[THIN] Re: Trying to figure out security log settings

  • From: "PETERSON, DAVID" <DPETERSO@xxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Thu, 27 Jan 2005 15:43:08 -0500

Would I even need those ports enabled at all? This system is a dedicated
Citrix server. I do have Web Interface, but the web portion is on a
different server. 

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Henry Sieff
Sent: Thursday, January 27, 2005 3:28 PM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: Trying to figure out security log settings

Well, if it's someone logging in via Citrix, this line:

Logon Process:  NtLmSsp

Would be:
Logon Process:  User32  

And 
Authentication Package: NTLM

Would be:
Authentication Package: negotiate

And workstation name would be the Citrix server.

In fact, given the NTLM, either:
A) you are opening NetBT from that Citrix server to the world or
B) somebody from inside your network is trying to connect to resources on
that particular server using unregistered workstations in random domains.

I'd run a sniffer on the Citrix server looking at ports 135-137, 139,
and 445.

Henry
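
The contrast drawn in the reply above (User32/negotiate for a Citrix logon, NtLmSsp/NTLM for the failures in the log), as an added triage sketch that is not part of the original thread. The names EXAMPLECORP and CTXSRV01, the second sample event and the label strings are constructed assumptions; the first sample is the event quoted in the thread.

```python
import re

# Field labels as they appear in the Logon Failure text quoted in the thread;
# the colon after a label is optional there, so the pattern accepts both forms.
FIELDS = ("Reason", "User Name", "Domain", "Logon Type", "Logon Process",
          "Authentication Package", "Workstation Name")
FIELD_RE = re.compile(
    r"^\s*(%s)\s*:?\s*(.*?)\s*$" % "|".join(re.escape(f) for f in FIELDS), re.I)

def parse_event(text):
    """Return {lower-cased label: value} for one event description."""
    event = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            event[m.group(1).lower()] = m.group(2)
    return event

def classify(event, own_domains, server_name):
    """Label an event using the field values contrasted in the thread."""
    process = event.get("logon process", "").lower()
    package = event.get("authentication package", "").lower()
    workstation = event.get("workstation name", "").upper()
    if (process, package) == ("user32", "negotiate") \
            and workstation == server_name.upper():
        return "citrix-session"
    if (process, package) == ("ntlmssp", "ntlm"):
        known = event.get("domain", "").upper() in own_domains
        return "network-ntlm" if known else "network-ntlm-foreign"
    return "other"

# Constructed assumptions: the site's own domain and the Citrix server name.
OWN_DOMAINS, SERVER_NAME = {"EXAMPLECORP"}, "CTXSRV01"
QUOTED = """Logon Failure:
Reason: Unknown Username or password
User Name:Christian
Domain:AMITECH
Logon Type 3
Logon Process NtLmSsp
Authentication Package NTLM
Workstation Name: AMITECH"""
CONSTRUCTED = """Logon Failure:
User Name: jdoe
Domain: EXAMPLECORP
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: CTXSRV01"""
for sample in (QUOTED, CONSTRUCTED):
    print(classify(parse_event(sample), OWN_DOMAINS, SERVER_NAME))
```

Events labelled network-ntlm-foreign are the ones to correlate with a capture on ports 135-137, 139 and 445 on the server.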


> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx 
> [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of PETERSON, DAVID
> Sent: Thursday, January 27, 2005 2:02 PM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: Trying to figure out security log settings
> 
> I don't think so. I'm only seeing this on our Citrix server, 
> which is for remote access. The server has a different name 
> inside the network as well. One showed up as Del Rio Video, 
> but we don't have a client with that name. Another showed up 
> as ABM_Logistic, with the workstation name ABMHKRF_FTP, which 
> seems to be a shipper in Hong Kong that doesn't have a web 
> site I can find.
> 
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx 
> [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Schneider, Chad M
> Sent: Thursday, January 27, 2005 2:51 PM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: Trying to figure out security log settings
> 
> Someone who set their home machine to their home network, 
> brings machine in, plugs into your network and tries to sign 
> on with home network credentials? 
> 
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx 
> [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of PETERSON, DAVID
> Sent: Thursday, January 27, 2005 1:48 PM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Trying to figure out security log settings
> 
> I'm seeing odd entries in my security logs. What is showing 
> up are login attempts to accounts that don't exist and as a 
> domain that isn't ours.
> 
> An example is this:
> Logon Failure:
> Reason: Unknown Username or password
> User Name:Christian
> Domain:AMITECH
> Logon Type 3
> Logon Process NtLmSsp
> Authentication Package NTLM
> Workstation Name: AMITECH
> 
> None of the accounts are valid, a few tried to log on as 
> administrator, but I had already renamed that account and set 
> the password to a 16 character random password. I had also 
> set RestrictAnonymous to 2.
> 
> I have problems seeing these as serious hack attempts, but 
> they are annoying me, and are a bit odd. This is a 2000 SP4 
> box. I'm current on Windows security patches.
> 
> Should I not worry about these, or is there a way to stop it? 
> I'm also interested in what causes this, if these may be 
> zombie systems, etc.
> 
> Thanks
> 
> 
> NOTICE: This electronic mail transmission from the law firm 
> of Dinsmore & Shohl may constitute an attorney-client 
> communication that is privileged at law.  It is not intended 
> for transmission to, or receipt by, any unauthorized persons. 
> If you have received this electronic mail transmission in 
> error, please delete it from your system without copying it, 
> and notify the sender by reply e-mail, so that our address 
> record can be corrected.
> 
> ********************************************************
> This Weeks Sponsor: ThinPrint, GmbH
> Now available: .print Remote Desktop Printing Engine for 
> Microsoft Terminal Services
> http://www.thinprint.com/dotprint/index.php?sh2&lc=1
> **********************************************************
> Useful Thin Client Computing Links are available at:
> http://thin.net/links.cfm
> ThinWiki community - Excellent SBC Search Capabilities!
> http://www.thinwiki.com
> ***********************************************************
> For Archives, to Unsubscribe, Subscribe or set Digest or 
> Vacation mode use the below link:
> http://thin.net/citrixlist.cfm
> 