NT Logon Security Auditing (Part II)

By matt_falenski
I guess what I should have asked was if there is a program that can tell me who is trying to hack into a server.
I get this info:

Logon Failure:
Reason: Unknown user name or bad password
User Name: Robert
Domain: DOUG.COM (sometimes RLD)
Logon Type: 3
Logon Process: NtLmSsp Authentication Package:MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name:\\DOUG

This IS NOT a machine on my network.
This IS NOT a user on my network.

The Workstation name: \\DOUG does me no good. I need to get an IP address instead.
Any ideas?


by DC1 In reply to NT Logon Security Auditin ...

Did someone plug a home laptop into your network? Do you have access to the internet? Can you do an nslookup for doug.com? If so, you will get the IP address that way.


by matt_falenski In reply to NT Logon Security Auditin ...

No on the laptop, doug.com didn't help, probably just put that in their config.


by Phinaddict In reply to NT Logon Security Auditin ...

Try to download BlackICE Defender. If they are doing any suspicious activity it will give you the machine name and IP address of the intruder. You can then use NeoTrace to track them to their ISP, location, etc.


by matt_falenski In reply to NT Logon Security Auditin ...

I need something for numerous PCs


by calves In reply to NT Logon Security Auditin ...

Look @ your RAS/RRAS monitor/log to see if someone could be coming in through your RAS/RRAS or VPN.
If you have an IIS Server, you might consider saving those error messages and disallowing those particular Domains to come into your WEB.

Good Luck!


by matt_falenski In reply to NT Logon Security Auditin ...

No, looks like someone trying to hack in.


by carlec In reply to NT Logon Security Auditin ...

Most likely the computer DOUG is on your LAN somewhere, since the Logon Type 3 is an attempt to connect via the Network.

IF the Server is connected to the Internet (a Web Server) and you have secured content that pops a logon dialog to the Web Client then it may be just someone on the Internet being denied access. IF the Server is NOT connected to the Internet then it must be on your wire. And if it is on your wire then it must have an IP Address in your network range, and what would knowing the IP Address it is using gain you?

A local machine logon by username ROBERT to a machine named DOUG that was on your wire with an IP Address in your range, and running the Microsoft Client, who simply attempted to view the shares on the Server using Network Neighborhood / Explorer and failed to enter a valid Domain\Username and Password would generate this Log Entry.

IF DOUG is not sharing files or printers (win 9x) or is NT and not running the Server Service, or started the Server Service /hidden it will


by matt_falenski In reply to NT Logon Security Auditin ...

Still don't know how to find out more info, but thanks.
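
Added example (not part of the thread and not any poster's code): a Python script that parses failure records in the text layout quoted in the first post and groups them by reported workstation name and user across several servers' exported logs. The server names `SRV1`/`SRV2`, the `alice`/`CORP`/`WS042` record and the idea that each server's log is available as exported text are constructed assumptions.

```python
import re
from collections import defaultdict

# Field labels exactly as they appear in the failure record quoted in the thread.
LABELS = "|".join(["Reason", "User Name", "Domain", "Logon Type", "Logon Process",
                   "Authentication Package", "Workstation Name"])
# A value ends at the next known label or at end of line, so the line
# "Logon Process: NtLmSsp Authentication Package:..." yields two fields.
FIELD_RE = re.compile(r"(%s):[ \t]*(.*?)(?=[ \t]*(?:%s):|$)" % (LABELS, LABELS), re.M)
LOGON_TYPES = {"2": "Interactive", "3": "Network"}

def parse_failures(text):
    """Return one dict per 'Logon Failure:' record found in exported log text."""
    records = []
    for chunk in text.split("Logon Failure:")[1:]:
        rec = {label: value.strip() for label, value in FIELD_RE.findall(chunk)}
        # Normalise "\\DOUG" -> "DOUG". The name is reported by the client itself.
        rec["Workstation Name"] = rec.get("Workstation Name", "").lstrip("\\").upper()
        records.append(rec)
    return records

def summarize(exports):
    """exports maps server name -> exported text; group failures across servers."""
    summary = defaultdict(lambda: {"count": 0, "servers": set(),
                                   "domains": set(), "types": set()})
    for server, text in exports.items():
        for rec in parse_failures(text):
            entry = summary[(rec["Workstation Name"], rec.get("User Name", ""))]
            entry["count"] += 1
            entry["servers"].add(server)
            entry["domains"].add(rec.get("Domain", ""))
            logon_type = rec.get("Logon Type", "")
            entry["types"].add(LOGON_TYPES.get(logon_type, logon_type))
    return dict(summary)

# Constructed sample data: SRV1, SRV2, alice, CORP and WS042 are made up.
RECORD = ("Logon Failure:\nReason: Unknown user name or bad password\n"
          "User Name: {user}\nDomain: {domain}\nLogon Type: 3\n"
          "Logon Process: NtLmSsp Authentication Package:"
          "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\nWorkstation Name:\\\\{ws}\n\n")
SAMPLE = {
    "SRV1": RECORD.format(user="Robert", domain="DOUG.COM", ws="DOUG")
            + RECORD.format(user="Robert", domain="RLD", ws="DOUG"),
    "SRV2": RECORD.format(user="Robert", domain="DOUG.COM", ws="DOUG")
            + RECORD.format(user="alice", domain="CORP", ws="WS042"),
}

if __name__ == "__main__":
    ranked = sorted(summarize(SAMPLE).items(), key=lambda kv: -kv[1]["count"])
    for (workstation, user), info in ranked:
        print(workstation, user, info["count"], sorted(info["servers"]),
              sorted(info["domains"]), sorted(info["types"]))
```

The record carries no source address, so the grouping shows which servers a given workstation/user pair has been failing against rather than where it connects from.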
