Event 676 with unknown user name

paddy8205

One of the laptops on the network is producing Event 676 errors in the
security log. Lots of them:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 676
Date: 3/31/2004
Time: 12:51:04 PM
User: NT AUTHORITY\SYSTEM
Computer: EKSTERN
Description:
Authentication Ticket Request Failed:
User Name: gamroot
Supplied Realm Name: domain.COM
Service Name: krbtgt/domain.COM
Ticket Options: 0x40810010
Failure Code: 0x6
Client Address: 131.27.3.18

I know the security event is caused by a bad user name, but sometimes
hundreds of these show up from this laptop's client address within a
short period of time and I don't recognize the user names. (gamroot,
bcmack, etc.) I can verify which computer it comes from because of
the DHCP leases. I've checked for viruses and spyware and came up
with nothing. At first I thought they might be letting someone else
use their computer while at home and VPN'd in but I got the same
events yesterday when they were in the office logged into the network.
Does anyone have any idea what else I can look for or use to track
down what is happening?

Thanks.
 
Steven L Umbach

Is ekstern the name of his laptop? I ask because a DHCP lease may not be proof that
it is the computer causing the logon failures if the attacking computer is using a
static address. If you ping 131.27.3.18 -a, does it show ekstern as the name when it
is on the network? Try using Process Explorer and TcpView from Sysinternals to see if
you can find any strange processes running on that laptop, Autoruns to look for
strange startup programs, and install Sygate personal firewall [free to try] on it
and disable the firewall, but use it as a logging tool to view the logs to see if you
can match up events in that log to the failed logons by time. You want to prove
whether these attempts are coming from this laptop or not and then proceed from there. ---
Steve

http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml
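The original post shows the 676 record layout and the pattern that matters (many non-existent user names from one client address within seconds), and the reply above suggests confirming which host is really the source and matching a host-side firewall log to the failed logons by time. The script below is an added example, not code from the thread or from any tool it names: it parses exported 676 records, decodes the failure code, flags per-client bursts of unknown principals as opposed to a single mistyped name, and joins a burst to whatever local process a host firewall log shows reaching a KDC on port 88 at that moment. The sample records, the firewall log lines and their format, the DC name DC01, the KDC address 131.27.1.5 and the process name example.exe are all constructed for illustration.

```python
"""Triage of Windows Event ID 676 records (Kerberos AS-REQ failures). Added
example, not code from the thread; all sample data below is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos error codes (RFC 4120) as they appear in the "Failure Code" field.
FAILURE_CODES = {
    0x6: "KDC_ERR_C_PRINCIPAL_UNKNOWN (user name does not exist in the realm)",
    0x12: "KDC_ERR_CLIENT_REVOKED (account disabled, locked out or expired)",
    0x17: "KDC_ERR_KEY_EXPIRED (password expired)",
    0x18: "KDC_ERR_PREAUTH_FAILED (wrong password)",
}

# Exported record layout as in the post. "Computer" is the domain controller
# that logged the failure; "Client Address" is the host that sent the request.
RECORD = """Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 676
Date: 3/31/2004
Time: {time}
User: NT AUTHORITY\\SYSTEM
Computer: DC01
Description:
Authentication Ticket Request Failed:
User Name: {user}
Supplied Realm Name: domain.COM
Service Name: krbtgt/domain.COM
Ticket Options: 0x40810010
Failure Code: {code}
Client Address: {client}"""

# Constructed sample: six non-existent names from one client within seconds
# (the thread's pattern), then one lone typo and one bad password from another.
SAMPLE_LOG = "\n\n".join(
    [RECORD.format(time="12:51:%02d PM" % (4 + i), user=u, code="0x6", client="131.27.3.18")
     for i, u in enumerate(["gamroot", "bcmack", "admin", "oracle", "test", "root"])]
    + [RECORD.format(time="12:52:30 PM", user="jsmtih", code="0x6", client="131.27.3.50"),
       RECORD.format(time="12:53:10 PM", user="jsmith", code="0x18", client="131.27.3.50")])

# Constructed host firewall log from the suspect laptop, in an invented
# "timestamp process proto src -> dst action" format; 131.27.1.5 stands for the KDC.
SAMPLE_FW_LOG = """2004-03-31 12:51:03 example.exe UDP 131.27.3.18:1431 -> 131.27.1.5:88 ALLOW
2004-03-31 12:51:04 example.exe UDP 131.27.3.18:1432 -> 131.27.1.5:88 ALLOW
2004-03-31 12:55:00 outlook.exe TCP 131.27.3.18:1440 -> 131.27.1.9:135 ALLOW"""

FIELD_RE = re.compile(r"^(Date|Time|User Name|Failure Code|Client Address): (.+?)\s*$", re.M)
FW_RE = re.compile(r"^(\S+ \S+) (\S+) (?:TCP|UDP) \S+ -> \S+:88 ")

def parse_events(text):
    """Turn exported 676 text into dicts with keys when, user, code, client."""
    events = []
    for block in text.strip().split("\n\n"):
        f = dict(FIELD_RE.findall(block))
        if "Failure Code" in f:
            when = datetime.strptime(f["Date"] + " " + f["Time"], "%m/%d/%Y %I:%M:%S %p")
            events.append({"when": when, "user": f["User Name"],
                           "code": int(f["Failure Code"], 16), "client": f["Client Address"]})
    return events

def describe_code(code):
    return FAILURE_CODES.get(code, "unknown failure code 0x%x" % code)

def find_bursts(events, window=timedelta(minutes=5), min_events=5, min_users=3):
    """Per client address, report the first window with at least min_events 0x6
    failures for at least min_users distinct names. One mistyped name repeats a
    single user; a guessing tool cycles through many."""
    by_client = defaultdict(list)
    for e in events:
        if e["code"] == 0x6:
            by_client[e["client"]].append(e)
    bursts = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["when"])
        for i, first in enumerate(evs):
            hits = [e for e in evs[i:] if e["when"] - first["when"] <= window]
            users = sorted({e["user"] for e in hits})
            if len(hits) >= min_events and len(users) >= min_users:
                bursts[client] = {"start": first["when"], "count": len(hits), "users": users}
                break
    return bursts

def attribute_to_process(burst_start, fw_log, tolerance=timedelta(seconds=2)):
    """Name the local processes the firewall log shows talking to a KDC (port 88)
    within tolerance of the burst's first failure."""
    procs = set()
    for line in fw_log.splitlines():
        m = FW_RE.match(line)
        if m and abs(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S") - burst_start) <= tolerance:
            procs.add(m.group(2))
    return sorted(procs)

if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for client, b in find_bursts(events).items():
        print("%s: %d x %s for %s" % (client, b["count"], describe_code(0x6), ", ".join(b["users"])))
        print("  processes reaching the KDC at that moment:", attribute_to_process(b["start"], SAMPLE_FW_LOG))
```

On the sample data the script flags only 131.27.3.18 (six different unknown names in six seconds) and leaves the single typo from 131.27.3.50 alone; the thresholds are starting points, not tuned values. The time join is deliberately loose (a few seconds) because a host firewall log and a domain controller's clock rarely agree to the second, which is the same reason the reply above suggests matching by time rather than expecting exact equality.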
 
paddy8205

Thanks for your advice. I did an ipconfig /all on the laptop to make
sure it was the source of the attacks, which it was. I found a
process running on the laptop called conf32.exe. This file is part of
some kazaa virus but there were no other signs of the virus, just this
one process, and Norton anti-virus never picked it up. I killed the
process, deleted the file, and searched the registry to get rid of any
instances of it. Problem is gone now. (By the way, user is running
Win2k.)

Thanks again.

 
Steven L Umbach

Good work! Kinda scary that Norton did not pick it up. Thanks for posting back what
you found and how you fixed it. --- Steve

paddy8205 said:
Thanks for your advice. I did an ipconfig /all on the laptop to make
sure it was the source of the attacks, which it was. I found a
process running on the laptop called conf32.exe. This file is part of
some kazaa virus but there were no other signs of the virus, just this
one process, and Norton anti-virus never picked it up. I killed the
process, deleted the file, and searched the registry to get rid of any
instances of it. Problem is gone now. (By the way, user is running
Win2k.)

Thanks again.