Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Mystery logon through localhost

Status
Not open for further replies.
rcr484

rcr484

IS-IT--Management
May 21, 2003
4
0
0
US
I'm stumped with an issue on a webserver. This is Win2000 Std Server that acts as our internal webserver and also serves as our antivirus distribution server.

We started receiving failed logons from our security log last week. The logon indicates the user was connecting through the localhost. There are entries for both success and failure for the logon. But the logon doesn't appear to start any processes or services. Indeed, it looks like all it's doing is opening a folder, like it's a local session with the folder left open. In reality, there's no local logon, neither locally nor from network. If I allow the user, and the user ID is my other network admin, to logon as a service, the security log no longer logs a failure but instead a success.

There are lots of logon and logoffs, but in essence the only result I see is this odd open folder.

Any rough ideas on how I can track down the session? I've cross-checked all processes and services with no success. Also, every suspect process I've halted has had no effect on the mystery session. It doesn't appear to have any effect on the server, but it's just bugging the hell out of me.
 
Sort by date Sort by votes
try running hijack this its free ware then post your findings on security hacker detection, forensic forum, they can then decipher the read out and tell you what to do.

good luck

bob

Jones' Law
The man who can smile when things go wrong has thought of someone he can blame it on.
 
Upvote 0 Downvote
Honestly, I don't believe it's anything like that. This appears to be a process kicked off with the use of my co-admin's ID, probably the result of a recent installation. My problem lies in deciphering how the event is kicked off and why his ID is still being used to start it.

Of note is the fact that while the admin ID is used, the process or service itself is run by the system, even though there is no listing under services or processes for the occurrance. And when the session is killed, it reappears within minutes, just like a service restart. I've combed through every service and every running process with no luck so far.

I guess what I'm trying to say is that I need to track down a process in Windows that's neither listed as a process nor a service. Capiche?
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

MattM1975
  • Locked
  • Question
Domain Admin Logon 1
Replies
2
Views
80
ADB100
ADB100
DrB0b
  • Locked
  • Question
RDWeb server getting hit with odd logon requests....
Replies
1
Views
70
DrB0b
DrB0b
techbrain1
  • Locked
  • Question
No connection to internet through wireless connection
Replies
1
Views
44
kjv1611
kjv1611
Leozack
  • Locked
  • Question
LOGON SPEED : GPO settings vs script reg import etc
Replies
3
Views
62
Leozack
Leozack
jrjetta1
  • Locked
  • Question
Failed logon script
Replies
0
Views
27
jrjetta1
jrjetta1

Part and Inventory Search

Sponsor

Back
Top