- 192.168.1.125 (FTP server, in-house - "domestic and global bonseop sseuim for updates)
- Today, after remotely accessing the server and looking inside computer 125, remote connections to 192.168.1.124 and 192.168.1.121 were showing on the screen.
- Leave their computers inside gutyi seobeotim step 125 to another server, if remote access was considered very rare,
- I tried looking at the recently used commands in the Start -> Run menu.
- Remote access had been attempted with the following commands.
- mstsc /v Nikkiluv
- mstsc /v Newcosmo (124)
- mstsc
- \\nikkiluv
- mstsc /v kaloffice
- mstsc /v 121.189.63.190
- (IDC lek configuration not only written documents, but the back seat of an internal IP internal IP and I think the mail server.)
- mstsc /v Kal-comm (121)
- mstsc /v Fkz3c33c9ueodxa
- Administrative Tools -> Event Viewer: very unusually, entries with event ID 528 remained; they are the following.
- 2009-10-26 03:39:25, (Monday morning)
- Successful Logon:
- User Name: kal
- Domain: COSMO
- Logon ID: (0x0, 0x16571DFF)
- Logon Type: 10
- Logon Process: User32
- Authentication Package: Negotiate
- Workstation Name: COSMO
- Logon GUID: --
- Caller User Name: COSMO $
- Caller Domain: WORKGROUP
- Caller Logon ID: (0x0, 0x3E7)
- Caller Process ID: 3380
- Transited Services: --
- Source Network Address: 206.217.202.226
- Source Port: 2799
- For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
- 2009-10-24 09:34:54 (Saturday)
- Successful Logon:
- User Name: kal
- Domain: COSMO
- Logon ID: (0x0, 0x15792451)
- Logon Type: 10
- Logon Process: User32
- Authentication Package: Negotiate
- Workstation Name: COSMO
- Logon GUID: --
- Caller User Name: COSMO $
- Caller Domain: WORKGROUP
- Caller Logon ID: (0x0, 0x3E7)
- Caller Process ID: 2612
- Transited Services: --
- Source Network Address: 206.217.202.226
- Source Port: 2815
- For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
- http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%20Operating%20System&ProdVer=5.0&EvtID=528&EvtSrc=Security&LCID=1033
- According to the site, event ID 528 is what is left when a logon succeeds. To test this, I intentionally connected with a wrong password.
- Event ID 529 is left when the password is wrong, and 528 when the logon succeeds.
- So someone logged on successfully, and I think the 528 events that remain came from a foreign IP. An outsider is suspected of having gained access.
- * One-line summary: in the Event Viewer on computer 125, event ID 528 entries remain from a foreign IP, which is suspicious.
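
The check done by hand above (event ID 528, Logon Type 10, source address outside the internal range) can be scripted. The following is an added example, not part of the original notes: it parses event text in the field layout quoted above and returns the remote-desktop logons whose source address is not private. The function names and the second sample record are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample in the field layout of the events quoted above;
# the second record is invented to show an internal-source logon.
SAMPLE = """\
2009-10-26 03:39:25
Successful Logon:
User Name: kal
Logon Type: 10
Source Network Address: 206.217.202.226
2009-10-27 10:02:11
Successful Logon:
User Name: admin
Logon Type: 10
Source Network Address: 192.168.1.124
"""

# Both patterns tolerate the "- " list prefix used in the notes.
STAMP = re.compile(r"^(?:-\s*)?(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
FIELD = re.compile(r"^(?:-\s*)?([A-Za-z ]+?):\s*(.*)$")

def parse_events(text):
    """Split pasted Event Viewer text into one dict per timestamped record."""
    events = []
    for line in map(str.strip, text.splitlines()):
        stamp = STAMP.match(line)
        if stamp:
            events.append({"Time": stamp.group(1)})
        elif events:
            field = FIELD.match(line)
            if field:
                events[-1].setdefault(field.group(1), field.group(2).strip())
    return events

def external_rdp_logons(events):
    """Return Logon Type 10 (RemoteInteractive) records from non-private sources."""
    hits = []
    for ev in events:
        if ev.get("Logon Type") != "10":
            continue
        try:
            addr = ipaddress.ip_address(ev.get("Source Network Address", ""))
        except ValueError:
            continue  # "-" or empty: no network source to classify
        if not (addr.is_private or addr.is_loopback):
            hits.append((ev["Time"], ev.get("User Name"), str(addr)))
    return hits
```

Running `external_rdp_logons(parse_events(SAMPLE))` returns only the 2009-10-26 logon by `kal` from 206.217.202.226; the internal-source record is skipped.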