Posted by Steven L Umbach on December 23, 2005, 12:52 pm
Any time you see failed logons for the administrator account, that can be
reason for concern. Type 10 logon is an attempt via Remote Desktop. If it
shows the source computer, that may help in trying to track down what is
going on. Usually hack attempts will show many failed logons in rapid
succession. As far as changing printer properties, see if a user name is
shown. --- Steve

http://www.windowsecurity.com/articles/Logon-Types.html --- explanation of
logon types.

> I have been receiving the following strange entries in the Security and
> System logs.
>
> Looks to me like hacks or attempted hacks. Any comments?
>
> I've omitted details for security reasons.
>
> 1st Entry: Always 4 attempts at log-ins.
>
> Reason: Unknown user name or bad password
> User Name: Administrator
> Domain: <omitted>
> Logon Type: 10
> Logon Process: User32
> Authentication Package: Negotiate
> Workstation Name: <omitted>
> Caller User Name: <omitted>$
> Caller Domain: <omitted>
> Caller Logon ID: (0x0,0x3E7)
> Caller Process ID: 5840
> Transited Services: -
> Source Network Address: 12.36.212.13
> Source Port: <omitted>
>
> The second entry appears in the System log and relates to printing. I know
> for certain there was no printing activity for normal users on the network
> at this time.
>
> Event Type: Information
> Event Source: Print
> Event Category: None
> Event ID: 42
> Date: 19/12/2005
> Time: 16:21:03
> User: NT AUTHORITY\SYSTEM
> Computer: <omitted>
> Description:
> Printer Colour on reswks1 (from NAZGUL) in session 1 was successfully
> unpublished.
>
> There are a whole series of these entries in the system log over several
> days relating to clearing the printing queue and changing printer
> properties.
> --
> Al
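
Added example, not part of the original posts: a small Python check for the pattern described in the reply, many failed Type 10 (Remote Desktop) logons in rapid succession from one source. It assumes the Security log has been exported as blank-line-separated "Field: value" records with Date and Time lines; the sample records, the addresses, the threshold of 4 and the 60-second window are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def make_record(time, user, ltype, src):
    # Builds one constructed record in the field layout quoted in the post.
    return (f"Date: 19/12/2005\nTime: {time}\n"
            "Reason: Unknown user name or bad password\n"
            f"User Name: {user}\nLogon Type: {ltype}\n"
            f"Source Network Address: {src}\n")

# Constructed sample data; addresses are documentation-range placeholders.
SAMPLE = "\n".join(
    [make_record(t, "Administrator", 10, "192.0.2.10")
     for t in ("16:20:01", "16:20:03", "16:20:04", "16:20:06")]
    + [make_record("09:00:00", "alice", 10, "198.51.100.7"),       # lone failure
       make_record("16:20:05", "Administrator", 3, "192.0.2.10")]) # not Type 10

def parse_records(text):
    """Split blank-line-separated 'Field: value' blocks into dicts."""
    records = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            records.append(fields)
    return records

def rdp_failure_bursts(records, threshold=4, window=timedelta(seconds=60)):
    """Map source address -> largest number of failed Type 10 logons seen
    inside one window, for sources reaching the threshold (assumed values)."""
    by_source = defaultdict(list)
    for r in records:
        if r.get("Logon Type") != "10" or "Reason" not in r:
            continue  # keep only failed Remote Desktop logons
        ts = datetime.strptime(f"{r['Date']} {r['Time']}", "%d/%m/%Y %H:%M:%S")
        by_source[r.get("Source Network Address", "-")].append(ts)
    worst = {}
    for src, times in by_source.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1  # slide the window's left edge forward
            worst[src] = max(worst.get(src, 0), end - start + 1)
    return {s: n for s, n in worst.items() if n >= threshold}

if __name__ == "__main__":
    print(rdp_failure_bursts(parse_records(SAMPLE)))
```

A single mistyped password from one address stays below the threshold, and failures spread over hours never fall into the same window, so only rapid bursts are reported.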