Re: EventID 529 Logged 1723 Times in one Day!

Thanks for the prompt response. The usual ports are open for RWW, VPN & FTP
plus VNC. So: 80, 25, 443, 444, 4125, 1723, 3389, 47, 123, 21 & VNC
5500,5800 & 5900. Std and I'm using a hardware firewall router with
corresponding ports open. I guess I could change the port assignments. Any
useful KB articles on same?
--
David @ Solsletta


"Cris Hanna [SBS-MVP]" wrote:

with all those different names, appears to be a hack attack
when you look at the event do you see an IP are they consistent?

have you gone to www.grc.com and run Shields Up to see what's open?
Is port 80 open?
Is port 21 open for FTP?

Are you running Std. or Premium?
If Std. what are you doing for a firewall?
"David" <David@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5B853CCB-3DB3-41A5-A7BB-7EA41680AB2B@xxxxxxxxxxxxxxxx
This is appearing in the logswith varying User Names:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 14/09/2007
Time: 02:18:30
User: NT AUTHORITY\SYSTEM
Computer: MAC
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: pop
Domain: MACPROSOL
Logon Type: 8
Logon Process: IIS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: MAC
Caller User Name: MAC$
Caller Domain: MACPROSOL
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 2144
Transited Services: -
Source Network Address: -
Source Port: -

The events are logged consistently but are intermittent. Generally
occurring every 2 seconds for several hours with one user name then
ceasing
for a few hours or days before starting with another user name.
Examples of
names are: pop, dns, test123, admin, administrator.

Hack attempt and apart from turning off remote access any ideas?
--
David @ Solsletta

.

Relevant Pages

  • Re: Another security question/issue.
    ... Time to audit your server and workstations with AV, Malware, and installed ... Logon Process: Advapi ... Caller User Name: servername$ ... Source Port: - ...
    (microsoft.public.windows.server.sbs)
  • RE: Event ID 529 Logon Failure - Under Attack?
    ... event 529 is created but there is not source IP and Port recorded. ... This was a hack attack against the FTP server. ... <is not in the event log entry, the initial impression is that the attack ... Event ID Logon failures every couple of days. ...
    (microsoft.public.windows.server.sbs)
  • Re: Been hacked about 4 times now. Wanna be the 5th?
    ... So you mean your firewall blocks all outbound access other than to port 80 ... users can logon to your server. ... Caller User Name: KINGSERVER2000$ ...
    (microsoft.public.windows.server.security)
  • Re: SBS SP2 w/ISA Error 529
    ... When you access a computer through Terminal Services, Remote Desktop or Remote Assistance windows logs the logon attempt with logon type 10. ... Source port isn't the same as the port your server is listening on. ... Why is my server unable to lock out the Administator account?? ... > Caller User Name: MOBILE01$ ...
    (microsoft.public.windows.server.sbs)
  • Re: Another security question/issue.
    ... There are now MASSIVE attacks on port 25 all over the world. ... is trying to hack port 25, hack server / try to relay. ... Logon Process: Advapi ... Caller User Name: servername$ ...
    (microsoft.public.windows.server.sbs)
Loading