CCIHelpdesk
Thu Sep 06 12:40:03 PDT 2007
J Wolfgang Goerlich,
That may be the culprit... if it is the "guest" service of UltraVNC...
then that may be it.
I launched TCPView - "locked" the account - closed VNC - then went
back in...
Logged back in... I saw the "isdiua" attempt followed by my login.
Even though I logged in with a valid account I still got the following
"failure audits" in the Security Event Log:
Logon Failure:
Reason: Unknown user name or bad password
User Name: isdiua
Domain: CCI-USA
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: PA-GRAPEFRUIT
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: PA-GRAPEFRUIT
failed. The error code was: 3221225
and the ...
Logon Failure:
Reason: Unknown user name or bad password
User Name: boris
Domain: PA-GRAPEFRUIT
Logon Type: 2
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: PA-CITRIX02
Maybe it is the VNC?
Any thoughts?
Thanks - CCI Helpdesk
"jwgoerlich@gmail.com" wrote:
> If I recall correctly, UltraVNC tests to see if the Guest user is
> enabled by logging on as "isdiua". This user account does not exist,
> of course, and hence the "Unknown user name" failure. When Guest is
> enabled, the isdiua will login with guest access (even though the
> account does not exist).
>
> So, my guess is someone is attempting to login over VNC with the
> Helpdesk account. UltraVNC first tries guest access, which fails, and
> then tries explicit Helpdesk credentials.
>
> If this happens regularly, then you could use TCPView. Run it on the
> Citrix server and watch which TCP connections open at the time the
> event occurs. Watch to see which IP address is attempting the VNC
> connection.
>
> Regards,
>
> J Wolfgang Goerlich
>
>
> TCPView for Windows v2.4
>
> http://www.microsoft.com/technet/sysinternals/Networking/TcpView.mspx
>
> On Sep 6, 1:02 pm, CCI Helpdesk
> <CCIHelpd...@discussions.microsoft.com> wrote:
> > JWG,
> >
> > Yes, we have UltraVNC installed.
> >
> > CCI
> >
> >
> >
> > "jwgoerl...@gmail.com" wrote:
> > > That is strange. Is VNC installed on this Citrix server, by chance?
> >
> > > J Wolfgang Goerlich
> >
> > > On Sep 6, 11:20 am, CCI Helpdesk
> > > <CCIHelpd...@discussions.microsoft.com> wrote:
> > > > Roger,
> >
> > > > Thanks - this is a Citrix Server - we do not have an account "isdiua" in our
> > > > domain by that name.
> >
> > > > Unless it is some acronym for a Microsoft service?
> >
> > > > It is like we are "hit" with that login as an initial login attempt for a
> > > > non-account then attempting to use our Helpdesk account to login. After that
> > > > the next entry shows the Helpdesk account has been locked out. It looks like
> > > > we are being probed with some password attack agent - is there a way to
> > > > detect that?
> >
> > > > We are trying to figure out how the "vermin" are attempting to use the
> > > > single logon NTLM authentication to gain access.
> >
> > > > Thanks
> > > > CCI Helpdesk
> >
> > > > "CCI Helpdesk" wrote:
> > > > > Folks,
> >
> > > > > We are seeing this entry in the Security log of our event viewer on one of
> > > > > our servers.
> >
> > > > > It is usually followed by a failed attempt to login with a standard user
> > > > > account.
> > > > > The account usually gets "locked out"
> >
> > > > > This is what we see prior to the "lock out"
> >
> > > > > Logon Failure:
> > > > > Reason: Unknown user name or bad password
> > > > > User Name: isdiua
> > > > > Domain: CCI-USA
> > > > > Logon Type: 3
> > > > > Logon Process: NtLmSsp
> > > > > Authentication Package: NTLM
> >
> > > > > Has anyone seen this before? Is someone piggybacking on someone's login to the
> > > > > network from a remote computer?
> >
> > > > > Please advise.
> >
> > > > > CCI Helpdesk.
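The thread's original question was whether the "isdiua" precursor followed by a real-account failure can be detected automatically. Below is an added example (not code from anyone in this thread, and not part of UltraVNC or TCPView) that parses the kind of "Logon Failure:" text blocks quoted above and flags that sequence: a Logon Type 3 (network) failure for the nonexistent probe user, immediately followed by a failure for a different account from the same Workstation Name. It also counts failures per account so the helpdesk can see which accounts are approaching the domain lockout threshold. The sample log text, the "helpdesk" account name and the threshold value are constructed for the example; the field names are the ones shown in the thread.

```python
"""Detect the UltraVNC guest-probe pattern in exported Security-log text.

Pattern (as described in the thread): an NTLM network logon failure for a
user that does not exist ("isdiua"), then a failure for a real account from
the same workstation, eventually producing an account lockout.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

Event = Dict[str, str]

# Constructed sample: three Logon Failure blocks in the layout shown in the thread.
# The "helpdesk" account and the ordering are made up for this example.
SAMPLE_LOG = """\
Logon Failure:
Reason: Unknown user name or bad password
User Name: isdiua
Domain: CCI-USA
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: PA-GRAPEFRUIT

Logon Failure:
Reason: Unknown user name or bad password
User Name: helpdesk
Domain: CCI-USA
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: PA-GRAPEFRUIT

Logon Failure:
Reason: Unknown user name or bad password
User Name: boris
Domain: PA-GRAPEFRUIT
Logon Type: 2
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: PA-CITRIX02
"""

# "Key: Value" lines; keys are words and spaces only, so free-text lines are skipped.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$")


def parse_logon_failures(text: str) -> List[Event]:
    """Split exported log text into one dict per 'Logon Failure:' block."""
    events: List[Event] = []
    current: Optional[Event] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Logon Failure:":
            current = {}
            events.append(current)
            continue
        if current is None or not line:
            continue
        match = FIELD_RE.match(line)
        if match:
            current[match.group(1).strip()] = match.group(2).strip()
    return events


def find_probe_sequences(events: List[Event], probe_user: str = "isdiua") -> List[Tuple[Event, Event]]:
    """Return (probe, follow-up) pairs: a Logon Type 3 failure for the nonexistent
    probe user immediately followed by a failure for another account from the
    same Workstation Name. Events are assumed to be in chronological order."""
    pairs: List[Tuple[Event, Event]] = []
    for probe, follow in zip(events, events[1:]):
        if probe.get("User Name", "").lower() != probe_user.lower():
            continue
        if probe.get("Logon Type") != "3":
            continue
        same_host = probe.get("Workstation Name") == follow.get("Workstation Name")
        if same_host and follow.get("User Name", "").lower() != probe_user.lower():
            pairs.append((probe, follow))
    return pairs


def failures_per_account(events: List[Event]) -> Dict[str, int]:
    """Count logon failures per (lower-cased) user name."""
    return dict(Counter(e.get("User Name", "").lower() for e in events))


def accounts_near_lockout(events: List[Event], threshold: int) -> List[str]:
    """Accounts whose failure count has reached the given lockout threshold
    (the threshold is an assumed policy value, not one from the thread)."""
    return sorted(user for user, n in failures_per_account(events).items() if n >= threshold)


if __name__ == "__main__":
    parsed = parse_logon_failures(SAMPLE_LOG)
    for probe, follow in find_probe_sequences(parsed):
        print(f"probe from {probe['Workstation Name']}: "
              f"{probe['User Name']} -> {follow['User Name']} (Logon Type {follow['Logon Type']})")
    print("failures per account:", failures_per_account(parsed))
    print("at/over assumed threshold of 1:", accounts_near_lockout(parsed, 1))
```

The Workstation Name in these events is the name the client reported, which is why Wolfgang's advice to pair the log review with TCPView on the Citrix server still matters: the TCP connection shows the actual source IP of the VNC session, while the log only shows what the client claimed.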