Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Jack Lyons (jack.lyonsMARTINAGENCY.COM)
Date: Mon May 07 2001 - 11:44:04 CDT
Check the computer Browser Service Properties. If there is anything that is
listed, then try removing them one at a time and see if that helps.
From: DE VILLIERS IAN [mailto:ian.devilliersBMW.CO.ZA]
Sent: Monday, May 07, 2001 6:30 AM
Subject: Weird happenings
I write this e-mail as I am rather concerned with some strange occurrences
at one of our remote sites.
The breakdown is more-or-less as follows.
Our BDC at our remote site has on occasion been some how knocked off the
network. Trying to open shares from other machines will come up with a
network error: "The network name cannot be found". These shares do exist
and when trying to open any shares from the server in question, an error
message will appear stating "MACHINE NAME There is a duplicate name on the
network". Doing an nbtstat -A on the machine's IP address will show
NetBIOS Remote Machine Name Table
Name Type Status
MACHINE <00>UNIQUE Conflict
DOMAIN <00>GROUP Registered
DOMAIN <1C>GROUP Registered
MACHINE <20>UNIQUE Conflict
DOMAIN <1E>GROUP Registered
MACHINE <03>UNIQUE Conflict
MLI_GROUP_BRAD <42> GROUP Registered
MLIA199E071BRAD<42> UNIQUE Registered
MAC Address = XX-XX-XX-XX-XX-XX
The "Duplicate Name" issue is not at all related to WINS/DNS configuration.
Upon consulting the event logs for the machine, the security log shows a
very high number of failed logins (Message ID:529) from a specific machine
located at one of our foreign branches in a seperate "complete trust"
domain. All of these failed logins appear at a very regular occurrence of
one failed login every 4 minutes. The times these failed logins occurr also
normally run on strange days (eg: Saturdays/Sundays very late in the
evening) and appear to run for hours on end. In between all these failed
logins, we also receive a lockout (Message ID: 644) every 13 minutes from
the same computer on the domain "Guest" account which is not even enabled.
I do not have a huge amount of expertise in security matters, but I am very
concerned about situations currently. Is this machine under attack ? In my
experience, programs that brute force passwords will make hundreds of
connections a minute, so why do the logs only show one connection every 4
minutes ? Is it possible that somebody may be "spoofing" the machine's name
The machine in question runs NT Server 4.0, Service Pack 6a and Microsoft
SQL Server 7. Network is TCP/IP.
Ian de Villiers