Bogus Computer Accounts

Guest
Archived from groups: microsoft.public.win2000.security

I have an invalid attempt to log in to my administrator
account with an error ID 681 in my event viewer. The
attempt is made from a computer that does not exist. I
cannot ping, trace or anything to the computer name in
the log. How can I find where this is coming from? Can I
gather additional information in the logs such as MAC
address or IP address? We have a PIX501 firewall in place
with one point of access to our facility. All traffic is
blocked incoming except e-mail and HTTP. That traffic
comes directly to a specific IP only. It is on a separate
server than the invalid attempts. Not sure how to trace
this down. Any help would be appreciated.
 
Guest
Archived from groups: microsoft.public.win2000.security

First scan your firewall from outside the network to make sure that it still is
configured correctly. Ideally your firewall should also by default block all outbound
traffic except that which is authorized. You may either have an infected computer on
the network that possibly has a back door installed in it or somebody is plugging an
unauthorized computer into your network somewhere. To get more thorough information
on the computer where the events are happening, you could install a personal firewall
like Sygate [free to try], disable the firewall and just use it for its logging,
which is pretty extensive, and the logs may give you more clues. Also check your DHCP
leases, WINS database, and DNS host records [if dynamic DNS is used] to see if the
computer name shows up anywhere, which may give you more clues. Since you are hosting
a web server, you may want to run the IIS Lockdown tool on it if you have not already,
being sure to have a full backup of it including the System State and configuration
info via IIS Management console. --- Steve

http://www.microsoft.com/downloads/details.aspx?FamilyID=DDE9EFC0-BB30-47EB-9A61-FD755D23CDEC&displaylang=en
--- IIS Lockdown tool.

"Travis" <twillmon@unitedengines.com> wrote in message
news:1d8f701c45486$c681e950$a601280a@phx.gbl...
> I have an invalid attempt to log in to my administrator
> account with an error ID 681 in my event viewer. The
> attempt is made from a computer that does not exist. I
> cannot ping, trace or anything to the computer name in
> the log. How can I find where this is coming from? Can I
> gather additional information in the logs such as MAC
> address or IP address? We have a PIX501 firewall in place
> with one point of access to our facility. All traffic is
> blocked incoming except e-mail and HTTP. That traffic
> comes directly to a specific IP only. It is on a separate
> server than the invalid attempts. Not sure how to trace
> this down. Any help would be appreciated.
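
The DHCP lease check suggested in the reply above, as an added example that is not part of the original thread: it parses event 681 description text, decodes the error code, and looks each workstation name up in a lease list. The sample events, the three-column CSV lease layout, and every host name and address are constructed assumptions.

```python
import csv
import io
import re
from collections import Counter

# Description text of Security event 681 (Windows 2000 failed account logon).
EVENT_681 = re.compile(
    r"The logon to account:\s*(?P<account>\S+)\s+by:\s*\S+\s+"
    r"from workstation:\s*(?P<ws>\S*)\s+failed\.\s*"
    r"The error code was:\s*(?P<code>\d+)", re.IGNORECASE)

# Event 681 logs the NTSTATUS code in decimal; decode the common ones.
NTSTATUS = {0xC0000064: "user name does not exist",
            0xC000006A: "wrong password",
            0xC0000234: "account locked out"}

# Constructed sample data: event descriptions and a DHCP lease export.
PKG = "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0"
SAMPLE_EVENTS = [
    f"The logon to account: Administrator by: {PKG} from workstation: "
    "\\\\GHOSTPC01 failed. The error code was: 3221225578",
    f"The logon to account: Administrator by: {PKG} from workstation: "
    "ghostpc01 failed. The error code was: 3221225578",
    f"The logon to account: admin by: {PKG} from workstation: "
    "NOSUCHBOX failed. The error code was: 3221225572",
]
SAMPLE_LEASES = ("name,ip,mac\n"
                 "ghostpc01.example.local,192.0.2.57,00-11-22-33-44-55\n"
                 "FRONTDESK,192.0.2.20,00-11-22-AA-BB-CC\n")

def parse_681(description):
    """Return account, workstation and decoded status, or None if no match."""
    m = EVENT_681.search(description)
    if not m:
        return None
    code = int(m["code"])
    return {"account": m["account"],
            "workstation": m["ws"].lstrip("\\").upper(),
            "status": NTSTATUS.get(code, hex(code))}

def load_leases(csv_text):
    """Map short host name (upper case) to a list of (ip, mac) leases."""
    leases = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = row["name"].split(".")[0].upper()
        leases.setdefault(host, []).append((row["ip"], row["mac"]))
    return leases

def correlate(descriptions, leases):
    """Count failures per workstation/account/status and attach any leases."""
    parsed = [e for e in map(parse_681, descriptions) if e]
    hits = Counter((e["workstation"], e["account"], e["status"]) for e in parsed)
    return [{"workstation": ws, "account": acct, "status": st, "count": n,
             "leases": leases.get(ws, [])}  # empty list: name never leased
            for (ws, acct, st), n in hits.most_common()]
```

An empty `leases` list for a workstation means the name was never handed out by DHCP, so the WINS and DNS records mentioned in the reply are the next place to look.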