Multiples Logins for the same User

Status
Not open for further replies.

prpnovaes

Technical User
Nov 29, 2001
36
BR
Looking at the Event Viewer's security log I became confused. There are a lot of events (event IDs 528 and 529) at the same time, for the same NT domain user, on different stations located in different places.

It seems that the same user is trying to log in on different stations at the same time. As I am sure that the user isn't doing this, I need to know what can be happening.

Environment details:

PDC/BDC: NT Server 4.0 SP6, WINS, Computer Browser service, LanManServer, Messenger, RPC Locator, RPC Service
(TCP/IP open ports = 42/WINS, 53/DNS, 135/EPMAP, 139/NetBIOS)

Workstations: Win98, Workstation service, Messenger service, File Server service, NetBIOS Session service
(TCP/IP open ports = 139), hybrid B-node

Could you help me?
 
Event 528 is a successful logon, 529 a bad username/password...

In the event log, it should have a logon type, one of the following:

Type 2 : Console logon - interactive from the computer console
Type 3 : Network logon - network mapping (net use/net view)
Type 4 : Batch logon - scheduler
Type 5 : Service logon - service uses an account
Type 7 : Unlock Workstation

If you find out what type it is, it may help explain what is going on. [auto] MCSE NT4/W2K
 
Excuse me Dhawthorn, but I can't understand what is happening. There are a lot of events in the Event Viewer's security log (ID 528, Type 3: Network logon) at the same time, for the same NT domain user, on different stations located in different places. It seems that the same user is trying to log in on different stations at the same time. I am sure that the user isn't doing this, and there aren't any folders shared on these stations for the user, although some stations, but not all, have a local printer shared. All the stations and domain controller servers have virus protection (CA InoculateIT 4.53) that is always kept up to date. Have you had any other idea about it? Could you help me again? Thanks a lot.
 
Do you have a login script or something that might be running a

net use \\server\ipc$ /user:USER

command? [auto] MCSE NT4/W2K
 
Yes, there are various logon scripts depending on the user access profile. Each user group has a specific logon script. These scripts map network drives on the file server for the users and start the execution of other batch files that call the anti-virus installation and map general network drives.

Example:

:: ALMOX.BAT - Batch file for users of the ALMOX department ::

@echo off
REM Map NETLOGON to X: temporarily and run the common script, passing up to
REM three extra share names through to it
net use x: \\TCE_S001\netlogon > nul
call x:\geral %1 %2 %3
REM %useopt% is set by GERAL.BAT (/YES on Win9x, /PERSISTENT:NO on NT)
net use h: \\TCE_S001\ALMOX %useopt% > nul
net use x: /DELETE > NUL

------------------------------------------------------------

:: GERAL.BAT - Batch file for all users (all groups) ::

@echo off
echo Please wait, connecting network drives ...
REM Pick the "net use" options for the client OS: %OS% is only set on NT,
REM %WINBOOTDIR% only on Win9x
if x%OS%==xWindows_NT goto NT
if not "%WINBOOTDIR%"=="" goto W95
set useopt=/YES
goto cont
:W95
set useopt=/YES
net time \\TCE_S001 /SET /YES > NUL
goto cont
:NT
set useopt=/PERSISTENT:NO
:cont
REM Every connection below goes to TCE_S001 (the PDC and file server); the
REM workstation's session to it is what the server's security log records as
REM a type 3 logon (528) and, when the session ends, a logoff (538)
net use F: \\TCE_S001\APLIC$ %useopt% > NUL
if not x%OS%==xWindows_NT net use G: /HOME > NUL
net use I: \\TCE_S001\comum %useopt% > NUL
net use j: \\TCE_S001\Desenv$ %useopt% > nul
if not exist j:\riges\nul net use j: /DELETE > nul
echo ******************************************** 06/10/2000 *
REM Map the next free drive letter to each extra share passed by the caller
if not "%1"=="" net use * \\tce_S001\%1 %useopt% > nul
if not "%2"=="" net use * \\tce_S001\%2 %useopt% > nul
if not "%3"=="" net use * \\tce_S001\%3 %useopt% > nul
echo *********************************************************
Call x:\CHEY

------------------------------------------------------------

:: CHEY.BAT - To install the Win9x anti-virus InoculateIT update ::

@echo off
REM ***** Load the automatic update of the InocuLAN anti-virus
REM NT skips the update; Win9x and any other non-NT client fall through to it
if "%OS%"=="Windows_NT" goto SKIP
if NOT "%WINBOOTDIR%"=="" goto 98
:98
\\TCE_S001\cheyupd$\avupdate.exe
:SKIP
 
If you give me your e-mail address I can send you more details about the events reported.

Thanks a lot
 
Have you got auditing turned on?
If you do, it would explain why the events are appearing.

As I said before, event 529 is a bad username/password. So chances are that person's login script is trying to connect them to a share that they don't have access to, and thus the event log message. [auto] MCSE NT4/W2K
 
Hello dhawthorn,

I need to correct my first question. When I talked about events 528 and 529 I really meant events 528 (user logon) and 538 (user logoff).

I can see in the Event Viewer's security log many pairs of 528/538 events for the same user coming from various stations. I can confirm that the related user is trying to log on at only one station, and I can't understand how I can see in the security log several pairs of 528/538 events on different stations for him at the same time. This problem occurs with other users who try to log on at the same station too. But when the related user tries to log on at another station, the problem doesn't occur.
 
Do you have services or something that might be logging on as a specific user?

Do you have a net use that is using a specific user account? [auto] MCSE NT4/W2K
 
No. I have only on the PDC (which is the file server too) two services that use specific user accounts to auto-start.
They are ArcServe and InoculateIT, which stay running all the time. The user accounts used to log on these services are specific and unique. Nobody is trying to log on at the server from a specific station using these user accounts.
The reported problem occurs with other user accounts that aren't service user accounts.

In addition, it is important to say that there aren't any services running on the stations using user accounts to auto-start.

Thanks for your help.

 
No Scheduled Tasks?

I am running out of ideas as to what may be causing it I'm afraid to say... [auto] MCSE NT4/W2K
 
Seeing as only software can log on from many workstations simultaneously, this is not likely to be a human-created error, but a software one.

Some anti-virus software has the ability to run as a service or as a high-level user in the background. What I suspect is happening here is that the AV software is attempting to log on to the central AV server to get its update, but failing.

If you compare the AV log, does it show the times that the updates were due?
Does it show that they were successful or that they failed?
Do the times in the AV log match the ones in Event Viewer?

HTH

Pete H
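
The two checks discussed in this thread, as an added example that is not part of any post here: finding a user whose successful logons (528) arrive from several workstations in the same instant and pairing each 528 with its 538 (the correction prpnovaes made above), then lining those logon times up against an anti-virus update log as Pete asks. The record layout (time, event ID, user, domain, logon type, workstation), the AV log layout and every name except CCI_2009 and TCE_S001 (domain TCE, users jsilva/mrocha/backupsvc, stations CCI_2011/CCI_2017/CCI_2020) are constructed for the example; a real NT4 Event Viewer export has a different column layout, so parse_records would need adapting to it.

```python
"""Correlate NT4-style security-log events (528 logon, 538 logoff) to spot one
user logging on from several stations at once, and line the logon times up
against an anti-virus update log. Added example; field layouts and every name
except CCI_2009 and TCE_S001 are constructed, not taken from a real NT4 export."""
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types shown in the 528/538 event detail (dhawthorn's list above).
LOGON_TYPES = {2: "Interactive (console)", 3: "Network (net use / share access)",
               4: "Batch (scheduler)", 5: "Service", 7: "Unlock workstation"}

# Constructed export: time,event_id,user,domain,logon_type,workstation.
# jsilva sits at CCI_2009 only, yet 528/538 pairs also arrive from two other
# stations in the same second; backupsvc is a service account on the PDC.
SAMPLE_LOG = """\
2002-11-04 08:15:01,528,jsilva,TCE,3,CCI_2009
2002-11-04 08:15:01,528,jsilva,TCE,3,CCI_2011
2002-11-04 08:15:01,538,jsilva,TCE,3,CCI_2011
2002-11-04 08:15:01,528,jsilva,TCE,3,CCI_2017
2002-11-04 08:15:02,538,jsilva,TCE,3,CCI_2017
2002-11-04 08:15:03,538,jsilva,TCE,3,CCI_2009
2002-11-04 08:20:30,528,mrocha,TCE,2,CCI_2020
2002-11-04 08:20:31,529,mrocha,TCE,3,CCI_2020
2002-11-04 09:00:00,528,backupsvc,TCE,5,TCE_S001
"""
# Constructed anti-virus update log: time,workstation,result.
AV_LOG = """\
2002-11-04 08:15:01,CCI_2011,update OK
2002-11-04 08:15:01,CCI_2017,update OK
2002-11-04 08:15:02,CCI_2009,update OK
"""

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def parse_records(text):
    """One record per line, sorted by time (stable, so file order survives)."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, eid, user, domain, ltype, ws = line.split(",")
            records.append({"time": _ts(ts), "event_id": int(eid), "user": user.lower(),
                            "domain": domain, "logon_type": int(ltype),
                            "workstation": ws.upper()})
    return sorted(records, key=lambda r: r["time"])

def find_concurrent_logons(records, window=timedelta(seconds=2)):
    """{user: [sorted workstation lists]} for runs of 528s by one user that
    arrive within `window` from more than one workstation. A person at a
    keyboard cannot do that; a logon script, a service or malware can."""
    by_user = defaultdict(list)
    for r in records:
        if r["event_id"] == 528:
            by_user[r["user"]].append(r)
    hits = {}
    for user, events in by_user.items():
        groups, current = [], []
        for ev in events:
            if current and ev["time"] - current[0]["time"] > window:
                groups.append(current)
                current = []
            current.append(ev)
        groups.append(current)
        stations = [sorted({e["workstation"] for e in g}) for g in groups]
        suspicious = [s for s in stations if len(s) > 1]
        if suspicious:
            hits[user] = suspicious
    return hits

def session_durations(records):
    """Pair each 528 with the next 538 for the same user and workstation:
    {(user, workstation): seconds}, None while no 538 has arrived. Zero- or
    one-second network sessions are what a logon-script `net use` that
    connects, maps and disconnects looks like."""
    opened, durations = {}, {}
    for r in records:
        key = (r["user"], r["workstation"])
        if r["event_id"] == 528:
            opened[key] = r["time"]          # a repeated 528 restarts the session
            durations[key] = None
        elif r["event_id"] == 538 and key in opened:
            durations[key] = int((r["time"] - opened.pop(key)).total_seconds())
    return durations

def match_av_updates(records, av_text, tolerance=timedelta(seconds=2)):
    """For each 528, find an AV update on the same workstation within
    `tolerance`: {(user, workstation): seconds apart}. A hit says the AV
    client, not the user, opened that session to the server."""
    updates = defaultdict(list)
    for line in av_text.splitlines():
        if line.strip():
            ts, ws, _result = line.split(",")
            updates[ws.upper()].append(_ts(ts))
    matched = {}
    for r in records:
        if r["event_id"] == 528:
            for t in updates.get(r["workstation"], []):
                delta = abs(int((t - r["time"]).total_seconds()))
                if delta <= tolerance.total_seconds():
                    matched[(r["user"], r["workstation"])] = delta
    return matched

if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for r in recs:
        print(r["time"], r["event_id"], r["user"], r["workstation"],
              LOGON_TYPES.get(r["logon_type"], "Unknown (%d)" % r["logon_type"]))
    print("concurrent 528s:", find_concurrent_logons(recs))
    print("528/538 sessions:", session_durations(recs))
    print("528s matching an AV update:", match_av_updates(recs, AV_LOG))
```

On the constructed sample the script reports jsilva with 528s from CCI_2009, CCI_2011 and CCI_2017 in the same second, sessions of 0 to 2 seconds on each of them, and an AV update on every one of those stations within two seconds of the logon, which is the pattern to look for before blaming the user or a worm: the workstation that opened the session is the one named in the event, whatever station the user is sitting at.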

 
Hi dhawthorn and PeteH2, congratulations.

dhawthorn, there aren't any scheduled tasks on the station, but during the logon process the WinPopup program is started by a batch file script. I can't imagine what
"I'm afraid to say..." means.

PeteH2, as I said earlier, the AV software (InoculateIT/Cheyenne) is updated on the Win9x stations during the logon process by a batch file script. At this time the update is copied from the server's update directory and the AV is started on the station.

Any other ideas to help me?
 
What happens if you add a freshly built workstation *without* the AV software to the network, remove the AV update from the login script and log in to that PC?

 
Hello PeteH2,

I did what you suggested. I removed from the logon script the call to the AVupdate and WinPopup programs. I removed from the registry the automatic launch at logon of the AVrealmon and AVscan programs. The tests were made on a station with the Windows ME operating system. But the problem continued to happen. In the PDC's security log several 528 events for the same user login can be seen coming from different machines at the same instant of time. The station's registry (regedit) was searched and no reference was found to the names of the machines that the user is supposedly using to access the network. The fact is that the user is accessing the network from a single station, but in the event log several entries appear as if he were doing the same thing from several other stations at the same instant of time.

Any other idea?
 
Is it always the same user that is seen in Event Viewer?
Does this user exist in User Manager?
What happens if you delete the user from User Manager, wait 2 hours, then recreate them?
How often does the anti-virus software receive NEW vaccine files from the manufacturer?
Is the version of the AV software dated November 2002? (It should be!!)

Pete H
 
Hello PeteH2,

No. I can observe that every user who accesses the network from the station (name: cci_2009, OS: Windows ME) will appear many times in the PDC's security log, accessing the network from other stations at the same instant of time.

I removed the user and two hours later I registered it in the domain again. The user made an access to the network from the same station (cci_2009). Several 528 events appear in the PDC's security log as if the user were trying to access the network from the same other stations, all at the same time.

The anti-virus receives vaccine updates almost daily. The anti-virus installed on the network is InoculateIT version 4.53, build number 619, engine version 40.00, signature version 40.13, and the last update occurred on 04/11/2002.

There aren't any tasks scheduled by Windows ME's Task Scheduler on the station (cci_2009). I'm thinking about re-creating this station on the network with another name to see if the problem continues to exist. Reinstalling the operating system could be the solution, but there's a big problem: there are many stations in an identical situation.

Do you have any idea of some suspect program (worm, virus, trojan) that could cause the same effect?

Could it be an attempted attack (denial of service) against the PDC, since a single logon event (528) is generating several other events (528 and 538)?

Could it be an attempted attack ("user-station spoofing") against the PDC, since some event entries (528) appear in the security log relating to attempts to access the network from several different stations at the same moment for the same user?

Thank you in advance.
 
OK, let's clarify a couple of things.

When you deleted the user account from User Manager and waited two hours, did the error occur during those two hours?

Although you have AV software installed, I'm beginning to doubt whether it has been configured correctly, as the problem certainly seems virus-based in its appearance, in that it wishes to constantly propagate.

Here are some virus definitions. Check them and see if they match. These definitions are from the Sophos web site and may cover instructions for the Sophos AV software.


I would continue to rebuild that workstation and try it with a fresh build, just to see what happens. But, if I suspect correctly, this will make no difference.

HTH

Pete H
 
Hi PeteH2,

No. The error did not occur during those two hours.

I want to add that when access to the network for the user is allowed only from station CCI_2009, other entries (Event ID 528/538) from other stations for the same user do not appear in the security log.

I still have not finished the virus check you indicated on all the stations. Up to now no virus was detected on the analyzed stations.

I am waiting for the conclusion of the virus check to try to see what happens with a fresh build of station CCI_2009.

Thanks a lot.
 