Glenn, thanks for the help. This is the message on the 2003 & 2000 Servers. I
substituted MYDOMAIN and SERVER NAME for the actual names. That account in
the first message is someone who no longer works here. We also run AS/400
Mainframe, so not sure if that has something to do with it or not. I may be
getting somewhere. The first event post is from the 2003 Server, and the
second is from the 2000 Server (which runs in the same box as the mainframe).
The funny thing is the 2000 has 2 active network adapters: one is for the LAN,
the other is for AS400 internal. However, the AS400 internal connection's
preferred DNS setting is 127.0.0.1, which is a loopback address. I have never
seen this before, so it was new to me. It was set up long before I came here.
But I saw somewhere having 127.0.0.1 as a trusted address in DNS?????? Anyway,
here are the audits.

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 672
Date: 10/22/2004
Time: 8:18:14 AM
User: NT AUTHORITY\SYSTEM
Computer: [2003 SERVER NAME]
Description:
Authentication Ticket Request:
User Name: cdunigan
Supplied Realm Name: [MYDOMAIN].COM
User ID: -
Service Name: krbtgt/[MYDOMAIN].COM
Service ID: -
Ticket Options: 0x40810010
Result Code: 0x6
Ticket Encryption Type: -
Pre-Authentication Type: -
Client Address: 10.208.70.103
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 10/21/2004
Time: 4:58:28 PM
User: NT AUTHORITY\SYSTEM
Computer: [2000 SERVER NAME]
Description:
Pre-authentication failed:
User Name: supervisor
User ID: [MYDOMAIN]\supervisor
Service Name: krbtgt/[MYDOMAIN].COM
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 127.0.0.1
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

"Glenn L" wrote:
> Open the event in Event Viewer.
> Click the button under the down arrow. Looks like a notepad.
>
> This copies the event to clipboard.
> Then you can paste to the thread
>
> --
> Glenn L
> CCNA, MCSE 2000, MCSE 2003 + Security
>
>
> "Bobby28" <(E-Mail Removed)> wrote in message
> news 59D0A4A-0B01-406A-9FB9-(E-Mail Removed)...
> > Sorry Glenn how would I do that? When I click the properties of the audit and
> > the box comes up, how do you copy the contents into here? Sorry I am just
> > learning.
> >
> > "Glenn L" wrote:
> >
> > > Please paste the contents of the error into this thread so we can help you
> > > identify what might be happening.
> > >
> > >
> > > --
> > > Glenn L
> > > CCNA, MCSE 2000, MCSE 2003 + Security
> > >
> > >
> > > "Bobby28" <(E-Mail Removed)> wrote in message
> > > news:ABF4C30A-EC82-4359-ADED-(E-Mail Removed)...
> > > > My 2 servers are getting slammed with failure audits. I can clear the
> > > > security log in event viewer and then refresh and there are already 400
> > > > failure audits. Each time I refresh there are more and more. Is this some
> > > > type of dictionary attack????? The event ids are showing user accounts that
> > > > don't exist, however they seem to be coming from only Windows 2000 machines (2
> > > > of them to be exact). The rest are XP and I have my 2 servers, a 2000 and
> > > > 2003. I had been playing with mltest the other day, could that have caused
> > > > this problem?
> > >
> > >
> > >
>
>
>
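
As an added example (not part of the original thread), a small Python triage script for pasted 672/675 events like the two above: it groups failures by client address and Kerberos error code, so the source hosts and the account names they present stand out when the log fills with hundreds of entries. The sample events, user names and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Kerberos error codes (RFC 4120) that appear in the two events above.
KRB_ERRORS = {
    0x6: "KDC_ERR_C_PRINCIPAL_UNKNOWN (user name not found in the domain)",
    0x18: "KDC_ERR_PREAUTH_FAILED (pre-authentication failed, usually a wrong password)",
}

# Constructed sample in the Event Viewer clipboard layout; names and addresses are made up.
SAMPLE = """\
Event ID: 672
User Name: olduser
Result Code: 0x6
Client Address: 192.0.2.10
Event ID: 672
User Name: OldUser
Result Code: 0x6
Client Address: 192.0.2.10
Event ID: 675
User Name: svcaccount
Failure Code: 0x18
Client Address: 127.0.0.1
"""

FIELD = re.compile(r"(?m)^[ \t]*(Event ID|User Name|Result Code|Failure Code|Client Address):[ \t]*(\S+)")

def parse_events(text):
    """Return one dict per 672/675 event found in pasted Event Viewer text."""
    events = []
    for chunk in re.split(r"(?m)^(?=[ \t]*Event ID:)", text):
        fields = dict(FIELD.findall(chunk))
        if fields.get("Event ID") not in ("672", "675"):
            continue
        code = fields.get("Result Code") or fields.get("Failure Code")
        events.append({"user": fields.get("User Name", "?").lower(),
                       "code": int(code, 16) if code else -1,
                       "client": fields.get("Client Address", "?")})
    return events

def summarize(events):
    """Map (client address, error code) -> (failure count, distinct user names)."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["client"], e["code"])].append(e["user"])
    return {k: (len(v), sorted(set(v))) for k, v in groups.items()}

if __name__ == "__main__":
    for (client, code), (n, users) in sorted(summarize(parse_events(SAMPLE)).items()):
        print(f"{client:15} {KRB_ERRORS.get(code, hex(code))}: {n} failures, users {users}")
```

A client address of 127.0.0.1 means the request originated on the logging server itself, so the summary separates locally generated failures from those sent by workstations.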