|Subject:||Unusual security event logs|
|Posted by:||r. wales (rwal…@discussions.microsoft.com)|
|Date:||Tue, 28 Oct 2008|
while looking at the security event logs for my main file server / DC i noted
several unusual entries from last night. The server is 2K3, current sp, and
fully patched (including MS08-067). Beginning at 8:01:51 pm and going until
9:45:43 pm, there were entries for Event ID 673 for several of our users and
a few machines. There was no one in at that time and all work stations were
shut down. At varying times the different accounts showed up in two entries.
Both were event id 673. all entries showed the client address as 127.0.0.1.
the first entry service name was "fileserver2$" (where fileserver2 is a win
2k server at another branch) and the second entry service name is "krbtgt".
The entries show in pairs at the same time and are spread out at irregular
intervals. Looking through the other logs, I cannot find any other entries
that correspond. Fileserver2 had not been updated with the MS08-067 patch at
that point (was applied this morning). Is this evidence of a possible attack
or something more benign? Why would all of the client addresses be 127.0.0.1
on the fileserver/DC?
Thanks in advance for any light anyone can shed on this mystery.