Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Failed admin logins

from [McKee, Graydon] Network Security [Permanent Link]
Subject: RE: Failed admin logins
Date: Sat, 20 Nov 2004 19:19:43 -0500 
Understanding that my suggestion may not always be possible - pull the plug and
wait to see who screams.  Outside of that you could check the audit logs as has
been suggested or sniff the packets going to that machine and isolate who is
communicating with that box with the logs of when the login occurs.  Once you
know who is talking you can then examine that box to see what would need to
interact with the server in question.  

Graydon McKee - GSEC
Senior Security Architect, Federal Information Security Practice
Unisys  US Federal Government Group
Office: 703-439-5991   Fax: 703-439-3216
Mobile: 240-472-7148 

I have recently changed my digital signature, please update your settings if you
have saved my previous one. Thank You. 

 


-----Original Message-----
From: GuidoZ [mailto:uberguidoz@gmail.com] 
Sent: Friday, November 19, 2004 6:01 AM
To: Joe Quigley
Cc: security-basics@securityfocus.com
Subject: Re: Failed admin logins

Is auditing enabled (or possible)? By auditing failed attempts, then
checking the logs in the event viewer, it should lead you right to the
source.

--
Peace. ~G


On Thu, 18 Nov 2004 13:30:33 -0500, Joe Quigley
<jquigley@iir-central.com> wrote:

Hello,

I have a machine that is trying to log in as the domain administrator
but can't figure out what application/service is doing it. I've checked
all the services that login as administrator (yes, very bad idea to use
admin for services, I inherited this setup) but that does not seem to be
the problem as the services start. I even retyped the password in the
services applet just to be sure. Anyone have any thoughts on how to
track down the source of this rogue login??

Thanks in advance,

Joe

Attachment: smime.p7s
Description: S/MIME cryptographic signature

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Securing Printers, Corey Watts-Jones
Next by Date:  FW: HIPAA training, Newberry, Julie S
Previous by Thread:  RE: Failed admin logins, Handy, Mark (IT)
Next by Thread:  RE: Failed admin logins, Burton M. Strauss III
Indexes:  [Date] [Thread] [Top] [All Lists]