Re: How to ascertain what failed logins is caused by



Hi Siv, the key here is MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

This is an attempt on your email / port 25 system, to use you as a relay.

Switch on SMTP logging and in the logs you will find the IP to block if you
wish to investigate.

Hope it helps



"Siv" <Siv@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:684FF36A-75A4-429A-A340-8F01B31C8707@xxxxxxxxxxxxxxxx
Hi,
One of my client's Server logs this morning show that there have been 500 odd
failed login attempts. Looking in the Security Event Log I can see it's a
brute force attempt with hundreds of attempts using a single user name and
multiple passwords then a whole dictionary full of different user names.
Luckily we have pretty strong passwords so I am sure they have not managed to
get in.

The problem I have is finding out what the error logs are telling me:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 12/09/2008
Time: 12:29:41
User: NT AUTHORITY\SYSTEM
Computer: SERVER01
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: pentium
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER01
Caller User Name: SERVER01$
Caller Domain: MOUNTAINASH
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1692
Transited Services: -
Source Network Address: -
Source Port: -


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

What is a logon type 3 for instance and what are the Caller Logon ID and
Caller Process ID telling me?

Any help appreciated,

Siv
--
Martley, Near Worcester, UK
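
As an added example (not part of the original thread): once SMTP logging is switched on as the reply suggests, a short script can tally AUTH commands per client IP around the time of the Event ID 529 failures. It assumes the log is in W3C Extended format with the `date`, `time`, `c-ip` and `cs-method` fields enabled and that login attempts are logged with the verb AUTH; the log lines, host names and addresses below are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log (documentation-range addresses), not data from the thread.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-username cs-method
2008-09-12 11:29:39 203.0.113.7 mail.example EHLO
2008-09-12 11:29:40 203.0.113.7 mail.example AUTH
2008-09-12 11:29:41 203.0.113.7 mail.example AUTH
2008-09-12 11:29:42 203.0.113.7 mail.example AUTH
2008-09-12 11:29:43 203.0.113.7
2008-09-12 11:30:05 198.51.100.20 partner.example EHLO
2008-09-12 11:30:06 198.51.100.20 partner.example MAIL
2008-09-12 11:31:10 198.51.100.99 other.example AUTH
2008-09-12 15:00:00 203.0.113.7 mail.example AUTH
"""

def parse_w3c(text):
    """Yield one dict per log entry, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # header can repeat after a restart
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated entries
                yield dict(zip(fields, values))

def auth_attempts(text, event_time_utc, window_minutes=5):
    """Count AUTH commands per client IP within +/- window of the event."""
    lo = event_time_utc - timedelta(minutes=window_minutes)
    hi = event_time_utc + timedelta(minutes=window_minutes)
    counts = Counter()
    for row in parse_w3c(text):
        when = datetime.strptime(row["date"] + " " + row["time"],
                                 "%Y-%m-%d %H:%M:%S")
        if lo <= when <= hi and row["cs-method"].upper() == "AUTH":
            counts[row["c-ip"]] += 1
    return counts.most_common()

if __name__ == "__main__":
    # W3C logs are written in UTC; the Event Viewer shows local time.
    # Assumption: the 12:29:41 event was logged in UK summer time (UTC+1).
    event = datetime(2008, 9, 12, 11, 29, 41)
    for ip, n in auth_attempts(SAMPLE_LOG, event):
        print(f"{ip}\t{n} AUTH attempts")
```

An address that dominates the tally in the same minutes as the 529 events is the candidate to block at the firewall.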

