
“VMWare - Vcenter - Authentication Brute Force” behavior from <IP><HOST> <IP><HOST> with source user as “root”


Article ID: 242962


Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

“SWIFT - VMWare - Vcenter - Authentication Brute Force” behavior from 10.214.206.120 (gdcpavc0053) and 10.214.206.124 (gdcpavc0057) with source user as “root”

Destination Host : <host>

Destination IP: <IP>

This incident occurred on Apr 24th and May 03rd. It did not happen again.

Environment

Release : 3.4

Component : 

Resolution

The issue occurred only twice. The network team provided a report showing attempts to verify the root account against the PAM host every 1-5 seconds, about 20 times. This appears to have alerted the network security team's application and VMware to a possible DoS/brute-force attack. Unfortunately, this was reported to support 2 months after the issue occurred, and no logs or information from PAM were available on what might have occurred. It seems there was a network change or issue on those two dates. PAM was never down on those two dates, so logs may not have shown anything even if they existed.
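The following is an added example, not part of the original article and not code from PAM or VMware. It shows how a simple burst rule flags the pattern in the network team's report. The log format, the addresses, and the thresholds (gaps of at most 5 seconds, 20 attempts) are assumptions taken from the figures above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAX_GAP = timedelta(seconds=5)  # assumed: attempts at most 5 s apart form one burst
MIN_ATTEMPTS = 20               # assumed: burst size that raises the alert


def parse(line):
    """Parse '<ISO timestamp> src=<ip> user=<name>' (constructed log format)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["src"], kv["user"]


def find_bursts(lines):
    """Return (src, user, first_ts, last_ts, count) for every qualifying burst."""
    per_key = defaultdict(list)
    for line in lines:
        ts, src, user = parse(line)
        per_key[(src, user)].append(ts)
    bursts = []
    for (src, user), stamps in per_key.items():
        stamps.sort()
        start = 0
        for i in range(1, len(stamps) + 1):
            # Close the current run at end of data or when the gap is too long.
            if i == len(stamps) or stamps[i] - stamps[i - 1] > MAX_GAP:
                if i - start >= MIN_ATTEMPTS:
                    bursts.append((src, user, stamps[start], stamps[i - 1], i - start))
                start = i
    return bursts


def sample_log():
    """Constructed sample: 20 root attempts 3 s apart, plus sparse unrelated events."""
    base = datetime(2022, 1, 1, 10, 0, 0)  # constructed date, not from the article
    burst = [f"{(base + timedelta(seconds=3 * i)).isoformat()} src=192.0.2.10 user=root"
             for i in range(20)]
    quiet = [f"{(base + timedelta(minutes=10 * i)).isoformat()} src=192.0.2.20 user=admin"
             for i in range(4)]
    return burst + quiet


if __name__ == "__main__":
    for src, user, first, last, count in find_bursts(sample_log()):
        print(f"{count} attempts by {user} from {src} between {first} and {last}")
```

A single user retried at a steady interval from one source, as in the report, matches this rule just as a password-guessing run would, so the source host's own logs are needed to tell the two apart.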