Guest r. wales Posted October 28, 2008

While looking at the security event logs for my main file server / DC I noted several unusual entries from last night. The server is 2K3, current SP, and fully patched (including MS08-067). Beginning at 8:01:51 pm and going until 9:45:43 pm, there were entries for Event ID 673 for several of our users and a few machines. There was no one in at that time and all workstations were shut down. At varying times the different accounts showed up in two entries. Both were Event ID 673. All entries showed the client address as 127.0.0.1. The first entry's service name was "fileserver2$" (where fileserver2 is a Win 2K server at another branch) and the second entry's service name is "krbtgt". The entries show in pairs at the same time and are spread out at irregular intervals. Looking through the other logs, I cannot find any other entries that correspond. Fileserver2 had not been updated with the MS08-067 patch at that point (it was applied this morning). Is this evidence of a possible attack or something more benign? Why would all of the client addresses be 127.0.0.1 on the fileserver/DC? Thanks in advance for any light anyone can shed on this mystery.
Guest kbits.net Posted November 12, 2008

Normally when the first byte is 127 it indicates the host itself. I think there is a registry fix for that if the patch is not resolving it. Check Google. Hope this helps.

"r. wales" wrote:

> while looking at the security event logs for my main file server / DC i noted
> several unusual entries from last night. The server is 2K3, current sp, and
> fully patched (including MS08-067). Beginning at 8:01:51 pm and going until
> 9:45:43 pm, there were entries for Event ID 673 for several of our users and
> a few machines. There was no one in at that time and all work stations were
> shut down. At varying times the different accounts showed up in two entries.
> Both were event id 673. all entries showed the client address as 127.0.0.1.
> the first entry service name was "fileserver2$" (where fileserver2 is a win
> 2k server at another branch) and the second entry service name is "krbtgt".
> The entries show in pairs at the same time and are spread out at irregular
> intervals. Looking through the other logs, I cannot find any other entries
> that correspond. Fileserver2 had not been updated with the MS08-067 patch at
> that point (was applied this morning). Is this evidence of a possible attack
> or something more benign? Why would all of the client addresses be 127.0.0.1
> on the fileserver/DC?
>
> Thanks in advance for any light anyone can shed on this mystery.
Guest Alun Jones Posted November 13, 2008

"kbits.net" <kbitsnet@discussions.microsoft.com> wrote in message news:31010EF2-8D89-472A-B9D6-68DDAF63006B@microsoft.com...

> Normally when the first byte is 127 it indicates the host itself. I think
> there is a registry fix for that if the patch is not resolving it. Check
> Google. Hope this helps.

While that is true, it is possible to forge packets on the network wire that "come from" 127.0.0.1. Sometimes it's even possible to do it by accident - I had a customer trying to get his system to work with a bunch of Sun workstations several years ago - he just couldn't get the Windows system to talk to any of the Suns, or vice versa. It turned out in the end that he actually had the systems set up to use "127.0.0.0/8" as his local subnet. Microsoft isn't the only company that skip-reads RFCs.

Alun.
~~~~
--
Texas Imperial Software | Web: http://www.wftpd.com/
23921 57th Ave SE | Blog: http://msmvps.com/alunj/
Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(206)428-1991 | Try our NEW client software, WFTPD Explorer.
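The triage the original poster is doing by hand (pairing up Event ID 673 entries that share a timestamp and a user, checking whether every client address is loopback, and noting that they fall outside working hours) can be scripted. The block below is an added example and was not posted by anyone in this thread; the log lines, the pipe-separated field layout and the business-hours window are all constructed for the example and only loosely follow the fields of a Windows Server 2003 event 673 record. It also treats the whole 127.0.0.0/8 range as loopback, since Alun's reply shows that "127.x" addresses can reach a log for reasons other than a local request.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, time

# Constructed sample records (not real log data), loosely modelled on a
# Windows Server 2003 security event 673 (Service Ticket Granted):
# timestamp | event id | user | domain | service name | client address | ticket options
SAMPLE_LOG = """\
2008-10-27 20:01:51|673|jsmith|CORP|fileserver2$|127.0.0.1|0x40810010
2008-10-27 20:01:51|673|jsmith|CORP|krbtgt|127.0.0.1|0x60810010
2008-10-27 09:15:03|673|mjones|CORP|fileserver1$|10.1.2.44|0x40810010
2008-10-27 20:37:12|673|mjones|CORP|fileserver2$|127.0.0.1|0x40810010
2008-10-27 20:37:12|673|mjones|CORP|krbtgt|127.0.0.1|0x60810010
2008-10-27 21:45:43|673|WS042$|CORP|krbtgt|127.0.0.1|0x60810010
2008-10-27 14:02:10|673|jsmith|CORP|krbtgt|127.0.0.1|0x60810010
"""

# Assumed working-hours window for this example; adjust to the site.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)


def parse_log(text):
    """Turn the pipe-separated sample format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, user, domain, service, client, opts = line.split("|")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": int(eid),
            "user": user,
            "domain": domain,
            "service": service,
            "client": client,
            "options": opts,
        })
    return events


def is_loopback(addr):
    """True for anything in 127.0.0.0/8, not only 127.0.0.1; False for junk."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def outside_hours(dt):
    return not (BUSINESS_START <= dt.time() < BUSINESS_END)


def find_suspicious_pairs(events):
    """Group 673 events by (timestamp, user) and report groups in which a
    krbtgt ticket and a machine-account ticket (service name ending in '$')
    were issued together, every client address is loopback, and the time
    falls outside business hours. This reproduces the poster's observation
    as a repeatable check; it is a triage filter, not proof of compromise."""
    groups = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 673:
            groups[(ev["time"], ev["user"])].append(ev)

    findings = []
    for (ts, user), evs in sorted(groups.items()):
        services = {e["service"] for e in evs}
        machine_services = sorted(s for s in services if s.endswith("$"))
        all_loopback = all(is_loopback(e["client"]) for e in evs)
        if "krbtgt" in services and machine_services and all_loopback and outside_hours(ts):
            findings.append({
                "time": ts.strftime("%Y-%m-%d %H:%M:%S"),
                "user": user,
                "services": machine_services + ["krbtgt"],
            })
    return findings


def loopback_ratio(events):
    """Share of 673 events with a loopback client address: a cheap baseline
    to compare today's log against a known-quiet day on the same DC."""
    tgs = [e for e in events if e["event_id"] == 673]
    if not tgs:
        return 0.0
    return sum(is_loopback(e["client"]) for e in tgs) / len(tgs)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in find_suspicious_pairs(evs):
        print(f"{f['time']}  {f['user']:<10} {', '.join(f['services'])}")
    print(f"loopback share of 673 events: {loopback_ratio(evs):.0%}")
```

On the constructed sample this flags the two out-of-hours jsmith/mjones pairs and leaves the lone daytime krbtgt entry and the lone WS042$ entry alone. The `loopback_ratio` figure is the number to compare against a normal day on the same DC before deciding whether the loopback addresses themselves are unusual, since tickets requested by processes running on the DC will legitimately show the host's own address.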