>>>>>to
>>>>>>>best
>>>>>>>troubleshoot this? Here's a copy of the event:
>>>>>>>
>>>>>>>Event Type: Failure Audit
>>>>>>>Event Source: Security
>>>>>>>Event Category: Logon/Logoff
>>>>>>>Event ID: 529
>>>>>>>Date: 6/11/2005
>>>>>>>Time: 9:10:31 AM
>>>>>>>User: NT AUTHORITYSYSTEM
>>>>>>>Computer: EVANS10
>>>>>>>Description:
>>>>>>>Logon Failure:
>>>>>>> Reason: Unknown user name or bad password
>>>>>>> User Name: Secret
>>>>>>> Domain:
>>>>>>> Logon Type: 2
>>>>>>> Logon Process: Advapi
>>>>>>> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>>>>>>> Workstation Name: "member server"
>>>>>>>
>>>>>>>Event Type: Failure Audit
>>>>>>>Event Source: Security
>>>>>>>Event Category: Account Logon
>>>>>>>Event ID: 681
>>>>>>>Date: 6/11/2005
>>>>>>>Time: 9:10:31 AM
>>>>>>>User: NT AUTHORITYSYSTEM
>>>>>>>Computer: member server
>>>>>>>Description:
>>>>>>>The logon to account: Secret
>>>>>>>by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>>>>>>>from workstation: member server
>>>>>>>failed. The error code was: 3221225572
>>>>>>>
>>>>>>>Thanks
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>
>>>>

>>
>>
 
N

netadmin07

This is NOT a pc.




Here is the OS info:

System:
Microsoft Windows Server 2003 x32
for Small Business Server
Service Pack 2

Computer:
Intel
 
M

MowGreen

Understood from your original, orphaned post. MS will still offer you
no-charge support for getting this 'issue' diagnosed.
The choice is yours.


MowGreen
===============
*-343-* FDNY
Never Forgotten
===============

banthecheck.com
"Security updates should *not* have *non-security content* prechecked"




netadmin07 wrote:

> This is NOT a pc.
>
>
>
>
> Here is the OS info:
>
> System:
> Microsoft Windows Server 2003 x32
> for Small Business Server
> Service Pack 2
>
> Computer:
> Intel
 
N

netadmin07

Ok. Great. I called but I wasn't sure which extension or route to take,
because all the options were PC related. Any suggestions?

Thanks.
MIKE





"MowGreen" wrote:

> Understood from your original, orphaned post. MS will still offer you
> no-charge support for getting this 'issue' diagnosed.
> The choice is yours.
>
>
> MowGreen
> ===============
> *-343-* FDNY
> Never Forgotten
> ===============
>
> banthecheck.com
> "Security updates should *not* have *non-security content* prechecked"
>
>
>
>
> netadmin07 wrote:
>
> > This is NOT a pc.
> >
> >
> >
> >
> > Here is the OS info:
> >
> > System:
> > Microsoft Windows Server 2003 x32
> > for Small Business Server
> > Service Pack 2
> >
> > Computer:
> > Intel
 
M

MowGreen

Mike,

I've never called in so I can't advice you which option to choose.
I'll call now to see what's offered ... a long blurb about rogue AV
programs ... and then a message to stay on the line is what I got.
Is that what you get ? I'm calling from the US and what you get may
differ if you're located some place else.

MowGreen
===============
*-343-* FDNY
Never Forgotten
===============

banthecheck.com
"Security updates should *not* have *non-security content* prechecked"


netadmin07 wrote:

> Ok. Great. I called but I wasn't sure which extension or route to take,
> because all the options were PC related. Any suggestions?
>
> Thanks.
> MIKE
>
>
>
>
>
> "MowGreen" wrote:
>
>
>>Understood from your original, orphaned post. MS will still offer you
>>no-charge support for getting this 'issue' diagnosed.
>>The choice is yours.
>>
>>
>>MowGreen
>>===============
>> *-343-* FDNY
>>Never Forgotten
>>===============
>>
>>banthecheck.com
>>"Security updates should *not* have *non-security content* prechecked"
>>
>>
>>
>>
>>netadmin07 wrote:
>>
>>
>>>This is NOT a pc.
>>>
>>>
>>>
>>>
>>>Here is the OS info:
>>>
>>>System:
>>>Microsoft Windows Server 2003 x32
>>>for Small Business Server
>>>Service Pack 2
>>>
>>>Computer:
>>>Intel
 
N

netadmin07

I called in and gave them the specs on my server OS and they immediately
transferred me to Server Enterprise Support in which they are trying to
charge me for support.

Does anyone know how to resolve this issue I'm having? I need support
quickly.

Thanks.



"MowGreen" wrote:

> Mike,
>
> I've never called in so I can't advice you which option to choose.
> I'll call now to see what's offered ... a long blurb about rogue AV
> programs ... and then a message to stay on the line is what I got.
> Is that what you get ? I'm calling from the US and what you get may
> differ if you're located some place else.
>
> MowGreen
> ===============
> *-343-* FDNY
> Never Forgotten
> ===============
>
> banthecheck.com
> "Security updates should *not* have *non-security content* prechecked"
>
>
> netadmin07 wrote:
>
> > Ok. Great. I called but I wasn't sure which extension or route to take,
> > because all the options were PC related. Any suggestions?
> >
> > Thanks.
> > MIKE
> >
> >
> >
> >
> >
> > "MowGreen" wrote:
> >
> >
> >>Understood from your original, orphaned post. MS will still offer you
> >>no-charge support for getting this 'issue' diagnosed.
> >>The choice is yours.
> >>
> >>
> >>MowGreen
> >>===============
> >> *-343-* FDNY
> >>Never Forgotten
> >>===============
> >>
> >>banthecheck.com
> >>"Security updates should *not* have *non-security content* prechecked"
> >>
> >>
> >>
> >>
> >>netadmin07 wrote:
> >>
> >>
> >>>This is NOT a pc.
> >>>
> >>>
> >>>
> >>>
> >>>Here is the OS info:
> >>>
> >>>System:
> >>>Microsoft Windows Server 2003 x32
> >>>for Small Business Server
> >>>Service Pack 2
> >>>
> >>>Computer:
> >>>Intel
 
Back
Top Bottom