Password cracker?



FSnopes
07-09-2005, 10:52 PM
I think (and am afraid) I know the answer to this question already, but I'd
like confirmation: On two Win2000 servers (not in a domain), I am getting a
stream of failed logon attempts from a single workstation using a single
username. The attempts come at intervals of 12, then 11 seconds over periods
of up to two hours. This user has an unprivileged account on one server, but
no account on the other server. Should I be relatively certain that this
activity is caused by a password cracker, or could there be some other
explanation?

Mark Randall
07-09-2005, 10:52 PM
That, or someones holding the return key down....

--
- Mark Randall
http://zetech.swehli.com

"FSnopes" <FSnopes@discussions.microsoft.com> wrote in message
news:F1AB387E-0116-42DE-92FB-53BD3466910A@microsoft.com...
>I think (and am afraid) I know the answer to this question already, but I'd
> like confirmation: On two Win2000 servers (not in a domain), I am getting
> a
> stream of failed logon attempts from a single workstation using a single
> username. The attempts come at intervals of 12, then 11 seconds over
> periods
> of up to two hours. This user has an unprivileged account on one server,
> but
> no account on the other server. Should I be relatively certain that this
> activity is caused by a password cracker, or could there be some other
> explanation?

S. Pidgorny
07-09-2005, 10:52 PM
May be not brute forcing. In our environments we still widely use password
lockout - it often is caused by old drive mappings, after password has
changed. Identify the process doing that - that helps.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

"FSnopes" <FSnopes@discussions.microsoft.com> wrote in message
news:F1AB387E-0116-42DE-92FB-53BD3466910A@microsoft.com...
> I think (and am afraid) I know the answer to this question already, but
I'd
> like confirmation: On two Win2000 servers (not in a domain), I am getting
a
> stream of failed logon attempts from a single workstation using a single
> username. The attempts come at intervals of 12, then 11 seconds over
periods
> of up to two hours. This user has an unprivileged account on one server,
but
> no account on the other server. Should I be relatively certain that this
> activity is caused by a password cracker, or could there be some other
> explanation?

FSnopes
07-09-2005, 10:52 PM
Logon process: NtLmSsp
Logon type: 3
Authentication Package: NTLM

Thanks...

"S. Pidgorny <MVP>" wrote:

> May be not brute forcing. In our environments we still widely use password
> lockout - it often is caused by old drive mappings, after password has
> changed. Identify the process doing that - that helps.
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
> "FSnopes" <FSnopes@discussions.microsoft.com> wrote in message
> news:F1AB387E-0116-42DE-92FB-53BD3466910A@microsoft.com...
> > I think (and am afraid) I know the answer to this question already, but
> I'd
> > like confirmation: On two Win2000 servers (not in a domain), I am getting
> a
> > stream of failed logon attempts from a single workstation using a single
> > username. The attempts come at intervals of 12, then 11 seconds over
> periods
> > of up to two hours. This user has an unprivileged account on one server,
> but
> > no account on the other server. Should I be relatively certain that this
> > activity is caused by a password cracker, or could there be some other
> > explanation?
>
>
>


Password cracker?