RE: Account Lockout (Event ID: 539) Alert message
Hi,
Sounds like something running on a machine named WX98 is trying to log in
using NTLM as "steve" and not using the right password.
I would concentrate on checking what may be running on that box, even
consider that it could be infected. You can also run a netmon trace from
the server to try to catch traffic from this workstation coming to the
server.
Regards,
Damian
Damian N. Leibaschoff, MS IST, MCSE
Microsoft Corporation
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
>From: "Adam Butler" <adambutler100@xxxxxxxxxxx>
>Subject: Account Lockout (Event ID: 539) Alert message
>Date: Tue, 24 Jan 2006 07:20:29 -0600
>Message-ID: <OyJezjOIGHA.1388@xxxxxxxxxxxxxxxxxxxx>
>Newsgroups: microsoft.public.windows.server.sbs
>
>Hello,
>
>All of a sudden I've been getting a bunch of messages emailed to me from my
>SBS box with a subject just like the subject of this post.
>
>My problem is, I can't determine the source of the attempted logons to my
>user account!
>
>I review the SBS event security log and I see the failed logs but they do
>not contain any info as to the source.
>
>It seems as though this event is triggered and logged roughly every two
>hours. It looks like the event is logged 5 or 6 times when the illegal
>login takes place, which causes the account lockout event.
>
>I'll post the SBS generated email below as well as a copy from one of the
>actual event logs.
>My question is, is there any way possible to figure out the source that is
>causing these errors?
>Some type of logging I can turn on?
>
>I have blocked ALL public access to the SBS box from the public internet but
>the errors continue.
>This tells me that it is from the LAN side of my firewall.
>
>Here is the error message email as well as a copy of the event log.
>Thanks for any suggestions!
>Adam
>
>SBS generated email:
>
> Thread-Topic: Account Lockout (Event ID: 539) Alert on WX98
> From: "WX98" <macoone@xxxxxxxxxxxxxxxx>
> To: <adam@xxxxxxxxxxxxxxxx>
> Subject: Account Lockout (Event ID: 539) Alert on WX98
> Date: Tue, 24 Jan 2006 05:40:40 -0600
> X-Mailer: Microsoft CDO for Exchange 2000
>
> Alert on WX98 at 1/24/2006 5:40:39 AM
>
> An account was locked out due to multiple failed logon attempts that
>occurred in a short period of time. This may occur if an unauthorized user
>attempts to gain access to the network.
>
> For more information about this event, see the event logs on the server
>computer.
>
> You can disable this alert by using the Change Alert Notifications task in
>the Server Management Monitoring and Reporting taskpad.
>
>And the Security Event Log for this event:
>
>Event Type: Failure Audit
>Event Source: Security
>Event Category: Logon/Logoff
>Event ID: 539
>Date: 1/24/2006
>Time: 05:45:35
>User: NT AUTHORITY\SYSTEM
>Computer: WX98
>Description:
>Logon Failure:
> Reason: Account locked out
> User Name: steve
> Domain: MISSILEKRUSE
> Logon Type: 3
> Logon Process: NtLmSsp
> Authentication Package: NTLM
> Workstation Name: WX98
> Caller User Name: -
> Caller Domain: -
> Caller Logon ID: -
> Caller Process ID: -
> Transited Services: -
> Source Network Address: -
> Source Port: -
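Editor's added example (not code from either poster): the triage Adam asks for, run over constructed sample events in the text layout of the 539 record quoted above. Two things in that record are worth acting on. First, Source Network Address is "-" but Workstation Name is filled in (WX98), so grouping the preceding 529 bad-password events by Workstation Name names the source even without a netmon trace. Second, WX98 is also the Computer that logged the event and the sender of the alert mail, i.e. the server's own name, so the bad NTLM logons are being presented by something on the server itself (a service, scheduled task or persistent drive mapping still holding an old password for steve) rather than by a LAN client; a lockout that recurs on a fixed two-hour cycle fits that. The burst timings, the "adam" entry and the workstation LAPTOP7 are invented for the sample.

```python
"""Triage Security-log text for the source of an account lockout.

Parses 529 (bad password) and 539 (account locked out) failure-audit
records in the text layout the Event Viewer on Windows Server 2003 /
SBS 2003 exports, then answers the question asked in the thread: which
workstation is feeding the bad NTLM logons for a user, how regularly the
lockouts recur, and whether that "workstation" is the server itself.
"""
import re
from collections import Counter
from datetime import datetime

# Layout abridged from the 539 record quoted in the thread; every event
# built from it below is constructed sample data, not the poster's log.
EVENT_TEMPLATE = """Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: {eid}
Date: {date}
Time: {time}
User: NT AUTHORITY\\SYSTEM
Computer: {computer}
Description:
Logon Failure:
 Reason: {reason}
 User Name: {user}
 Domain: MISSILEKRUSE
 Logon Type: 3
 Logon Process: NtLmSsp
 Authentication Package: NTLM
 Workstation Name: {wks}
 Source Network Address: -
 Source Port: -

"""

BAD_PW = "Unknown user name or bad password"


def _burst(date, hour, user, wks, computer="WX98", bad=5):
    """Constructed burst: `bad` 529s a second apart, then the 539 logged
    when the now-locked account is tried once more."""
    out = [EVENT_TEMPLATE.format(eid=529, date=date, time=f"{hour:02d}:40:{30 + i:02d}",
                                 computer=computer, reason=BAD_PW, user=user, wks=wks)
           for i in range(bad)]
    out.append(EVENT_TEMPLATE.format(eid=539, date=date, time=f"{hour:02d}:45:35",
                                     computer=computer, reason="Account locked out",
                                     user=user, wks=wks))
    return "".join(out)


# Constructed sample: two bursts for "steve" two hours apart whose
# Workstation Name is WX98, the server's own name as in the posted
# record, plus one stray bad password for "adam" from LAPTOP7, a
# hypothetical LAN client.
SAMPLE_LOG = (_burst("1/24/2006", 3, "steve", "WX98")
              + _burst("1/24/2006", 5, "steve", "WX98")
              + EVENT_TEMPLATE.format(eid=529, date="1/24/2006", time="04:12:07",
                                      computer="WX98", reason=BAD_PW,
                                      user="adam", wks="LAPTOP7"))

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(.*?)\s*$", re.M)


def parse_events(text):
    """One dict of 'Field': 'value' per record, plus a parsed 'when'."""
    events = []
    for block in re.split(r"(?m)^(?=Event Type:)", text):
        if not block.strip():
            continue
        fields = dict(FIELD_RE.findall(block))
        fields["when"] = datetime.strptime(f"{fields['Date']} {fields['Time']}",
                                           "%m/%d/%Y %H:%M:%S")
        events.append(fields)
    return events


def _for_user(events, eid, user):
    return [e for e in events
            if e["Event ID"] == eid and e["User Name"].lower() == user.lower()]


def failures_by_source(events, user):
    """529 count per Workstation Name: the NTLM client fills this field
    in even when Source Network Address is '-', as in the posted event."""
    return Counter(e["Workstation Name"] for e in _for_user(events, "529", user))


def lockout_intervals_hours(events, user):
    """Hours between consecutive 539s; a fixed interval points at a
    service or scheduled task retrying a stale password."""
    times = sorted(e["when"] for e in _for_user(events, "539", user))
    return [(b - a).total_seconds() / 3600 for a, b in zip(times, times[1:])]


def self_originated(events):
    """Records whose Workstation Name equals the logging Computer: the
    bad logon was presented by the server itself, not by a LAN client."""
    return [e for e in events
            if e["Workstation Name"].lower() == e["Computer"].lower()]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("529s for steve by workstation:", dict(failures_by_source(evs, "steve")))
    print("hours between steve's lockouts:", lockout_intervals_hours(evs, "steve"))
    print("records originating on the server itself:", len(self_originated(evs)))
```

To use it on a real SBS 2003 box, save the Security log from Event Viewer as text and pass the file contents to parse_events; the 529s immediately before each 539 are the ones that consumed the lockout threshold, and their Workstation Name is the box to inspect. When that name is the server's own, the next step is on the server: services and scheduled tasks running as the locked-out user, and drive mappings or Exchange/Outlook profiles that cached the old password.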