What is VPNz?

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I'm investigating a hacking attempt on our Windows 2003 server. We had 56
bad attempts to guess a user's password. Below is the detail of the attempt
with the identifiable information removed:

Logon Failure:
Reason: Unknown user name or bad password
User Name: (e-mail address removed)
Domain: OUR_DOMAIN
Logon Type: 8
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: AUB04
Caller User Name: OUR_SERVER$
Caller Domain: OUR_DOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 8224
Transited Services: -
Source Network Address: XXX.XXX.XXX.XXX
Source Port: 1224

Looking up port 1224, it appears to be something called VPNz... what is VPNz
and what should I do about it? The password has already been changed.

Thanks,
Dan
 
Sounds like someone is using a script to try to log onto your servers using
a clear text password.
They were denied.

Be wary of a logon type 8 that succeeds.

Is the username a good username on your domain?
If so, how did they get it, if it is a hack?
If it is good, check with the user to see if they have some sort of script
running with their username and (a bad) password that would cause this.
Maybe they changed their password on the domain but not in the script.


hth
DDS
 
Big reason I'm worried is because the account did end up getting
authentication on that port. The owner of the account isn't technical enough
to write a script, so that wouldn't be it.
 
Source port would be a random port. My guess is you looked up what port 1224
could be used as a destination or "server" port. Since it looks like you
know the workstation name I would take a close look at what is going on with
that computer [malware, expired credentials used for process, etc] and
possibly users using it during that time frame.

Steve
 
I think the IP address may be the user's home computer. I was thinking that
VPNz was the issue (based on the port). Makes sense now. I've already asked
her to scan her home computer.

Thanks,
Dan

Steven L Umbach said:
Source port would be a random port. My guess is you looked up what port 1224
could be used as a destination or "server" port. Since it looks like you
know the workstation name I would take a close look at what is going on with
that computer [malware, expired credentials used for process, etc] and
possibly users using it during that time frame.

Steve


Dan Getz said:
I'm investigating a hacking attempt on our Windows 2003 server. We had 56
bad attempts to guess a user's password. Below is the detail of the
attempt
with the identifiable information removed:

Logon Failure:
Reason: Unknown user name or bad password
User Name: (e-mail address removed)
Domain: OUR_DOMAIN
Logon Type: 8
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: AUB04
Caller User Name: OUR_SERVER$
Caller Domain: OUR_DOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 8224
Transited Services: -
Source Network Address: XXX.XXX.XXX.XXX
Source Port: 1224

Looking up port 1224, it appears to be something called VPNz... what is
VPNz
and what should I do about it? The password has already been changed.

Thanks,
Dan
Click to expand...
Click to expand...
 
Back
Top