SharePoint server flooding Domain server with logon requests
I have a MOSS 07 server joined on a domain. In SharePoint Services there is an import connection to this domain with the auto discover domain server checked.
Recently the MOSS server has begun flooding one of our domain servers with logon requests - roughly 30 per second. All of these requests fail.
In Event Viewer on the Domain server these requests show up as an audit failure. The requests seem to go through a cycle of attempting to log on using an account and then validating the credentials of the same account.
The details of the failed requests from Event Viewer are below. I can't really glean anything from these apart from that it appears that the administrator account on the MOSS machine, i.e. the local administrator account is trying to log on to our domain.
But why would a local account try to log onto a domain?
I assume it's the local account because under "Account For Which Logon Failed:" and "Account Domain:" the name of the MOSS server is listed and not the name of our domain.
Any thoughts appreciated on this, thanks.
Here are two of the Event viewer events:
====================================================
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Administrator
Account Domain: name-of-moss-server
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: NAME-OF-MOSS-SERVER
Source Network Address: 10.4.XX.XXX
Source Port: 4612
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
====================================================
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Administrator
Source Workstation: NAME-OF-MOSS-SERVER
Error Code: 0xc000006a
====================================================
June 16th, 2010 6:19pm
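As an added example (not code from the thread), a short Python script that parses exported 4625 records in the field layout shown above and flags the two signals the post describes: the failed account's "Account Domain" equals the calling "Workstation Name" (a local account being presented to the DC), and a burst of failures within one second. The record text and timestamps are constructed, not the poster's actual export.

```python
import re
from collections import Counter, defaultdict
# Constructed sample in the post's 4625 field layout (added example, not the page's own export).
RECORD = """Time: {time}
An account failed to log on.
Subject:
Account Name: -
Account For Which Logon Failed:
Account Name: {user}
Account Domain: {domain}
Network Information:
Workstation Name: {ws}
"""
MOSS = dict(user="Administrator", domain="name-of-moss-server", ws="NAME-OF-MOSS-SERVER")
SAMPLE_LOG = ("=" * 52 + "\n").join(
    [RECORD.format(time="2010-06-16 18:19:00", **MOSS)] * 12        # burst: 12 in one second
    + [RECORD.format(time="2010-06-16 18:19:01", **MOSS)] * 3
    + [RECORD.format(time="2010-06-16 18:19:01", user="jsmith",    # one ordinary typo
                     domain="OURDOMAIN", ws="LAB-PC7")])

def parse_events(text):
    """One dict per '==='-separated record; keys are 'Section/Field' so the two
    'Account Name' lines (Subject vs. the failed account) stay distinct."""
    events = []
    for chunk in filter(str.strip, re.split(r"^=+$", text, flags=re.M)):
        ev, section = {}, "Event"
        for line in filter(None, map(str.strip, chunk.splitlines())):
            key, sep, value = (s.strip() for s in line.partition(":"))
            if not sep:                     # no colon: the event's message text
                ev["Message"] = line
            elif value:
                ev[f"{section}/{key}"] = value
            else:                           # "Subject:" etc. open a new section
                section = key
        events.append(ev)
    return events

def analyse(events, per_second_threshold=10):
    """Per workstation: peak failures in one second, and accounts whose 'Account Domain'
    is the workstation itself (the post's symptom). Reported when either signal fires."""
    per_sec, peak, local = Counter(), defaultdict(int), defaultdict(set)
    for ev in (e for e in events if e.get("Message") == "An account failed to log on."):
        ws, t = ev["Network Information/Workstation Name"].lower(), ev["Event/Time"]
        per_sec[(ws, t)] += 1
        peak[ws] = max(peak[ws], per_sec[(ws, t)])
        if ev["Account For Which Logon Failed/Account Domain"].lower() == ws:
            local[ws].add(ev["Account For Which Logon Failed/Account Name"])
    return {ws: {"peak_per_second": peak[ws], "local_accounts": sorted(local[ws])}
            for ws in peak if peak[ws] >= per_second_threshold or local[ws]}
```

Run against a real export, the same two signals separate a looping service configuration or a password-guessing loop from the occasional mistyped domain password.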
Hi Ivan,
The site is used internally only in a school and is for development. I was not here when the SP server was installed and configured but the admin account may have been used while doing these.
I just had a look at the Event Viewer on the SP machine and found corresponding events for the logon events on the Domain server except these are called "Success Audit".
On these events the "User whose credentials were used" match up with the "Account for which logon failed" on the Domain server events, i.e. it is the local admin account on the SP server.
But a new piece of information here is the "Logged on user" which gives the name of the WSS Service Account - the account which runs the 'w3wp.exe' and 'OWSTIMER.exe' processes.
Does this provide any further insight into why these logon attempts are being sent to the domain server? Could this indicate that someone is trying to brute force into the SP admin account through the SP web interface?
I found that these logon attempts are also being sent from the live SP server accessible by students externally, so do you think this is a hack attempt?
Thanks again.
Here is a "Success Audit" log on attempt event on the SP server of which there is a corresponding "Audit failure" event on the domain server:
===================================================
Logon attempt using explicit credentials:
Logged on user:
User Name: WSSServiceAccount
Domain: OURDOMAIN
Logon ID: (0x0,0x216FA)
Logon GUID: {e273d101-b870-fb45-b34e-4bf7555f8c09}
User whose credentials were used:
Target User Name:
Administrator
Target Domain:
name-of-moss-server
Target Logon GUID: -
Target Server Name: name-of-domain-server.OURDOMAIN
Target Server Info: name-of-domain-server.OURDOMAIN
Caller Process ID: 2400
Source Network Address: -
Source Port: -
June 17th, 2010 1:09pm
Yes, it would appear so, but not SPAdmin, just the default NT Admin account. You can change the name of the local Admin account. You should be able to report it by gathering the IP address and explicitly block it (internally, get the MAC address and not allow them on the network; go to their desk or dorm and shut them down). It's the only time I have seen authentication requests being made 30 times a second and being unsuccessful. Sounds like a brute force attack. However, since they only have the server name, they haven't been sniffing the traffic for the domain. You may want to, if you haven't already, use forms based authentication and use SSL for the external site; this would encrypt the username and password information and make it more difficult for scripts to be run against your website... Tools like L0pht Industries are very good at cracking hashed passwords...
-Ivan
Ivan Sanders, My LinkedIn Profile, My Blog, @iasanders.
June 19th, 2010 3:27am