Suspicious activity on the network


  • Suspicious activity on the network

    Hi,
    from time to time my NMS alerts me that someone is trying to connect to my SQL server using the account "serviser", which is a domain admin.
    Here is the event log entry:

    An account failed to log on.
    Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0
    Logon Type: 3
    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: serviser
    Account Domain: UF
    Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006d
    Sub Status: 0xc000006a
    Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -
    Network Information:
    Workstation Name: STUDENTPRODEKAN
    Source Network Address: 172.21.21.90
    Source Port: 2338
    Detailed Authentication Information:
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0


    How can I be sure whether it is a virus, a worm or a malicious user?

    Thank you in advance.
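The posted 4625 says more than it appears to. Status 0xc000006d is the generic STATUS_LOGON_FAILURE; the field that explains the failure is Sub Status, and 0xc000006a is STATUS_WRONG_PASSWORD: the user name was accepted and only the password was wrong (a name that does not exist gives 0xc0000064). Whoever or whatever sent this therefore knows the domain admin's account name. Logon Type 3 with NtLmSsp is a network logon, which is what an SQL or SMB client authenticating over the wire produces, and the NULL SID in the Subject block is normal for a failed network logon. Of the two host fields, Workstation Name is supplied by the client inside the NTLM exchange and can be anything, while Source Network Address comes from the TCP connection. The following is an added example, not code from the thread: a PowerShell function that parses this message format, decodes the Sub Status and flags network guesses against a list of privileged accounts. The sample message is an abridged, constructed copy of the posted event; the account list and the seven-day window are assumptions.

```powershell
# Added example, not from the original post: parse a 4625 message like the one above,
# decode the Sub Status, and flag password guesses against privileged accounts.

# Constructed, abridged copy of the posted event text so the example runs offline.
$sampleMessage = @"
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: serviser
Account Domain: UF
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a
Network Information:
Workstation Name: STUDENTPRODEKAN
Source Network Address: 172.21.21.90
Source Port: 2338
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
"@

# Sub Status is what explains a 4625; Status is 0xc000006d for nearly all of them.
# 0xc000006a versus 0xc0000064 is the key distinction: a wrong password means the
# caller used a user name that exists.
$subStatusMeaning = @{
    '0xc000006a' = 'wrong password (user name exists)'
    '0xc0000064' = 'user name does not exist'
    '0xc0000234' = 'account locked out'
    '0xc0000072' = 'account disabled'
    '0xc000006f' = 'logon outside permitted hours'
    '0xc0000070' = 'logon from a workstation the account may not use'
    '0xc0000071' = 'password expired'
    '0xc000015b' = 'logon type not granted to this account'
}

function ConvertFrom-FailedLogonMessage {
    param([Parameter(Mandatory = $true)][string]$Message)

    # The text has two "Account Name:" lines (subject and target), so every lookup is
    # anchored on its section header before the field name.
    function Get-Field([string]$Section, [string]$Field) {
        if ($Message -match "(?s)$Section\s*:.*?$Field\s*:\s*(\S+)") { $Matches[1] } else { $null }
    }

    $sub = "$(Get-Field 'Failure Information' 'Sub Status')".ToLower()
    $reason = if ($subStatusMeaning.ContainsKey($sub)) { $subStatusMeaning[$sub] } else { 'not in table' }

    [pscustomobject]@{
        TargetUser      = Get-Field 'Account For Which Logon Failed' 'Account Name'
        TargetDomain    = Get-Field 'Account For Which Logon Failed' 'Account Domain'
        LogonType       = [int](Get-Field 'Subject' 'Logon Type')
        SubStatus       = $sub
        Reason          = $reason
        # Workstation Name travels inside the client's NTLM message and can be forged;
        # Source Network Address comes from the TCP connection and is the value to trust.
        WorkstationName = Get-Field 'Network Information' 'Workstation Name'
        SourceAddress   = Get-Field 'Network Information' 'Source Network Address'
        AuthPackage     = Get-Field 'Detailed Authentication Information' 'Authentication Package'
    }
}

# Accounts for which a single bad-password attempt over the network is worth a look
# (assumed list; "serviser" is the domain admin named in the post).
$privilegedAccounts = @('serviser', 'administrator')

function Test-PrivilegedGuess {
    param([Parameter(Mandatory = $true)]$Failure)
    ($Failure.LogonType -eq 3) -and
    (@('0xc000006a', '0xc0000064') -contains $Failure.SubStatus) -and
    ($privilegedAccounts -contains "$($Failure.TargetUser)".ToLower())
}

# Live version of the same triage over the SQL server's Security log: one row per
# source address and target account, most frequent first.
function Get-PrivilegedLogonFailures {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-$Days) } |
        ForEach-Object { ConvertFrom-FailedLogonMessage -Message $_.Message } |
        Where-Object { Test-PrivilegedGuess -Failure $_ } |
        Group-Object SourceAddress, TargetUser |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Offline run on the posted event.
$parsed = ConvertFrom-FailedLogonMessage -Message $sampleMessage
$parsed | Format-List
"Privileged account guessed from {0} ({1}): {2}" -f $parsed.SourceAddress, $parsed.WorkstationName, (Test-PrivilegedGuess -Failure $parsed)
```

What the server's event cannot tell you is which program on 172.21.21.90 opened the connection, and that is the virus-versus-user question. It has to be answered on the workstation: who had a session open at that moment, and, if you can capture it, which process owned the source port (2338 here) at that time.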

  • #2
    Re: Suspicious activity on the network

    well,
    Do you have that workstation? Is the administrative access expected on it?
    Can you find out which standard user may have been logged onto that workstation at that time?

    If serviser is the DA account, it's not common, so worms/trojans wouldn't just be guessing it... that's my theory anyway. I suspect someone is playing around.
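The question in the reply above, who was logged on to the workstation when the server logged the failure, is answered from the workstation's own Security log, not the server's: pair 4624 logon events with 4634/4647 logoff events on their Logon ID and keep the interactive ones that were open at that moment. Note that this gives you the account, which is what the original poster says he already has; it cannot separate several people who share one account. The following is an added example, not code from the thread. The session records are constructed; the live function rebuilds the same records from a workstation's log and needs "Audit logon events" enabled there plus rights to read the log remotely. The five-minute clock-skew allowance and the lookback window are assumptions.

```powershell
# Added example, not from the thread: who had an interactive session open on the
# workstation when the SQL server recorded the 4625. Session records below are
# constructed; Get-WorkstationSession builds the same records from a real Security log.

# Constructed sample for STUDENTPRODEKAN. LogonType 2 = console, 10 = RDP, 11 = cached
# interactive, 3 = network (not a person at the keyboard). LogoffTime $null = still open.
$sampleSessions = @(
    [pscustomobject]@{ User = 'UF\student01'; LogonType = 2;  LogonTime = [datetime]'2009-03-10 08:05'; LogoffTime = [datetime]'2009-03-10 11:40' }
    [pscustomobject]@{ User = 'UF\student02'; LogonType = 2;  LogonTime = [datetime]'2009-03-10 11:52'; LogoffTime = [datetime]'2009-03-10 15:10' }
    [pscustomobject]@{ User = 'UF\student02'; LogonType = 10; LogonTime = [datetime]'2009-03-10 16:00'; LogoffTime = $null }
    [pscustomobject]@{ User = 'UF\backupsvc'; LogonType = 3;  LogonTime = [datetime]'2009-03-10 12:00'; LogoffTime = [datetime]'2009-03-10 12:01' }
)

function Find-InteractiveSession {
    param(
        [Parameter(Mandatory = $true)][object[]]$Sessions,
        [Parameter(Mandatory = $true)][datetime]$At,
        [int]$SkewMinutes = 5   # assumed tolerance for clock drift between server and workstation
    )
    $Sessions | Where-Object {
        (@(2, 10, 11) -contains $_.LogonType) -and
        ($_.LogonTime -le $At.AddMinutes($SkewMinutes)) -and
        ($null -eq $_.LogoffTime -or $_.LogoffTime -ge $At.AddMinutes(-$SkewMinutes))
    }
}

# Live: rebuild session records from the workstation's Security log by pairing 4624
# (logon) with 4634/4647 (logoff) on TargetLogonId. A session whose 4624 is older than
# $Start has no logon record in the window and is not reported, so widen $Start as needed.
function Get-WorkstationSession {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][datetime]$Start,
        [Parameter(Mandatory = $true)][datetime]$End
    )
    $filter = @{ LogName = 'Security'; Id = 4624, 4634, 4647; StartTime = $Start; EndTime = $End }
    $open = @{}
    foreach ($e in (Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter | Sort-Object TimeCreated)) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $id = $data['TargetLogonId']
        if ($e.Id -eq 4624) {
            $open[$id] = [pscustomobject]@{
                User       = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                LogonType  = [int]$data['LogonType']
                LogonTime  = $e.TimeCreated
                LogoffTime = $null
            }
        } elseif ($open.ContainsKey($id)) {
            $open[$id].LogoffTime = $e.TimeCreated
        }
    }
    $open.Values
}

# Offline run against the constructed records, at the (constructed) time of the 4625.
$failedAt = [datetime]'2009-03-10 14:27'
Find-InteractiveSession -Sessions $sampleSessions -At $failedAt | Format-Table User, LogonType, LogonTime, LogoffTime

# Live equivalent, assuming the 4625's TimeCreated is in $failedAt:
# $sessions = Get-WorkstationSession -ComputerName 'STUDENTPRODEKAN' -Start $failedAt.Date -End $failedAt.AddMinutes(5)
# Find-InteractiveSession -Sessions $sessions -At $failedAt
```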


    • #3
      Re: Suspicious activity on the network

      Originally posted by tehcamel:
      well,
      Do you have that workstation? Is the administrative access expected on it?
      Can you find out which standard user may have been logged onto that workstation at that time?

      If serviser is the DA account, it's not common, so worms/trojans wouldn't just be guessing it... that's my theory anyway. I suspect someone is playing around.
      Yes, I have access to all of the workstations. Administrative access is absolutely not expected on that machine. I know the user account under which the attack occurred.

      The problem is that I cannot act as a cop in the company. I am not sure what I would do the moment I found the attacker carrying out an attack; I guess I would throw him through the window.



      • #4
        Re: Suspicious activity on the network

        Do you have a network access policy that you make your users view and sign?

        if so, take your logs, and your correlating evidence to someone who CAN act as a cop, and get them to take appropriate action.

        I disagree that you shouldn't play cop; this is your network, and I'm sure part of your job is keeping it secure. Even if you just start off by reporting to your boss that you've noticed unauthorised attempts to access the administrator account.
        A good boss will usually understand, and may then ask you to investigate further, at which point you can say "well, I can tie it to this workstation, and tie this user to that workstation at this time." This is when your network access policy comes into effect....


        • #5
          Re: Suspicious activity on the network

          Thank you for your quick answer!

          There is one more problem. The user account that is used every time the attack occurs is used by two or three persons, so I cannot tie the user account to a person. All these persons are members of a student organization that needs access to the college's network.

          I thought that I could create user accounts for all of them, but the problem is that my network policy states that only employees can have domain accounts. Is there a solution to prevent that computer (and almost 90% of all the network computers) from contacting the SQL server? Only four computers (out of 120) need access to the SQL server.

          Thank you again.



          • #6
            Re: Suspicious activity on the network

            You could use IPsec policies to require encrypted communication between the relevant servers?

            You already stated yourself that you would prefer to have individual accounts for each of them, so you're already aware that this is a basic security element.
            I'd love to think of a way you could work around the requirement that only employees have accounts.

            Maybe you could limit the hours that the users can log on, or require that they specifically contact yourself to enable the account every time it is used?
            It's a hassle for yourself, and them, but at least you will know who is using it each time...
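The question in #5 (only four of 120 computers need to reach the SQL server) and the IPsec suggestion in #6 both come down to scoping inbound access on the SQL server itself. The simplest control is Windows Firewall with Advanced Security (Windows Server 2008 or later): leave the default inbound action at block and add one allow rule for the SQL port scoped to the four client addresses. The rule-precedence trap is that in WFAS a block rule is evaluated before an allow rule, so a "block 1433 from everyone" rule placed next to the allow rule locks out the four hosts as well. The following is an added example, not from the thread; the addresses, the port and the rule names are placeholders, and it is meant to be run in an elevated PowerShell on the SQL server.

```powershell
# Added example, not from the thread: limit inbound SQL Server connections on the SQL
# server itself to the four hosts that need them, using netsh advfirewall. The host
# addresses, port and rule names are placeholders (assumptions).

$allowedHosts = '172.21.21.10', '172.21.21.11', '172.21.21.12', '172.21.21.13'   # assumed: the four clients
$sqlPort      = 1433   # default instance; pin a named instance to a fixed TCP port first

# 1. The domain profile must drop inbound connections that no rule allows. WFAS
#    evaluates block rules before allow rules, so do NOT add a "block 1433 from anyone"
#    rule next to the allow rule below: it would shut out the four hosts too.
netsh advfirewall set domainprofile firewallpolicy "blockinbound,allowoutbound"

# 2. Look for existing inbound rules that still admit the SQL port from any address
#    (for example one added for sqlservr.exe at install time) and disable them by name:
#    netsh advfirewall firewall set rule name="<that rule>" new enable=no
netsh advfirewall firewall show rule name=all dir=in | Select-String -Pattern '^Rule Name:|^LocalPort:|^RemoteIP:|^Program:'

# 3. One allow rule, scoped to the four remote addresses only.
$remote = $allowedHosts -join ','
netsh advfirewall firewall add rule name="SQL Server TCP $sqlPort from application hosts" dir=in action=allow protocol=TCP localport=$sqlPort remoteip="$remote" profile=domain

# 4. Only if the four clients locate a named instance through SQL Browser; otherwise
#    leave UDP 1434 closed.
netsh advfirewall firewall add rule name="SQL Browser UDP 1434 from application hosts" dir=in action=allow protocol=UDP localport=1434 remoteip="$remote" profile=domain

# 5. Review the result, then test from a workstation that is not in the list: the
#    connection to the SQL port must time out (blocked packets are dropped silently).
netsh advfirewall firewall show rule name="SQL Server TCP $sqlPort from application hosts"
#    From an unlisted client, on Windows 8.1 / 2012 R2 or later:
#    Test-NetConnection -ComputerName <sqlserver> -Port 1433
```

Two caveats. An address-scoped rule trusts the IP address, not the machine; the IPsec route suggested in #6 (a connection security rule requiring computer authentication, deployed to the SQL server and the four clients by Group Policy, with the firewall rule then restricted to authenticated connections) ties access to the client's machine account instead. And the rule only closes this one path: a domain admin account can still be guessed against file shares, RDP or the domain controllers, so the account the four hosts use to reach SQL Server should not be a domain admin in the first place.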


            • #7
              Re: Suspicious activity on the network

              Firstly, I take it that's a typo in your original post and the account Serviser is NOT a domain admin but is used as a generic account.
              Can you check the workstation in question to see if there is a remote access product called iCloseup from Norton-Lambert installed?


              • #8
                Re: Suspicious activity on the network

                Hi.

                Serviser IS domain administrator.

