
Am I being Attacked?


deperado (IS-IT--Management), Jan 30, 2004, GB
I am the administrator of a 300-desktop Windows network; I have implemented account policies that lock out accounts after 3 incorrect passwords.

Recently I have had 30 - 40 accounts being locked out in just a few days. This to me looks suspicious, and I require some assistance on how to find out what is causing this to happen.

Having looked in the Event Viewer I can see random user accounts are being locked as a result of the policy, and having spoken to the users, they say they haven't entered the passwords incorrectly.

This is what makes me believe that there may be someone running a piece of account password software.

How can I find which PC, if any, is responsible?

Any help would be appreciated.
 
Assuming someone isn't deliberately walking around the office typing in passwords just to lock people out, you could use a network monitoring tool to watch traffic on the network.

This is the tool I use for watching local traffic

With 300 machines, you're going to generate a lot of traffic. Ethereal can filter what it records according to all sorts of rules, so my suggestion would be to record network login attempts (good and bad?) and set up a filter which matches that.

Once your filter is set, you should be able to spot login attempts.
Since the event log and Ethereal both timestamp data, you should be able to match up events in one with events in the other.

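The matching step described in the answer above, as an added example that is not part of the thread: it takes lockout times exported from the event log and a capture export filtered to logon attempts, and counts which source address shows up in the seconds before each lockout. The records, the 30-second window and the column layout are assumptions; in practice the two lists would be exported from the Event Viewer and from Ethereal.

```python
"""Correlate account-lockout events with captured logon attempts.

Added illustration of the approach suggested above; not code from the
thread. Both data sets below are constructed sample records.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed lockout records as exported from the Event Viewer:
# (time, account that was locked out).
LOCKOUTS = [
    ("2004-01-30 09:14:07", "jsmith"),
    ("2004-01-30 09:14:21", "pjones"),
    ("2004-01-30 11:02:55", "acarter"),
]

# Constructed records from a capture filtered to logon attempts:
# (time, source IP, target account). Column layout is an assumption.
CAPTURE = [
    ("2004-01-30 09:14:05", "10.1.2.77", "jsmith"),
    ("2004-01-30 09:14:06", "10.1.2.77", "jsmith"),
    ("2004-01-30 09:14:19", "10.1.2.77", "pjones"),
    ("2004-01-30 09:14:20", "10.1.2.77", "pjones"),
    ("2004-01-30 09:30:00", "10.1.2.15", "jsmith"),  # unrelated later logon
    ("2004-01-30 11:02:52", "10.1.2.77", "acarter"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def correlate(lockouts, capture, window=timedelta(seconds=30)):
    """Return {source_ip: number of lockouts it preceded}.

    A capture record counts toward a lockout when it targets the same
    account and falls within `window` before the lockout time. Each
    source is counted at most once per lockout, so a burst of attempts
    from one machine does not inflate its score.
    """
    hits = Counter()
    for lock_ts, account in lockouts:
        lock_time = parse(lock_ts)
        seen = set()
        for cap_ts, src, target in capture:
            cap_time = parse(cap_ts)
            if target == account and lock_time - window <= cap_time <= lock_time:
                seen.add(src)
        for src in seen:
            hits[src] += 1
    return hits

def likely_source(lockouts, capture):
    """The source IP preceding the most lockouts; the first PC to inspect."""
    hits = correlate(lockouts, capture)
    return hits.most_common(1)[0][0] if hits else None
```

With the sample data, one address precedes all three lockouts while the unrelated logon at 09:30 is never inside a window.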
 
Would Ethereal be comparable to Sniffer in terms of functionality?
 
Thanks for your help. I ran Spybot on all the machines that were locking out and found one without Sophos on it; loaded Sophos and it found a trojan/spyagen.c had affected the ntinvisble file. Shredded the file but can't find any lit on this trojan, not even on the Sophos site. Any ideas what it is?

Your help is appreciated.
 