Re: EventID 529 Logged 1723 Times in one Day!



Forgot. No - no source IP.
--
David @ Solsletta


"Cris Hanna [SBS-MVP]" wrote:

With all those different names, it appears to be a hack attack.
When you look at the event, do you see an IP? Are they consistent?

Have you gone to www.grc.com and run Shields Up to see what's open?
Is port 80 open?
Is port 21 open for FTP?

Are you running Std. or Premium?
If Std. what are you doing for a firewall?
"David" <David@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5B853CCB-3DB3-41A5-A7BB-7EA41680AB2B@xxxxxxxxxxxxxxxx
This is appearing in the logs with varying User Names:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 14/09/2007
Time: 02:18:30
User: NT AUTHORITY\SYSTEM
Computer: MAC
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: pop
Domain: MACPROSOL
Logon Type: 8
Logon Process: IIS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: MAC
Caller User Name: MAC$
Caller Domain: MACPROSOL
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 2144
Transited Services: -
Source Network Address: -
Source Port: -

The events are logged consistently but are intermittent. Generally
occurring every 2 seconds for several hours with one user name then
ceasing for a few hours or days before starting with another user name.
Examples of names are: pop, dns, test123, admin, administrator.

Hack attempt and apart from turning off remote access any ideas?
--
David @ Solsletta
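
An added example, not part of the original posts: a Python script that parses exported Event ID 529 records in the layout quoted above and groups the failures by user name into bursts, which makes the "one name for hours, then a pause, then another name" pattern visible. The sample records, the 10-minute gap threshold and all function names are constructed for illustration, and the dd/mm/yyyy date format is assumed from the quoted event.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

FIELD = re.compile(r"^[ \t]*(Event ID|Date|Time|User Name|Logon Type|Logon Process):(.*)$", re.M)

def make_sample():
    """Constructed records in the quoted event's layout; times and counts are invented."""
    base = datetime(2007, 9, 14, 2, 18, 30)
    recs = []
    for user, offset, count in [("pop", 0, 5), ("dns", 4 * 3600, 4), ("pop", 9 * 3600, 1)]:
        for i in range(count):
            t = base + timedelta(seconds=offset + 2 * i)  # one failure every 2 seconds
            recs.append(f"Event ID: 529\nDate: {t:%d/%m/%Y}\nTime: {t:%H:%M:%S}\n"
                        f"User Name: {user}\nLogon Type: 8\nLogon Process: IIS\n"
                        "Caller User Name: MAC$\nSource Network Address: -\n")
    return "\n".join(recs)

def parse_events(text):
    """Yield (timestamp, user, logon_type, logon_process) for every Event ID 529 record."""
    for chunk in re.split(r"(?m)^(?=[ \t]*Event ID:)", text):
        f = {k: v.strip() for k, v in FIELD.findall(chunk)}
        if f.get("Event ID") != "529":
            continue
        # Assumes dd/mm/yyyy dates, as in the quoted event (14/09/2007).
        ts = datetime.strptime(f"{f['Date']} {f['Time']}", "%d/%m/%Y %H:%M:%S")
        yield ts, f["User Name"], f["Logon Type"], f["Logon Process"]

def bursts(events, gap=timedelta(minutes=10)):
    """Group failures per user name into runs separated by more than `gap`."""
    by_user = defaultdict(list)
    for ts, user, _type, _proc in events:
        by_user[user].append(ts)
    out = []
    for user, times in by_user.items():
        times.sort()
        start = prev = times[0]
        n = 1
        for t in times[1:]:
            if t - prev > gap:          # quiet period: close the current run
                out.append((user, start, prev, n))
                start, n = t, 0
            prev, n = t, n + 1
        out.append((user, start, prev, n))
    return sorted(out, key=lambda b: b[1])

if __name__ == "__main__":
    events = list(parse_events(make_sample()))
    # Logon Type 8 is a network logon with a cleartext password, here via IIS.
    print({(e[2], e[3]) for e in events})
    for user, start, end, n in bursts(events):
        print(f"{user:8} {n:4} failures  {start} -> {end}")
```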
