我在我的服务器上收到了很多失败审计。 从日志,我已经确定了罪魁祸首的特定机器。 如何识别哪个进程正在发送login请求?
你有什么想法如何找出?
以下是日志的细节。
安全login\ QKSRVDC212:
[2465151] Microsoft-Windows-Security-Auditing Type: FAILURE AUDIT Computer: QKSRVDC212.Corp.abc.com Time: 7/26/2012 9:31:00 AM ID: 4625 An account failed to log on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: Quality Account Domain: QDMNT140 Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xc000006d Sub Status: 0xc0000064 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: QDMNT140 Source Network Address: 10.1.1.185 Source Port: 3973 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 在login源系统“QDMNT140”上使用netstat -ano | findstr 3973 netstat -ano | findstr 3973查看哪个进程打开了匹配的源端口“3973”。 如果端口不是静态的,则将其replace为3973。