Discussion:
User account lockout (by JCIFS)
Jan Nielsen
2007-03-14 17:14:41 UTC
Hi

On an old NT4 domain I'm experiencing that a specific user is being locked out
multiple times a day.
On the DCs I've found events with ID 644 from source Security. This event
entry should tell me from which machine the failing logon attempts are
coming. And it does, it says: JCIFS7_139_6D. My problem is that this name
is registered in neither DNS nor WINS. Furthermore a computer account
with that name does not exist.
I've tried NBTSTAT (-c & -s) hoping to find the name, but no luck.

JCIFS seems to be an open source Java implementation of CIFS. Apparently
it makes up a name itself if it's not configured with one (which it probably
isn't regularly, as the parameter "jcifs.netbios.hostname" is listed under
"Less Commonly Used Properties" according to docs on jcifs.samba.org).
I'm not aware of such software on the network, but someone must have
introduced it.

My question is how can I make Windows tell me which computer these
requests come from. Apparently Windows trusts the fake name invented by the
JCIFS host. How can I log the IP (without using a network sniffer)?


vkr.
Jan Nielsen
j***@gmail.com
2007-03-15 11:45:12 UTC
Post by Jan Nielsen
My question is how can I make Windows tell me which computer these
requests come from. Apparently Windows trusts the fake name invented by the
JCIFS host. How can I log the IP (without using a network sniffer)?
If the 644 events are being logged regularly, then you could use
TCPView. Run it on the domain controller and watch which TCP
connections open at the time the event occurs.

TCPView for Windows v2.4
http://www.microsoft.com/technet/sysinternals/Networking/TcpView.mspx

Regards,

J Wolfgang Goerlich
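
Added example, not part of the original thread: a short Python helper that narrows down the connections noted from TCPView on the DC. It assumes the auto-generated name follows the scheme in jCIFS 1.x's `NbtAddress` source, `JCIFS<3rd IPv4 octet>_<4th IPv4 octet>_<random hex byte>`; the connection list and the 10.x addresses are constructed sample data.

```python
import re
from collections import Counter

# Assumption: auto-generated jCIFS names look like JCIFS<octet3>_<octet4>_<2 hex digits>.
JCIFS_NAME = re.compile(r"^JCIFS(\d{1,3})_(\d{1,3})_([0-9A-Fa-f]{2})$")
# NetBIOS session service (139) and direct-hosted SMB (445) on the DC.
SMB_PORTS = {139, 445}

def octets_from_name(name):
    """Return the (third, fourth) IPv4 octets embedded in the name, or None."""
    m = JCIFS_NAME.match(name.strip())
    if not m:
        return None
    third, fourth = int(m.group(1)), int(m.group(2))
    if third > 255 or fourth > 255:
        return None
    # Caveat: (0, 1) suggests the client resolved its own host to 127.0.0.1,
    # in which case the name says nothing about its real address.
    return third, fourth

def candidate_sources(name, connections):
    """Rank remote IPs with SMB connections to the DC whose last two octets match."""
    octs = octets_from_name(name)
    if octs is None:
        return []
    hits = Counter()
    for remote_ip, local_port in connections:
        parts = remote_ip.split(".")
        if local_port not in SMB_PORTS or len(parts) != 4:
            continue
        if not all(p.isdigit() for p in parts):
            continue
        if (int(parts[2]), int(parts[3])) == octs:
            hits[remote_ip] += 1
    return hits.most_common()

# Constructed sample: (remote address, local port on the DC) as noted from TCPView.
SAMPLE_CONNECTIONS = [
    ("10.1.7.139", 139),
    ("10.1.7.139", 139),
    ("10.1.4.20", 445),
    ("10.2.7.139", 80),   # right octets, but not an SMB port
    ("10.1.7.13", 139),   # SMB port, wrong last octet
]

if __name__ == "__main__":
    print(octets_from_name("JCIFS7_139_6D"))
    for ip, count in candidate_sources("JCIFS7_139_6D", SAMPLE_CONNECTIONS):
        print(ip, count)
```

A match only narrows the search to hosts whose address ends in those two octets; confirm the host by checking it for a Java application using jCIFS with stale credentials for the locked-out account.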
taher vaziri
2010-10-27 20:42:32 UTC
Hi Jan
I have the same problem in our company.
Have you resolved the problem, and how did you trace it?
I know JCIFS is an open source Java implementation of CIFS
and it uses a fake name instead of the real machine name.

Thanks in advance
Taher
Post by Jan Nielsen
Hi
On an old NT4 domain I'm experiencing that a specific user is being locked out
multiple times a day.
On the DCs I've found events with ID 644 from source Security. This event
entry should tell me from which machine the failing logon attempts are
coming. And it does, it says: JCIFS7_139_6D. My problem is that this name
is registered in neither DNS nor WINS. Furthermore a computer account
with that name does not exist.
I've tried NBTSTAT (-c & -s) hoping to find the name, but no luck.
JCIFS seems to be an open source Java implementation of CIFS. Apparently
it makes up a name itself if it's not configured with one (which it probably
isn't regularly, as the parameter "jcifs.netbios.hostname" is listed under
"Less Commonly Used Properties" according to docs on jcifs.samba.org).
I'm not aware of such software on the network, but someone must have
introduced it.
My question is how can I make Windows tell me which computer these
requests come from. Apparently Windows trusts the fake name invented by the
JCIFS host. How can I log the IP (without using a network sniffer)?
vkr.
Jan Nielsen
Post by j***@gmail.com
If the 644 events are being logged regularly, then you could use
TCPView. Run it on the domain controller and watch which TCP
connections open at the time the event occurs.
TCPView for Windows v2.4
http://www.microsoft.com/technet/sysinternals/Networking/TcpView.mspx
Regards,
J Wolfgang Goerlich