Logon Process contains garbled characters


Guest

This is a strange message in my DC's Security log:
I have looked all over for a similar output in the Logon Process, but have
found nothing relevant.
Any input would be greatly appreciated.

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: 5/3/2006
Time: 10:42:47 AM
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
Logon Failure:
Reason: An unexpected error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: H1øwÿÿÿÿ
Authentication Package: NTLM
Workstation Name:
 

Steven L Umbach

That is weird Joe. I have never seen anything like that. I don't know what
to suggest offhand. Are you seeing a lot of those?? --- Steve
 

Guest

There are only two additional 537 failures with the garbled characters in the
last 24 hours.
However, there are more than thirty of these Kerberos errors:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: 5/4/2006
Time: 7:59:08 AM
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
Logon Failure:
Reason: An unexpected error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -

Another clue: when I export the logs using Eventcomb, I see this:
537 AUDIT FAILURE Security Thu May 04 02:42:58 2006 NT
AUTHORITY\SYSTEM Logon Failure: Reason: An error occurred during logon
User Name: Domain: Logon Type: 3 Logon Process: Kerberos
Authentication Package: Kerberos Workstation Name: - Status code:
(null) Substatus code: (null)

I am not sure if the (null) represents a null session attempt/request.

Also, these seem to occur in batches; the most recent ones happened at:
7:59:08
7:59:22
7:59:25
7:59:26
7:59:28

At this point, I consider this server, "compromised."

Can you provide any other tools / scripts to confirm or deny this is the
case?

Thank you in advance,
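As an added example (not part of the thread, and not an Eventcomb or Microsoft tool): a small Python script that parses export lines in the one-line-per-event layout quoted above, flags any 537 whose Logon Process field is not plain printable text, and groups failures that arrive within a short window so that the "batches" can be counted rather than eyeballed. The sample export is constructed from the values quoted in the thread; the exact Eventcomb field layout, the 60-second window and the three-event threshold are assumptions and should be adjusted to the real export.

```python
import re
from datetime import datetime

# Constructed sample export: values are the ones quoted in the thread, laid out one event
# per line the way the poster's Eventcomb export shows them (the exact layout is an assumption).
_TEMPLATE = (
    "537 AUDIT FAILURE Security {ts} NT AUTHORITY\\SYSTEM Logon Failure: "
    "Reason: {reason} User Name: Domain: Logon Type: 3 Logon Process: {proc} "
    "Authentication Package: {pkg} Workstation Name: {ws} "
    "Status code: (null) Substatus code: (null)"
)
_KERB = dict(reason="An error occurred during logon", proc="Kerberos", pkg="Kerberos", ws="-")
SAMPLE_EXPORT = "\n".join(
    [_TEMPLATE.format(ts="Wed May 03 10:42:47 2006",
                      reason="An unexpected error occurred during logon",
                      proc="H1\u00f8w\u00ff\u00ff\u00ff\u00ff", pkg="NTLM", ws="")]
    + [_TEMPLATE.format(ts=f"Thu May 04 {t} 2006", **_KERB)
       for t in ("02:42:58", "07:59:08", "07:59:22", "07:59:25", "07:59:26", "07:59:28")]
)

# One regex per export line; the field labels are the ones the event text uses.
_LINE = re.compile(
    r"^(?P<event_id>\d+) AUDIT (?P<outcome>\w+) (?P<source>\S+) "
    r"(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) (?P<account>.+?) Logon Failure: "
    r"Reason:(?P<reason>.*?)User Name:(?P<user>.*?)Domain:(?P<domain>.*?)"
    r"Logon Type:(?P<logon_type>.*?)Logon Process:(?P<process>.*?)"
    r"Authentication Package:(?P<package>.*?)Workstation Name:(?P<workstation>.*?)"
    r"Status code:(?P<status>.*?)Substatus code:(?P<substatus>.*)$"
)


def parse_export(text):
    """Turn export lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        ev = {k: v.strip() for k, v in m.groupdict().items()}
        ev["timestamp"] = datetime.strptime(ev["ts"], "%a %b %d %H:%M:%S %Y")
        events.append(ev)
    return events


def is_garbled(value):
    """A Logon Process name is expected to be printable ASCII (e.g. Kerberos)."""
    return not (value.isascii() and value.isprintable())


def garbled_events(events):
    return [e for e in events if is_garbled(e["process"])]


def blank_identity_events(events):
    """Network (type 3) failures carrying neither a user nor a workstation name:
    nothing to pivot on, which is worth counting on its own."""
    return [e for e in events
            if e["logon_type"] == "3" and not e["user"] and e["workstation"] in ("", "-")]


def find_bursts(events, window_seconds=60, min_count=3):
    """Group events whose consecutive gaps are <= window_seconds; keep groups of min_count+."""
    ordered = sorted(events, key=lambda e: e["timestamp"])
    bursts, cluster = [], []
    for ev in ordered:
        if cluster and (ev["timestamp"] - cluster[-1]["timestamp"]).total_seconds() > window_seconds:
            if len(cluster) >= min_count:
                bursts.append(cluster)
            cluster = []
        cluster.append(ev)
    if len(cluster) >= min_count:
        bursts.append(cluster)
    return bursts


if __name__ == "__main__":
    evs = parse_export(SAMPLE_EXPORT)
    print(f"{len(evs)} events parsed, {len(blank_identity_events(evs))} with no user/workstation")
    for e in garbled_events(evs):
        print("garbled Logon Process at", e["timestamp"], repr(e["process"]), "package", e["package"])
    for burst in find_bursts(evs):
        print(f"burst of {len(burst)} failures between "
              f"{burst[0]['timestamp']:%H:%M:%S} and {burst[-1]['timestamp']:%H:%M:%S}")
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents; the burst list gives start and end times to line up against scheduled tasks or service restarts, and the garbled list shows whether the odd Logon Process values correlate with a particular authentication package or time.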
 

Steven L Umbach

I would not consider the server compromised because they are logon failures.
Generally a hack attack will involve several attempts to logon as the
administrator account in rapid succession. Do any of these events show a
username or workstation name as that can be helpful in determining what is
going on? I really would not worry that much based just on the events you
mention. It is not unusual to see some failed logon attempts for a variety
of reasons which could include a Scheduled Task or mapped drive using old
credentials. Type 3 logons are network logons which means that some
user/computer was trying to probably access a share on that computer or do
some task through SMB connectivity. As far as the three events with the
weird characters maybe there was some sort of corruption involved in the
security log when those events were written. If you have not seen the link
below it may be helpful.

http://www.microsoft.com/technet/se...andmonitoring/securitymonitoring/default.mspx

To further look into if the server has been compromised I would be sure to
check users and groups on it to see if anything has been changed,
particularly membership in any privileged groups such as administrators
group and then check the computer for any unauthorized processes that may be
running and are in startup. I would also make sure that auditing of account
management and policy change are enabled as they can help show if a computer
has been compromised as evidenced by unexplained changes to user rights,
auditing, and user/group management. Of course routine malware scans should
be done with the latest definitions for any product used. SysInternals has
some free and very helpful utilities that can help you in checking your
computer including Process Explorer, Autoruns, Sigcheck, Tdimon, TCPView,
and RootKit Revealer.

http://www.sysinternals.com/Utilities/ProcessExplorer.html --- Process
Explorer and link to SysInternals
http://www.microsoft.com/technet/security/topics/serversecurity/avdind_4.mspx
--- good info from the Antivirus in Depth Guide on tips to check your computer
for compromise.
 

John John

??? What makes you think that I need to run a rootkit revealer on my end?

John
 
