Event ID 7 in Windows 2000 Server Event-Log

Mel Riser mel.riser at fxfn.com
Fri Jun 20 13:12:00 EDT 2003


I am seeing this error on WIN2K KDC in my lab.

I traced the IP's back to a hacker group in Taiwan and they are trying a buffer overflow to change usernames and break in.

If anyone gets a better idea of the process and function call they are making, please forward to the list. 

My IDS is triggering on the error as well.

my  solution for now is to block that IP range at the screening router on the edge.

hope to grep the logs this weekend and try and correlate the events in IDS to the Win2k error log


mel

-----Original Message-----
From: Holderfield, Jason [mailto:jholderfield at ritaohio.com]
Sent: Friday, June 20, 2003 8:40 AM
To: 'kerberos at mit.edu'
Subject: Event ID 7 in Windows 2000 Server Event-Log


I have received the error below on one of my domain controllers. Wondering
if any resolution has been found. Microsoft has no information:

Event Type:	Error
Event Source:	KDC
Event Category:	None
Event ID:	7
Date:		6/18/2003
Time:		4:53:25 PM
User:		N/A
Computer:	
Description:
The Security Account Manager failed a KDC request in an unexpected way. The
error is in the data field. The account name was ⭄竇䓹粥琞敗ِߕ崨ߕ￿￿⤀ and
lookup type 0x100.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: c0000034


Any suggestions/ideas?
Thank you,
jholderfield at rita.to <mailto:jholderfield at rita.to> 



**********************************************************************
CONFIDENTIALITY NOTICE: This message is intended only for the
lawful and specified use of the individual or entity to which it is addressed and may contain information that is privileged, confidential or exempt from disclosure under applicable law. If the reader of this message is not the intended recipient or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that you are strictly prohibited from disclosing, printing, storing, disseminating, distributing or copying this communication, or admitting to take any action relying thereon, and doing so may be unlawful. It should be noted that any use of this communication outside of the intended and specified use as designated by the sender, may be unlawful. If you have received this communication in error, please notify the Regional Income Tax Agency (R.I.T.A) Operations Group @ 440-922-3275 or via e-mail security at rita.to <mailto:security at rita.to> and delete the message from your computer.  Thank You.
**********************************************************************

________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos



More information about the Kerberos mailing list