Posted October 28, 2008

While looking at the security event logs for my main file server / DC, I noted several unusual entries from last night. The server is 2K3, current SP, and fully patched (including MS08-067).

Beginning at 8:01:51 pm and going until 9:45:43 pm, there were entries for Event ID 673 for several of our users and a few machines. There was no one in at that time and all workstations were shut down. At varying times the different accounts showed up in two entries. Both were Event ID 673. All entries showed the client address as 127.0.0.1. The first entry's service name was "fileserver2$" (where fileserver2 is a Win 2K server at another branch) and the second entry's service name is "krbtgt". The entries show in pairs at the same time and are spread out at irregular intervals. Looking through the other logs, I cannot find any other entries that correspond. Fileserver2 had not been updated with the MS08-067 patch at that point (it was applied this morning).

Is this evidence of a possible attack or something more benign? Why would all of the client addresses be 127.0.0.1 on the fileserver/DC? Thanks in advance for any light anyone can shed on this mystery.
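The pattern the post describes (pairs of Event ID 673 entries for one account at one timestamp, one naming a remote server's computer account and one naming krbtgt, all with client address 127.0.0.1, outside working hours) is easy to pull out of an exported log mechanically. The following is an added triage helper written for this page, not code from the original poster or from any Microsoft tool. The event records are constructed to resemble the description fields of a Windows Server 2003 Event ID 673 (Service Ticket Granted) entry; the user names, host names, addresses and timestamps are invented, and the 07:00 to 19:00 business-hours window is an assumption you would replace with your own. The script only isolates and summarises the pattern so it can be compared against the other branch's logs; it does not decide whether the activity is malicious.

```python
"""Triage helper for Windows Server 2003 Event ID 673 (Service Ticket Granted).

Flags pairs of 673 events for the same account at the same timestamp where one
names krbtgt and the other names some other service principal, both with the
client address 127.0.0.1, and notes whether each pair fell outside the assumed
business-hours window. Added example; not code from the post.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample records modelled on the 673 description fields.
# Users, hosts, addresses and timestamps are made up for this example.
SAMPLE_EVENTS = [
    {"time": "2008-10-27 20:01:51", "id": 673, "user": "jsmith",  "service": "fileserver2$", "client": "127.0.0.1"},
    {"time": "2008-10-27 20:01:51", "id": 673, "user": "jsmith",  "service": "krbtgt",       "client": "127.0.0.1"},
    {"time": "2008-10-27 20:37:10", "id": 673, "user": "WKS01$",  "service": "fileserver2$", "client": "127.0.0.1"},
    {"time": "2008-10-27 20:37:10", "id": 673, "user": "WKS01$",  "service": "krbtgt",       "client": "127.0.0.1"},
    # Daytime ticket from a real client address: should not be flagged.
    {"time": "2008-10-27 14:12:03", "id": 673, "user": "mlee",    "service": "fileserver1$", "client": "10.0.0.55"},
    # A 672 (Authentication Ticket Granted) entry: different event, ignored here.
    {"time": "2008-10-27 21:45:43", "id": 672, "user": "jsmith",  "service": "krbtgt",       "client": "10.0.0.61"},
]

LOOPBACK = "127.0.0.1"
BUSINESS_START = time(7, 0)   # assumption: normal activity runs 07:00-19:00
BUSINESS_END = time(19, 0)


def parse_time(stamp: str) -> datetime:
    """Timestamps in the constructed records use ISO-like 'YYYY-MM-DD HH:MM:SS'."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")


def is_off_hours(when: datetime) -> bool:
    """True when the timestamp falls outside the assumed business window."""
    t = when.time()
    return t < BUSINESS_START or t >= BUSINESS_END


def group_loopback_673(events):
    """Group 673 events with a loopback client address by (user, timestamp)."""
    groups = defaultdict(set)
    for ev in events:
        if ev["id"] == 673 and ev["client"] == LOOPBACK:
            groups[(ev["user"], ev["time"])].add(ev["service"].lower())
    return groups


def triage(events):
    """One finding per (user, timestamp) that carries both a krbtgt ticket and a
    ticket for another service, both from 127.0.0.1, in time order."""
    findings = []
    grouped = sorted(group_loopback_673(events).items(), key=lambda kv: kv[0][1])
    for (user, stamp), services in grouped:
        other = sorted(s for s in services if s != "krbtgt")
        if "krbtgt" in services and other:
            findings.append({
                "user": user,
                "time": stamp,
                "services": other,
                "off_hours": is_off_hours(parse_time(stamp)),
            })
    return findings


def summarize(findings):
    """Distinct accounts and target services involved, for a quick report or
    for cross-checking against the other server's logs."""
    accounts = sorted({f["user"] for f in findings})
    services = sorted({s for f in findings for s in f["services"]})
    return {
        "accounts": accounts,
        "services": services,
        "all_off_hours": all(f["off_hours"] for f in findings),
    }


if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for f in results:
        print(f"{f['time']}  {f['user']:<8} -> {', '.join(f['services'])}  off_hours={f['off_hours']}")
    print(summarize(results))
```

Feeding it a real export means mapping the 673 description fields (User Name, Service Name, Client Address) onto the record keys above; the account list and service list it produces are what you would take to the other branch to look for matching activity on fileserver2 at the same timestamps.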