Chinese Characters in Netlogon.log -- re-asking


We have 822 occurrences of the following:

[CRITICAL] I_NetlogonLdapLookup: unrecognized character <Chinese characters>

in the last 2 days. The previous thread on this subject was marked "Answered" without being answered, so I'm re-asking:

1. Does anyone have any substantive information about what's sourcing this?

2. How can I associate a source IP with a single entry in the netlogon.log?

Here's what we know so far:

We have a Chinese linguist who has broken the character string down to 2 sections, the first being the same for all occurrences and the second being random-looking. He says the first section refers to "boats" or "water" and is looking farther, but he says the string definitely looks like virus-like activity.

Second, I_NetlogonLdapLookup is a function inside netlogon.dll, so intuition says something is trying to do an LDAP lookup on the Chinese character string. We are looking into exactly how that function is supposed to be called (we're network guys, not coders, so this may take longer than it should). Can someone help shorten this search?

C: There's no consistent contextual activity surrounding the actual log entries, so we're expecting to find out that there's more than one source, so it's extra important we figure out how to associate a source IP with these [CRITICAL] log entries, especially since we may be looking for a root kit or something else that's able to hide from our multiple AV programs.

Assistance is appreciated, good analytical step-oriented result-generating assistance is GREATLY appreciated!

Robert

Oh yeah -- this is being logged on a DC in a 2008R2 domain with a small but growing number of 2012 member servers and almost no remaining servers lower than 2008R2. I can provide more details if anyone needs them.
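The two things the post is trying to do by hand, separating the fixed part of the looked-up string from its variable tail and working out when the entries cluster, can be scripted. The Python below is an added example, not code from the thread or from Microsoft; it assumes the usual netlogon.log line layout (`MM/DD HH:MM:SS [LEVEL] message`), and the sample lines and the CJK strings in them are constructed placeholders, not the characters from the poster's log. Since the quoted entry carries no client address, the per-minute buckets are the hook for lining the spikes up against a packet capture or another log that does record one.

```python
import re
from collections import Counter
from os.path import commonprefix

# Assumed netlogon.log layout: "MM/DD HH:MM:SS [LEVEL] message". Only the
# I_NetlogonLdapLookup "unrecognized character" entries from the post are captured.
ENTRY_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[(?P<level>\w+)\] "
    r"I_NetlogonLdapLookup: unrecognized character (?P<name>.+?)\s*$"
)

# Constructed sample, not the poster's real log. The CJK strings are arbitrary
# placeholders chosen so the example has a fixed prefix and a variable tail.
SAMPLE_LOG = """\
10/14 09:12:01 [CRITICAL] I_NetlogonLdapLookup: unrecognized character 船水甲乙丙
10/14 09:12:03 [MISC] NetpDcGetName: constructed unrelated entry
10/14 09:12:40 [CRITICAL] I_NetlogonLdapLookup: unrecognized character 船水丁戊
10/14 10:05:12 [CRITICAL] I_NetlogonLdapLookup: unrecognized character 船水己庚辛
10/14 10:05:13 [CRITICAL] I_NetlogonLdapLookup: unrecognized character plain-ascii-name
"""

# Code point ranges of the CJK ideographs (the script seen in the post).
CJK_RANGES = ((0x3400, 0x4DBF), (0x4E00, 0x9FFF), (0xF900, 0xFAFF))


def has_cjk(text):
    """True if any character of text is a CJK ideograph."""
    return any(lo <= ord(ch) <= hi for ch in text for lo, hi in CJK_RANGES)


def parse_lookup_entries(log_text, cjk_only=True):
    """Return (timestamp, looked-up name) for each matching log line.

    With cjk_only=True, entries whose name has no CJK characters are skipped so
    ordinary lookup noise does not pollute the prefix analysis."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        if cjk_only and not has_cjk(m.group("name")):
            continue
        entries.append((m.group("ts"), m.group("name")))
    return entries


def split_fixed_and_variable(names):
    """Longest common prefix of all names, plus each name's remaining tail.

    This is the mechanical version of the split the linguist made by eye."""
    names = list(names)
    fixed = commonprefix(names) if names else ""
    return fixed, [n[len(fixed):] for n in names]


def bucket_by_minute(entries):
    """Count entries per 'MM/DD HH:MM' so spikes can be matched against a
    capture window or another log that records the client address."""
    return Counter(ts[:-3] for ts, _ in entries)


def summarize(log_text):
    entries = parse_lookup_entries(log_text)
    fixed, tails = split_fixed_and_variable(name for _, name in entries)
    return {
        "count": len(entries),
        "fixed_part": fixed,
        "variable_parts": tails,
        "per_minute": dict(bucket_by_minute(entries)),
    }


if __name__ == "__main__":
    # On a DC, read the real file instead, e.g.
    # open(r"C:\Windows\debug\netlogon.log", encoding=<whatever the file uses>).read()
    print(summarize(SAMPLE_LOG))
```

Run against the sample it reports three CJK entries sharing the prefix `船水`, three distinct tails, and two entries in the 09:12 minute and one at 10:05; on a real log the tails are the part worth comparing across DCs, and the minute buckets are what to hand to whoever is holding the packet capture.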
