Event Viewer - Security Log


CCI Helpdesk

Folks,

We are seeing this entry in the Security log of our event viewer on one of
our servers.

It is usually followed by a failed attempt to log in with a standard user
account.
The account usually gets "locked out".

This is what we see prior to the "lock out"

Logon Failure:
Reason: Unknown user name or bad password
User Name: isdiua
Domain: CCI-USA
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM

Has anyone seen this before? Is someone piggybacking on someone's login to the
network from a remote computer?

Please advise.

CCI Helpdesk.
 

Roger Abell [MVP]

There is no way to tell you what is happening from the
info provided, except that a valid account is being tried
with an invalid password (based on what you said) and
that it is using NTLM instead of Kerberos to attempt a
network login (such as share access). Other events
recorded should be showing you the machine name of
the origin of the attempts.
This might be something as simple as that account
having recently undergone a password change but
the account is used interactively and has shares that
are defined to be persistent (and are now using the
wrong password).

Roger

"CCI Helpdesk" <CCIHelpdesk@discussions.microsoft.com> wrote in message
news:C65AA1F4-18F8-4152-9D42-D97E4DD69D74@microsoft.com...
 

CCI Helpdesk

Roger,

Thanks - this is a Citrix Server - we do not have an account "isdiua" in our
domain by that name.

Unless it is some acronym for a Microsoft service?

It is like we are "hit" with that login as an initial login attempt for a
non-account, then attempting to use our Helpdesk account to log in. After that
the next entry shows the Helpdesk account has been locked out. It looks like
we are being probed with some password attack agent - is there a way to
detect that?

We are trying to figure out how the "vermin" are attempting to use the
single logon NTLM authentication to gain access.

Thanks
CCI Helpdesk


"CCI Helpdesk" wrote:

 

jwgoerlich@gmail.com

That is strange. Is Vnc installed on this Citrix server, by chance?

J Wolfgang Goerlich

On Sep 6, 11:20 am, CCI Helpdesk
<CCIHelpd...@discussions.microsoft.com> wrote:
 

CCI Helpdesk

JWG,

Yes, we have UltraVNC installed.

CCI


"jwgoerlich@gmail.com" wrote:

 

jwgoerlich@gmail.com

If I recall correctly, UltraVNC tests to see if the Guest user is
enabled by logging on as "isdiua". This user account does not exist,
of course, and hence the "Unknown user name" failure. When Guest is
enabled, the isdiua will login with guest access (even though the
account does not exist).

So, my guess is someone is attempting to login over Vnc with the
Helpdesk account. UltraVNC first tries guest access, which fails, and
then tries explicit Helpdesk credentials.

If this happens regularly, then you could use TCPView. Run it on the
Citrix server and watch which TCP connections open at the time the
event occurs. Watch to see which IP address is attempting the Vnc
connection.

Regards,

J Wolfgang Goerlich


TCPView for Windows v2.4
http://www.microsoft.com/technet/sysinternals/Networking/TcpView.mspx
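As an added example (not code from the thread, from UltraVNC or from Sysinternals), the script below does the correlation Roger and Wolfgang describe, but over exported Security-log text instead of by eye: it counts failures for names that do not exist per Workstation Name (the field that shows where the attempts originate), and it flags a network (Logon Type 3, NTLM) failure for a non-existent name that is followed within a few seconds by a failure for a real account from the same workstation, which is the guest-probe-then-real-credentials sequence described above. The log text, its timestamps, the PA-LAPTOP7 workstation and the KNOWN_ACCOUNTS set are constructed for the example; the entry layout follows the events posted in this thread.

```python
import re
from datetime import datetime

# Constructed sample in the "Logon Failure:" layout quoted in the thread.
# A "Time:" line is added to each entry (Event Viewer keeps the time in its
# own column).  Times, the PA-LAPTOP7 workstation and the account names other
# than "isdiua" are made up for this example.
SAMPLE_LOG = """\
Logon Failure:
Time: 15:38:12
Reason: Unknown user name or bad password
User Name: isdiua
Domain: CCI-USA
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: PA-GRAPEFRUIT

Logon Failure:
Time: 15:38:13
Reason: Unknown user name or bad password
User Name: helpdesk
Domain: CCI-USA
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: PA-GRAPEFRUIT

Logon Failure:
Time: 15:40:05
Reason: Unknown user name or bad password
User Name: isdiua
Domain: CCI-USA
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: PA-LAPTOP7
"""

# Accounts that really exist in the domain (constructed; in practice this
# comes from a directory query).  Names are compared case-insensitively.
KNOWN_ACCOUNTS = {"helpdesk", "boris"}


def parse_events(text):
    """Turn exported Event Viewer text into one dict per 'Logon Failure:' entry,
    sorted by time.  Lines are 'Key: Value'; the bare header line is skipped."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and value.strip():
                fields[key.strip()] = value.strip()
        if "User Name" in fields and "Time" in fields:
            fields["_t"] = datetime.strptime(fields["Time"], "%H:%M:%S")
            events.append(fields)
    events.sort(key=lambda e: e["_t"])
    return events


def unknown_name_failures_by_workstation(events, known_accounts):
    """Count failures for names that do not exist, keyed by Workstation Name:
    the field that shows which machine the attempts are coming from."""
    counts = {}
    for e in events:
        if e["User Name"].lower() not in known_accounts:
            ws = e.get("Workstation Name", "?")
            counts[ws] = counts.get(ws, 0) + 1
    return counts


def find_probe_sequences(events, known_accounts, window_seconds=30):
    """Flag the UltraVNC-style pattern: a network (Logon Type 3) failure for a
    non-existent name, then a failure for a real account from the same
    workstation within window_seconds.  A lone probe with no follow-up is not
    reported here (it still shows up in the per-workstation counts)."""
    hits = []
    for i, probe in enumerate(events):
        if probe["User Name"].lower() in known_accounts or probe.get("Logon Type") != "3":
            continue
        for follow in events[i + 1:]:          # events are sorted by time
            gap = (follow["_t"] - probe["_t"]).total_seconds()
            if gap > window_seconds:
                break
            if (follow.get("Workstation Name") == probe.get("Workstation Name")
                    and follow["User Name"].lower() in known_accounts):
                hits.append({"source": probe.get("Workstation Name"),
                             "probe_user": probe["User Name"],
                             "target_user": follow["User Name"],
                             "seconds_apart": gap})
                break
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("unknown-name failures per workstation:",
          unknown_name_failures_by_workstation(evs, KNOWN_ACCOUNTS))
    for h in find_probe_sequences(evs, KNOWN_ACCOUNTS):
        print(f"probe from {h['source']}: {h['probe_user']} then "
              f"{h['target_user']} {h['seconds_apart']:.0f}s later")
```

Feed it text saved from Event Viewer rather than the constructed sample. The per-workstation counts answer the "which remote computer" question from the log alone, without having to catch the connection live in TCPView; the pair detector separates a client that merely ran the guest probe (the PA-LAPTOP7 entry) from one that went on to try a real account, which is the case that ends in a lockout.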

On Sep 6, 1:02 pm, CCI Helpdesk
<CCIHelpd...@discussions.microsoft.com> wrote:
 

CCI Helpdesk

J Wolfgang Goerlich,

That may be the culprit... if it is the "guest" service of UltraVnc, then
that may be it.

I launched the TCPViewer - "locked" the account - closed VNC - then went
back in...

Logged back in... I saw the "isdiua" attempt followed by my login.

Even though I logged in with a valid account I still got the following
"failure audits" in the Security Event Log:

Logon Failure:
Reason: Unknown user name or bad password
User Name: isdiua
Domain: CCI-USA
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: PA-GRAPEFRUIT


by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: PA-GRAPEFRUIT
failed. The error code was: 3221225

and the ...

Logon Failure:
Reason: Unknown user name or bad password
User Name: boris
Domain: PA-GRAPEFRUIT
Logon Type: 2
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: PA-CITRIX02


Maybe it is the VNC?

Any thoughts?

Thanks - CCI Helpdesk

"jwgoerlich@gmail.com" wrote:

 

jwgoerlich@gmail.com

When you say that you "closed VNC - then went back in", how are you
going back in? Is this on the server console itself, over Vnc, or over
an ICA or RDP connection?

On Sep 6, 3:40 pm, CCI Helpdesk
<CCIHelpd...@discussions.microsoft.com> wrote:
 

CCI Helpdesk

J Wolfgang Goerlich,

I "locked" the login - then closed the VNC application - then went back in
via VNC.

Then saw the 3 "failure audits" with the info below - I was able to login to
VNC and the server without any issues.

TCPViewer does not have a time stamp... the event viewer did match up to
the times that I logged in - it is so weird.

-CCI Helpdesk.

"jwgoerlich@gmail.com" wrote:

 

jwgoerlich@gmail.com

Alright. Please stop Vnc on the server and connect from your client
machine to the server via published desktop or Rdp. Are the failure
audit events logged? If not, then this points directly to Vnc.

Regarding TCPView, I meant that you could use it to determine the IP
address of who is attempting the Vnc connection with the helpdesk
credentials. In your current testing, since you already know that it
is your machine making the connection, there is not much reason to use
TCPView.

J Wolfgang Goerlich

On Sep 6, 4:02 pm, CCI Helpdesk
<CCIHelpd...@discussions.microsoft.com> wrote:
 