On Tue, 27 Apr 2010 07:16:18 -0700 (PDT), yaro137
>To get more detailed information I enabled Kerberos logging and this
>is what I get:
>A Kerberos Error Message was received:
> on logon session
> Client Time:
> Server Time: 13:46:44.0000 4/27/2010 Z
> Error Code: 0xd KDC_ERR_BADOPTION
> Extended Error: 0xc00000bb KLIN(0)
> Client Realm:
> Client Name:
> Server Realm: DOMAIN.LOCAL
> Server Name: host/dru001.domain.local
> Target Name: host/dru001.domain.local@newsgroup
> Error Text:
> File: 9
> Line: b22
> Error Data is in record data.
>I'm getting quite a lot of these accompanied by :
> User Name: Administrator
> User ID: DOMAIN\Administrator
> Service Name: krbtgt/DOMAIN
> Pre-Authentication Type: 0x2
> Failure Code: 0x18
> Client Address: 127.0.0.1
> Reason: Unknown user name or bad password
> User Name: administrator
> Domain: DOMAIN
> Logon Type: 10
> Logon Process: User32
> Authentication Package: Negotiate
> Workstation Name: DRU001
> Caller User Name: DRU001$
> Caller Domain: DOMAIN
> Caller Logon ID: (0x0,0x3E7)
> Caller Process ID: 6240
> Transited Services: -
> Source Network Address: 184.108.40.206
> Source Port: 1706
>The IP is external and has nothing to do with the client. I can't
>check what PID 6240 is as it doesn't exist any more. 0x18 means
>invalid pre-authentication usually meaning bad password. Right, so
>someone's trying. My question is why the firs two logs look like they
>were coming from the server itself. Could it be already compromised or
>is it something else?
Nslookup says it's a Twaiwan name.
You can also use http://www.ip2location.com
to find IP locations.
My suggestion is to simply block the IP, or if you don't do any
business with Taiwan, deny the whole Taiwan IP block.
This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.
Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.
Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.