What is VPNz?

Guest

I'm investigating a hacking attempt on our Windows 2003 server. We had 56
bad attempts to guess a user's password. Below is the detail of the attempt
with the identifiable information removed:

Logon Failure:
Reason: Unknown user name or bad password
User Name: (e-mail address removed)
Domain: OUR_DOMAIN
Logon Type: 8
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: AUB04
Caller User Name: OUR_SERVER$
Caller Domain: OUR_DOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 8224
Transited Services: -
Source Network Address: XXX.XXX.XXX.XXX
Source Port: 1224

Looking up port 1224, it appears to be something called VPNz... what is VPNz
and what should I do about it? The password has already been changed.

Thanks,
Dan
 
Danny Sanders

Sounds like someone is using a script to try to log onto your servers using
a clear text password.
They were denied.

Be wary of a logon type 8 that succeeds.

Is the username a good username on your domain?
If so, how did they get it, if it is a hack?
If it is good, check with the user to see if they have some sort of script
running with their username and (a bad) password that would cause this.
Maybe they changed their password on the domain but not in the script.


hth
DDS
 
Guest

Big reason I'm worried is because the account did end up getting
authentication on that port. The owner of the account isn't technical enough
to write a script, so that wouldn't be it.
 
Steven L Umbach

Source port would be a random port. My guess is you looked up what port 1224
could be used as a destination or "server" port. Since it looks like you
know the workstation name I would take a close look at what is going on with
that computer [malware, expired credentials used for process, etc] and
possibly users using it during that time frame.

Steve
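
An added example, not part of the original thread: a small Python parser for the logon-failure text quoted above that labels the logon type and groups failures by account, workstation and source address, leaving the source port out of the key because it is an ephemeral client port. The sample event, `user@example.com` and `192.0.2.10` are constructed placeholders, and the function names are hypothetical.

```python
import re
from collections import Counter

# Logon type codes as documented for Windows security events.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

# Constructed sample in the layout of the event quoted in the thread
# (placeholder account and documentation-range address, not real data).
SAMPLE = """\
Logon Failure:
Reason: Unknown user name or bad password
User Name: user@example.com
Domain: OUR_DOMAIN
Logon Type: 8
Workstation Name: AUB04
Source Network Address: 192.0.2.10
Source Port: 1224
"""

def make_events(n):
    # n constructed failures that differ only in their source port.
    return [SAMPLE.replace("Source Port: 1224", f"Source Port: {1224 + i}")
            for i in range(n)]

def parse_event(text):
    """Turn the 'Field: value' lines of one event description into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if m and m.group(2):          # skips the bare "Logon Failure:" header
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def triage(events):
    """Count failures per origin; report whether any used logon type 8."""
    counts, cleartext = Counter(), False
    for ev in events:
        f = parse_event(ev)
        ltype = int(f.get("Logon Type", 0))
        cleartext = cleartext or ltype == 8
        # Source Port changes per connection and does not identify a service,
        # so it is deliberately not part of the grouping key.
        counts[(f.get("User Name"), f.get("Workstation Name"),
                f.get("Source Network Address"),
                LOGON_TYPES.get(ltype, "Unknown"))] += 1
    return counts, cleartext

if __name__ == "__main__":
    print(triage(make_events(56)))
```
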
 
Guest

I think the IP address may be the user's home computer. I was thinking that
VPNz was the issue (based on the port). Makes sense now. I've already asked
her to scan her home computer.

Thanks,
Dan

 
