Last week, in our NT security logs, I noticed that there were repeated attempts
by a logged-in user to access restricted directories on our data drive. At the
same time, I noticed that there were several login attempts from unknown users at
unknown domains.
Here is what we have:
NT Server 4.0 SP4.0
Win 95/98 Clients
Static TCP/IP network addresses
Individual ISP dial-ups into individual computers.
Here is what I know:
– After the ISPs have been disconnected, we are still getting repeated attempts
on the server from these users.
– All of the computers have tested negative for viruses.
– The users that are accessing these files are not “problem” users. In fact, one
of the attempts was after everyone had gone home for the night.
– All of the computers have been patched with the latest security updates.
– The attempts run the entire shared drive, every 2 hours.
Here is what I have done to try to isolate the problem:
– I have run anti-virus software on the PCs on the network and they show nothing
infected. (On the machines where the logins and access requests are originating
I’ve run thorough scans via McAfee clinic)
– I have readdressed the network with a new TCP/IP address (We use static
addressing). NOTE: Since readdressing, there don’t seem to be any more “alien” logins.
Here are my questions:
– Is there some kind of system problem on the server that would make it look like
a user was repeatedly attempting to access the directories?
– Is there a way that an access can be made even though the Dial-up connections
are closed?
– Is it possible that through some fluke, we are being seen as part of another
network?
I’m not sure if I am missing the obvious here somewhere. Any help would be
greatly appreciated.
Thanks!
Alyson