netadmin07
"Why it was trying to use an account called "Secret" I have no idea, but it
sure was a suspicious name. Well I don't believe it's anything malicious, so I
have disabled the service, I wasn't using that function anyways. Very
strange."
I don't think an Adaptec service would use a login username called "secret".
This has been happening to our server too. I have also researched it
online and have found a ton of people that are being hit with this possible
attack. I need to figure out which IP address this is coming from. Can
someone please help me with this? This pattern seems to be that of a hacker
or process attempting to access our mail server in order to install a virus
or some type of malicious software.
It seems that it will just be a matter of time for this process to figure
out a username and password match, and then it will have access into our
server.
Should I follow this link someone posted? They are indicating an attack and
how to go about debugging it. I really need to know how to debug this issue.
(http://blogs.msdn.com/puneetgupta/archive/...exe-advapi.aspx)
Caller Process ID: 1972
Process: INETINFO.EXE
It has been going on as follows:
Event Viewer:
>Security
>>Failure Audit
=====================================
1st Time (227 Attempts)
=====================================
8/30/2009
10:35 AM - 2:33 PM
Logon Failure:
Reason: Unknown user name or bad password
User Name: guest
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: GLVSR05
Caller User Name: GLVSR05$
Caller Domain: GLVSROPS
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1972
Transited Services: -
Source Network Address: -
Source Port: -
=====================================
2nd Attempt (1 Attempt)
=====================================
8/31/2009
1:30 PM
Logon Failure:
Reason: Account currently disabled
User Name: test
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: GLVSR05
Caller User Name: GLVSR05$
Caller Domain: GLVSROPS
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1972
Transited Services: -
Source Network Address: -
Source Port: -
=====================================
3rd Attempt (37 Attempts)
=====================================
9/1/2009
5:09 PM
Logon Failure:
Reason: Unknown user name or bad password
User Name: webmaster
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: GLVSR05
Caller User Name: GLVSR05$
Caller Domain: GLVSROPS
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1972
Transited Services: -
Source Network Address: -
Source Port: -
=====================================
Thanks for the assistance,
--
Mike Spade
IT Supervisor, Network & Operations
Global Logistics Village, Inc.
(925) 543-0271
Mike.Spade@glovill.com
"Steven L Umbach" wrote:
> Excellent. Mystery solved. Curious that the account name was secret as you
> said. Anyhow good job and thanks for reporting back what worked! --- Steve
>
>
> "Samhain_Knight" wrote in message
> news:5869C896-F63C-4EFF-B601-EE67C466725E@microsoft.com...
> >I found the service that was causing the event. I started restarting
> > non-essential services one by one until I found the service that was
> > generating the security event. It turned out to be a service from Adaptec.
> > The server has an Adaptec RAID card. I installed Adaptec's RAID management
> > utility on the server also. It is a browser-based utility to manage your
> > RAID. It installs 3 services; one named "Adaptec Storage Manager Notifier"
> > was set to log on as local service and would generate the event every time
> > I restarted it. Why it was trying to use an account called "Secret" I have
> > no idea, but it sure was a suspicious name. Well I don't believe it's
> > anything malicious, so I have disabled the service, I wasn't using that
> > function anyways. Very strange.
> >
> > Thanks a lot Steve for your help, you definitely pointed me in the right
> > direction on this! Great advice!
> > Keep on Keepin' On.
> > "Steven L Umbach" wrote:
> >
> >> There is a free tool from SysInternals called Autoruns that may help you,
> >> as it certainly looks like it is a local startup process. It shows the
> >> various start-up programs that are on your computer and also gives you
> >> the ability to disable them individually, which you may need to do in a
> >> trial-and-error method to try and track down what is causing your
> >> problem. It also could be a non-essential service that is not used to
> >> boot into safe mode. Use services.msc to check your services and look in
> >> the "Log On As" column to see if you can see anything there that may
> >> help. You can also selectively disable services with msconfig. If you are
> >> using Windows 2000 you will not have msconfig but you can download it
> >> from the internet. --- Steve
> >>
> >> http://www.sysinternals.com/Utilities/Autoruns.html --- Autoruns
> >> http://www.perfectdrivers.com/howto/msconfig.html --- Msconfig
> >>
> >> "Samhain_Knight" wrote in message
> >> news:F64A7BF1-543A-4F21-932D-94BD7FD84E0E@microsoft.com...
> >> >I cleared the event log, shut down, unplugged the network cable, powered
> >> > on, and logged in using domain credentials. The same event is shown for
> >> > user "Secret". I then rebooted and logged into safe mode, keeping the
> >> > network cable unplugged, and I didn't receive the event? Since the cable
> >> > is unplugged, this must be a local process generated on the server?
> >> > There are no mapped drives on this server either? Any more input would
> >> > be appreciated!
> >> >
> >> > Thanks!!!
> >> >
> >> > "Steven L Umbach" wrote:
> >> >
> >> >> Try booting into safe mode to see whether those events are recorded or
> >> >> not. More than likely something is using that user account. You could
> >> >> also try rebooting with the computer disconnected from the network to
> >> >> see if those events are recorded, and if they are you know for sure it
> >> >> is internally generated. I would also be sure to run a full system scan
> >> >> for malware. There is a tool that is used to troubleshoot account
> >> >> lockouts that may help, as it creates a log that shows when a user is
> >> >> trying to authenticate and the associated process, with times recorded
> >> >> to match to the security log. Also check to see if any mapped drives
> >> >> have persistent credentials associated with them. The link below is to
> >> >> the alockout.dll tool [be sure to read warning] and other documentation
> >> >> and tools that normally are used to track domain account lockouts but
> >> >> still have helpful information. I would also temporarily enable
> >> >> auditing of object access, privilege use, and process tracking for
> >> >> failure on that server to see if that helps pinpoint what is going on.
> >> >> --- Steve
> >> >>
> >> >>
> >> >>
> >> >>
> >> >> "Samhain_Knight" wrote in
> >> >> message
> >> >> news:F8BC53E0-A105-4EDA-9BEB-90A614273641@microsoft.com...
> >> >> > I'm trying to track down a user logon attempt on one of my servers.
> >> >> > W2k AD environment.
> >> >> > Whenever I reboot one of my member servers I get an event 681/529.
> >> >> > What scares me is that the username attempting to logon is called
> >> >> > "secret". I know for sure it's not a domain user account nor a local
> >> >> > user account on the server. I'm trying to find more info on this
> >> >> > user. I only receive this event when I reboot the server, as if it's
> >> >> > a service starting up. I don't see any unknown services running on
> >> >> > the server though? Any suggestions how to best troubleshoot this?
> >> >> > Here's a copy of the event:
> >> >> >
> >> >> > Event Type: Failure Audit
> >> >> > Event Source: Security
> >> >> > Event Category: Logon/Logoff
> >> >> > Event ID: 529
> >> >> > Date: 6/11/2005
> >> >> > Time: 9:10:31 AM
> >> >> > User: NT AUTHORITY\SYSTEM
> >> >> > Computer: EVANS10
> >> >> > Description:
> >> >> > Logon Failure:
> >> >> > Reason: Unknown user name or bad password
> >> >> > User Name: Secret
> >> >> > Domain:
> >> >> > Logon Type: 2
> >> >> > Logon Process: Advapi
> >> >> > Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> >> >> > Workstation Name: "member server"
> >> >> >
> >> >> > Event Type: Failure Audit
> >> >> > Event Source: Security
> >> >> > Event Category: Account Logon
> >> >> > Event ID: 681
> >> >> > Date: 6/11/2005
> >> >> > Time: 9:10:31 AM
> >> >> > User: NT AUTHORITY\SYSTEM
> >> >> > Computer: member server
> >> >> > Description:
> >> >> > The logon to account: Secret
> >> >> > by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> >> >> > from workstation: member server
> >> >> > failed. The error code was: 3221225572
> >> >> >
> >> >> > Thanks
> >> >> >
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>
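As an added example, not code from anyone in this thread: a small Python script that parses Failure Audit bodies in the layout Mike posted above, groups them by Workstation Name and Caller Process ID, and applies the thread's own reasoning to each group. A recorded Source Network Address is something to chase off-box; a Caller Process ID with no source address (the case in all three of Mike's entries, and in the Adaptec service case earlier in the thread) means the logon was requested by a process on the server itself, so the PID is what to resolve. The sample input is constructed: Mike's three entries reduced to the fields the script reads, plus one made-up entry with a network source (192.0.2.10, a documentation address, and the WS-CONSTRUCTED workstation name) so the contrast is visible. The Logon Type table holds the standard Windows audit values; only 2 and 3 appear on this page.

```python
import re

# Windows security-audit Logon Type codes. Types 2 and 3 are the ones seen in
# this thread; the others are the standard documented values.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

# Constructed sample: the three Failure Audit bodies from the thread, reduced
# to the fields this script reads, plus one constructed entry that carries a
# Source Network Address (192.0.2.10 is a documentation address) for contrast.
SAMPLE_LOG = """\
Logon Failure:
User Name: guest
Logon Type: 3
Workstation Name: GLVSR05
Caller Process ID: 1972
Source Network Address: -

Logon Failure:
User Name: test
Logon Type: 3
Workstation Name: GLVSR05
Caller Process ID: 1972
Source Network Address: -

Logon Failure:
User Name: webmaster
Logon Type: 3
Workstation Name: GLVSR05
Caller Process ID: 1972
Source Network Address: -

Logon Failure:
User Name: administrator
Logon Type: 3
Workstation Name: WS-CONSTRUCTED
Caller Process ID: -
Source Network Address: 192.0.2.10
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")

def parse_events(text):
    """Split the text into blocks starting at 'Logon Failure:' and read each
    'Field: value' line into a dict; empty values (e.g. 'Domain:') become '-'."""
    events, current = [], None
    for line in text.splitlines():
        if line.strip() == "Logon Failure:":
            current = {}
            events.append(current)
        else:
            m = FIELD_RE.match(line)
            if current is not None and m:
                current[m.group(1).strip()] = m.group(2).strip() or "-"
    return events

def summarize(events):
    """Group failures by (workstation, caller PID) and collect what was tried."""
    groups = {}
    for ev in events:
        key = (ev.get("Workstation Name", "-"), ev.get("Caller Process ID", "-"))
        g = groups.setdefault(key, {"workstation": key[0], "caller_pid": key[1],
                                    "count": 0, "users": set(),
                                    "logon_types": set(), "sources": set()})
        g["count"] += 1
        g["users"].add(ev.get("User Name", "-"))
        g["logon_types"].add(ev.get("Logon Type", "-"))
        g["sources"].add(ev.get("Source Network Address", "-"))
    return groups

def classify(group):
    """Where to look next, following the thread's reasoning: a recorded network
    source points off-box; a caller PID with no source address points at a
    process running on the server itself."""
    if group["sources"] - {"-"}:
        return "remote: investigate Source Network Address"
    if group["caller_pid"] != "-":
        return "local: resolve Caller Process ID on the server"
    return "undetermined: enable process-tracking and logon auditing"

def report(text):
    """One summary line per (workstation, caller PID) group."""
    lines = []
    for g in summarize(parse_events(text)).values():
        types = ", ".join(f"{t} ({LOGON_TYPES.get(int(t), '?')})"
                          for t in sorted(g["logon_types"]) if t.isdigit())
        sources = sorted(g["sources"] - {"-"}) or ["none"]
        lines.append(f"{g['workstation']} pid={g['caller_pid']} "
                     f"failures={g['count']} users={sorted(g['users'])} "
                     f"logon_types=[{types}] sources={sources} -> {classify(g)}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against a saved copy of the event descriptions, the script reports one line per caller. For a "local" group the next step is the one Mike already took: map the PID to an image on the server while it is still running (for example `tasklist /FI "PID eq 1972"` on the box), remembering that PIDs are reused across reboots, so the match has to be made against a live process at the time the events are being written. Several distinct user names tried by a single caller process with no source address is exactly the shape that looks like a brute force in the log but, as the earlier posts in this thread show, can equally be a local service or a front-end process authenticating on behalf of its own clients; resolving the PID settles which it is.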