Par*_*ram 9 windows windows-server-2008 windows-event-log eventviewer
I am getting a lot of failure audits on my server. From the log I have identified the specific machine that is the culprit. How do I identify which process is sending the logon requests?
Do you know how to find this out?
Below are the details from the log.
Security log on \QKSRVDC212:
[2465151] Microsoft-Windows-Security-Auditing
Type: FAILURE AUDIT
Computer: QKSRVDC212.Corp.abc.com
Time: 7/26/2012 9:31:00 AM ID: 4625
An account failed to log on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: Quality
Account Domain: QDMNT140
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: QDMNT140
Source Network Address: 10.1.1.185
Source Port: 3973
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
On the logon source system "QDMNT140", run netstat -ano | findstr 3973 to see which process has the matching source port "3973" open. If the port is not static, replace 3973 with whatever the port changes to.
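The two-step procedure above (pull the source address/port out of the 4625 events on the DC, then map that port to a process on the source machine) as an added PowerShell example; this is not code from the original question or answer. It assumes an elevated PowerShell session, that step 1 runs on the DC and step 2 on the source workstation (QDMNT140 in the log above), and it parses netstat -ano rather than using Get-NetTCPConnection because the latter does not exist on Windows 7 / Server 2008 R2.

```powershell
# Added example (not from the original post). Run step 1 on the DC, step 2 on the source host.

# Step 1 (on the DC): summarise recent 4625 events by source address/port and target account.
function Get-FailedLogonSources {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents $MaxEvents |
        ForEach-Object {
            # The named EventData fields are more reliable than parsing the message text.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = "$($data.TargetDomainName)\$($data.TargetUserName)"
                Workstation = $data.WorkstationName
                SourceIP    = $data.IpAddress
                SourcePort  = $data.IpPort
                LogonType   = $data.LogonType
                SubStatus   = $data.SubStatus   # 0xc0000064 = user name does not exist
            }
        }
}

# Step 2 (on the source workstation): map a local TCP source port to its owning process.
function Get-ProcessBySourcePort {
    param([Parameter(Mandatory)][int]$Port)
    netstat -ano |
        Where-Object { $_ -match ('^\s*TCP\s+\S+:' + $Port + '\s') } |
        ForEach-Object {
            $cols   = $_.Trim() -split '\s+'      # Proto, Local, Foreign, State, PID
            $procId = [int]$cols[-1]
            $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Local   = $cols[1]
                Remote  = $cols[2]
                State   = $cols[3]
                PID     = $procId
                Process = if ($proc) { $proc.Name } else { '(exited)' }
                Path    = if ($proc) { $proc.Path } else { $null }
            }
        }
}

# Usage: on the DC, rank the noisiest source/account pairs; then on the source host,
# look up the port reported in the most recent event (3973 in the log above).
Get-FailedLogonSources | Group-Object SourceIP, Account | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
# Get-ProcessBySourcePort -Port 3973
```

The source port in a 4625 event identifies a connection that is usually ephemeral, so step 2 only succeeds while that connection is still open; for a failure that repeats every few minutes, run step 2 in a loop on the source host and keep the first hit.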