Re: Event Viewer - Security Log
If I recall correctly, UltraVNC tests to see if the Guest user is
enabled by logging on as "isdiua". This user account does not exist,
of course, and hence the "Unknown user name" failure. When Guest is
enabled, the isdiua logon will succeed with guest access (even though the
account does not exist).
So, my guess is someone is attempting to log in over Vnc with the
Helpdesk account. UltraVNC first tries guest access, which fails, and
then tries explicit Helpdesk credentials.
If this happens regularly, then you could use TCPView. Run it on the
Citrix server and watch which TCP connections open at the time the
event occurs. Watch to see which IP address is attempting the Vnc
connection.
Regards,
J Wolfgang Goerlich
TCPView for Windows v2.4
http://www.microsoft.com/technet/sysinternals/Networking/TcpView.mspx
On Sep 6, 1:02 pm, CCI Helpdesk
<CCIHelpd...@discussions.microsoft.com> wrote:
> JWG,
>
> Yes, we have UltraVNC installed.
>
> CCI
>
>
>
> "jwgoerl...@gmail.com" wrote:
> > That is strange. Is Vnc installed on this Citrix server, by chance?
>
> > J Wolfgang Goerlich
>
> > On Sep 6, 11:20 am, CCI Helpdesk
> > <CCIHelpd...@discussions.microsoft.com> wrote:
> > > Roger,
>
> > > Thanks - this is a Citrix Server - we do not have an account "isdiua" in our
> > > domain by that name.
>
> > > Unless it is some acronym for a Microsoft service?
>
> > > It is like we are "hit" with that login as an initial login attempt for a
> > > non-account, then attempting to use our Helpdesk account to login. After that
> > > the next entry shows the Helpdesk account has been locked out. It looks like
> > > we are being probed with some password attack agent - is there a way to
> > > detect that?
>
> > > We are trying to figure out how the "vermin" are attempting to use the
> > > single logon NTLM authentication to gain access.
>
> > > Thanks
> > > CCI Helpdesk
>
> > > "CCI Helpdesk" wrote:
> > > > Folks,
>
> > > > We are seeing this entry in the Security log of our event viewer on one of
> > > > our servers.
>
> > > > It is usually followed by a failed attempt to login with a standard user
> > > > account.
> > > > The account usually gets "locked out"
>
> > > > This is what we see prior to the "lock out"
>
> > > > Logon Failure:
> > > > Reason: Unknown user name or bad password
> > > > User Name: isdiua
> > > > Domain: CCI-USA
> > > > Logon Type: 3
> > > > Logon Process: NtLmSsp
> > > > Authentication Package: NTLM
>
> > > > Has anyone seen this before? Is someone piggybacking on someone's login to the
> > > > network from a remote computer?
>
> > > > Please advise.
>
> > > > CCI Helpdesk.
>
>
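The explanation above gives a detection rule a defender can apply to the Security log: an "Unknown user name" failure for "isdiua" (the UltraVNC guest check) followed within seconds by a network-logon (type 3, NtLmSsp) failure for a real account marks a VNC logon attempt against that account, and the later lockout is the end of the same sequence. The script below is an added example, not code from the thread or from UltraVNC; the log text it parses is constructed for the example using the field layout quoted in the thread plus a constructed `Time:` line, and the probe user name and 60-second window are assumptions taken from the thread's description.

```python
"""Correlate the UltraVNC guest-probe failure ("isdiua") with the account
failure that follows it, as a defender's check on exported Security-log text.

Added example; the SAMPLE_LOG below is constructed (field names follow the
entry quoted in the thread, the Time: line is added for the example).
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# User name UltraVNC logs on with to test whether Guest is enabled (per the thread).
VNC_GUEST_PROBE_USER = "isdiua"

# Constructed sample: a probe, the real-account failure one second later,
# and an unrelated failure hours later that should not be flagged.
SAMPLE_LOG = """\
Logon Failure:
Time: 2007-09-06 10:58:02
Reason: Unknown user name or bad password
User Name: isdiua
Domain: CCI-USA
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM

Logon Failure:
Time: 2007-09-06 10:58:03
Reason: Unknown user name or bad password
User Name: Helpdesk
Domain: CCI-USA
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM

Logon Failure:
Time: 2007-09-06 14:20:11
Reason: Unknown user name or bad password
User Name: jsmith
Domain: CCI-USA
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
"""


@dataclass
class LogonFailure:
    when: datetime
    reason: str
    user: str
    domain: str
    logon_type: int
    logon_process: str
    auth_package: str


def parse_events(text: str) -> List[LogonFailure]:
    """Parse blank-line separated 'Key: value' blocks into LogonFailure records."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # split at the first colon only
            if sep:
                fields[key.strip()] = value.strip()
        if "User Name" not in fields:
            continue
        events.append(LogonFailure(
            when=datetime.strptime(fields["Time"], "%Y-%m-%d %H:%M:%S"),
            reason=fields.get("Reason", ""),
            user=fields["User Name"],
            domain=fields.get("Domain", ""),
            logon_type=int(fields.get("Logon Type", "0")),
            logon_process=fields.get("Logon Process", ""),
            auth_package=fields.get("Authentication Package", ""),
        ))
    return events


def find_vnc_probe_sequences(events: List[LogonFailure],
                             window: timedelta = timedelta(seconds=60)
                             ) -> List[Tuple[LogonFailure, LogonFailure]]:
    """Return (probe, follow-up) pairs: an 'isdiua' failure followed within
    `window` by a type-3 (network) failure for a different account. The
    follow-up names the account the VNC client is trying to log on with."""
    ordered = sorted(events, key=lambda e: e.when)
    hits = []
    for i, probe in enumerate(ordered):
        if probe.user.lower() != VNC_GUEST_PROBE_USER:
            continue
        for follow in ordered[i + 1:]:
            if follow.when - probe.when > window:
                break
            if follow.user.lower() != VNC_GUEST_PROBE_USER and follow.logon_type == 3:
                hits.append((probe, follow))
                break
    return hits


def describe(hits: List[Tuple[LogonFailure, LogonFailure]]) -> List[str]:
    """One line per correlated sequence, suitable for an alert or ticket."""
    return [
        f"{probe.when:%Y-%m-%d %H:%M:%S} VNC guest probe, then {follow.domain}\\{follow.user} "
        f"failed {int((follow.when - probe.when).total_seconds())}s later "
        f"({follow.logon_process}/{follow.auth_package})"
        for probe, follow in hits
    ]


if __name__ == "__main__":
    for line in describe(find_vnc_probe_sequences(parse_events(SAMPLE_LOG))):
        print(line)
```

On a live server the same correlation runs over exported event text; once a sequence is flagged, the timestamp is what to line up against TCPView's connection list to get the source IP the log entry itself does not carry.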