Lansweeper attempts egregious number of logins

Posted: Thursday, July 9, 2020 5:47:22 PM(UTC)
dc74 (Member, Original Poster, Posts: 1)

Hello all,

I'm having an issue with a program called Splunk along with Lansweeper. We are currently getting upwards of 100,000+ event triggers caused by our Lansweeper account evidently trying to log in to a few servers. An example of one of the Splunk alerts follows:

Quote:
Jul 8 09:54:17 <IP Address> Jul 8 13:54:13 SEC02 ossec: Alert Level: 3; Rule: 18107 - Windows Logon Success.; Location: (<Azure Server 2>) any->WinEvtLog; user: <Lansweeper account>; 2020 Jul 08 09:54:10 WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: <Lansweeper account>: <Company Name>: <azure server 2. company name.com>: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-21-796845957-1078145449-725345543-35416 Account Name: <Lansweeper Account> Account Domain: <company name> Logon ID: 0xe4bfe94 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: <Lansweeper Server> Source Network Address:<IP Address> Source Port: <port> Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128


This is one of 3 nearly identical emails received in the same millisecond. Additionally, when I try to scan the servers in question on the Lansweeper console I get this error message:

Quote:
ActiveDirectory_DomainService Event 1481 Directory Service <company name>\<Lansweeper account name> 07/09/2020 12:06:11

Internal error: The operation on the object failed.

Additional Data
Error value:
2 0000208D: NameErr: DSID-03100213, problem 2001 (NO_OBJECT), data 0, best match of:
''


For security reasons I have not attached errorlog.txt yet.

I have a ticket in with Lansweeper support, but have not heard back from them yet. This is a pressing issue, so I'm coming to the forums with it.

#1 FrankSc (Member, Administration, Posts: 43)
Posted: 7/10/2020 2:54:11 PM(UTC)
Hi,

As also answered in the ticket you created, we don't expect these types of alerts to be generated by Lansweeper. To isolate this, you could change the password for this account in Lansweeper only; this could clarify the origin of the alerts.
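
A complementary check to the isolation step above, added here as an example that is not part of the original thread or of Lansweeper's or Splunk's own tooling: it parses alerts in the flattened OSSEC 4624 layout quoted in the first post, groups them by originating workstation and source address, and compares the alert count with the number of distinct Logon IDs, so duplicated alerts can be told apart from real logon sessions. The account, host names and addresses in the sample are constructed assumptions.

```python
import re
from collections import Counter

# Field layout follows the flattened OSSEC/4624 alert quoted in the thread.
FIELDS = {
    "target": r"Location: \((.+?)\)",
    "account": r"New Logon:.*?Account Name:\s*(.+?)\s+Account Domain:",
    "logon_id": r"New Logon:.*?Logon ID:\s*(0x[0-9a-fA-F]+)",
    "workstation": r"Workstation Name:\s*(.+?)\s+Source Network Address:",
    "source_ip": r"Source Network Address:\s*(\S+)",
}

def parse_alert(line):
    """Return the logon fields of one alert, or None if it is not a complete 4624 record."""
    if "AUDIT_SUCCESS(4624)" not in line:
        return None
    found = {name: re.search(rx, line) for name, rx in FIELDS.items()}
    if not all(found.values()):
        return None
    return {name: m.group(1) for name, m in found.items()}

def summarize(lines, account, expected_workstation):
    """Per (workstation, source IP, target): alert count vs distinct logon sessions."""
    alerts, sessions = Counter(), {}
    for rec in filter(None, map(parse_alert, lines)):
        if rec["account"].lower() != account.lower():
            continue
        key = (rec["workstation"], rec["source_ip"], rec["target"])
        alerts[key] += 1
        sessions.setdefault(key, set()).add(rec["logon_id"])  # Logon ID identifies one session on the target
    return [{"workstation": k[0], "source_ip": k[1], "target": k[2], "alerts": n,
             "sessions": len(sessions[k]),
             "expected_source": k[0].lower() == expected_workstation.lower()}
            for k, n in alerts.most_common()]

def _sample(account, ws, ip, logon_id):
    """Build one constructed alert line (hypothetical names, private addresses)."""
    return ("Jul 8 13:54:13 SEC02 ossec: Alert Level: 3; Rule: 18107 - Windows Logon Success.; "
            "Location: (SRV-A) any->WinEvtLog; user: " + account + "; WinEvtLog: Security: "
            "AUDIT_SUCCESS(4624): An account was successfully logged on. Subject: Security ID: S-1-0-0 "
            "Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-21-0 "
            "Account Name: " + account + " Account Domain: EXAMPLE Logon ID: " + logon_id + " "
            "Network Information: Workstation Name: " + ws + " Source Network Address:" + ip + " "
            "Source Port: 50000 Detailed Authentication Information: Authentication Package: NTLM")

SAMPLE = ([_sample("svc_scan", "SCANSRV01", "10.0.0.5", "0xa1")] * 3      # one logon alerted three times
          + [_sample("svc_scan", "SCANSRV01", "10.0.0.5", "0xa2"),
             _sample("svc_scan", "WKS042", "10.0.0.77", "0xb1"),           # same account, different origin
             _sample("svc_scan", "WKS042", "10.0.0.77", "0xb2"),
             _sample("jdoe", "WKS007", "10.0.0.9", "0xc1")])

if __name__ == "__main__":
    for row in summarize(SAMPLE, "svc_scan", "SCANSRV01"):
        print(row)
```

A row with `expected_source` false means the account is being used from a host other than the scanning server; a row where `alerts` is much larger than `sessions` points at duplicated alerting rather than extra logons.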
