Network Security NTBugtraq

Events from one domain logged on a different domain's DC

Subject: Events from one domain logged on a different domain's DC
Date: Tue, 7 Dec 2004 16:22:48 -0800
Ok, here is a real stupid scenario and question if anyone can help explain the 
behavior.

I have 2 Windows 2000 domains, DomainA and DomainB, NO trust relationship 
exists between the two domains and both are on different subnets separated by 
firewalls.  The FQDNs are DomainA.ACME.COM and DomainB.ACME.COM respectively.  
DomainA has success/failure audit enabled for account logon/logoff etc, DomainB 
does not, in fact no auditing is enabled in DomainB.  There is a user JDoe in 
DomainB who logs on and off a Windows XP Pro SP2 workstation every day (machine 
name JDoe-PC), there is no account for JDoe or JDoe-PC in DomainA.  Every now 
and again with no particular consistency, or at least not that I have been able 
to identify yet, domain controllers in DomainA record in the security log 
failure 'logon/logoff' event 681 with the following message:

The logon to account: JDoe
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: JDoe-PC
failed. The error code was: 3221225572

And an event 529 as follows:

Logon Failure:
 Reason:  Unknown user name or bad password
 User Name: JDoe
 Domain:  DomainB
 Logon Type: 3
 Logon Process: NtLmSsp 
 Authentication Package: NTLM
 Workstation Name: JDoe-PC

Both events are logged at the same time.  No connection was ever established 
(even temporary with alternate credentials) from JDoe-PC to any of the devices 
in DomainA.

This article http://support.microsoft.com/?kbid=837142 describes the exact 
event id 681 and message and has a 'hotfix', however, makes no mention of the 
scenario I'm seeing i.e. the events get recorded on a DC in a completely 
different domain.  I have not yet obtained the hotfix, figured first should try 
to "ask the audience" and if I understand correctly this was fixed in SP2, 
which I've already tried to re-apply, but to no avail.  Please let me know if 
anyone has seen anything like this before.  Thank you.

Regards,

Boris
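
A triage sketch for the two events quoted in the message above, added here as an example and not part of the original post. It decodes the decimal error code in event 681 to its NTSTATUS value, pairs it with the matching event 529, and flags attempts whose Domain field is not the DC's own domain. The function names and the `SAMPLE` list (the quoted event text with event IDs prepended) are constructed for illustration.

```python
import re

# Well-known NTSTATUS logon failure codes; event 681 prints them in decimal.
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Constructed sample: the two event bodies quoted in the post, tagged with their IDs.
SAMPLE = [
    (681, "The logon to account: JDoe\nby: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
          "from workstation: JDoe-PC\nfailed. The error code was: 3221225572"),
    (529, "Logon Failure:\n Reason:  Unknown user name or bad password\n"
          " User Name: JDoe\n Domain:  DomainB\n Logon Type: 3\n"
          " Logon Process: NtLmSsp \n Authentication Package: NTLM\n"
          " Workstation Name: JDoe-PC"),
]

def decode_681(text):
    """Return (account, workstation, hex status, status name) from an event 681 body."""
    acct = re.search(r"logon to account:\s*(\S+)", text).group(1)
    wks = re.search(r"from workstation:\s*(\S+)", text).group(1)
    code = int(re.search(r"error code was:\s*(\d+)", text).group(1))
    return acct, wks, f"0x{code:08X}", NTSTATUS.get(code, "UNKNOWN")

def parse_529(text):
    """Turn the 'Field: value' lines of an event 529 body into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if sep and val.strip():  # skips the bare "Logon Failure:" heading
            fields[key.strip()] = val.strip()
    return fields

def triage(events, local_domain):
    """Pair 681/529 failures by (user, workstation); flag foreign-domain attempts."""
    decoded = {decode_681(t)[:2]: decode_681(t)[2:] for i, t in events if i == 681}
    findings = []
    for f in (parse_529(t) for i, t in events if i == 529):
        key = (f["User Name"], f["Workstation Name"])
        findings.append({"user": key[0], "workstation": key[1], "domain": f["Domain"],
                         "logon_type": int(f["Logon Type"]),  # 3 = network logon
                         "status": decoded.get(key, (None, None)),
                         "foreign_domain": f["Domain"].lower() != local_domain.lower()})
    return findings
```

Calling `triage(SAMPLE, "DomainA")` yields one finding with status `0xC0000064` (`STATUS_NO_SUCH_USER`), logon type 3, and `foreign_domain` set.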

  • Events from one domain logged on a different domain's DC, Boris Yakubov <=