Event viewer security log entry suspicious

[cheezwiz]

Here's two excerpted entries
10/20/00 11:13:21 PM
Logon Failure: Reason Unknown user name or bad password
User Name: administrator
Domain: WORKSTATION 1
Workstation name: \\workstation 1

10/20/00 11:13:32 PM
Logon Failure: Reason Unknown user name or bad password
User Name: WORKSTATION 1$
Domain: MYDOMAINNAME
Workstation name: \\workstation 1
(MYDOMAINNAME represents my real domain name which I don't want to advertise)

The administrator account has been renamed, so this is definitely not a legitimate attempt to login. Is there a way to figure out where \\workstation 1 is?

Thanks for any comments or advice!

 

[theripper]

cheezwiz -

If you have a handful of users, you can go to each workstation and look under Network Neighborhood-->Properties-->Indentification and you'll see the the PC's name (ie workstation 1) and the computer description.

However, if you have more than a few users, visiting each workstation won't be efficient. Are you running DHCP server, or WINS? You may be able to trace them down that way.

Good Luck ~