General discussion


Security Log

By gregory.sewbalak ·
Hi All,

In the Event Viewer's Security Log I have some disturbing events. An example: I logged on to the server successfully, so a successful audit was registered in the Security Log. After being busy on this server for a while, I decided to check whether new events were logged in the Security Log. To my surprise a new event was logged with the following details: account name = password, workstation = xyz. The account name does not exist on the domain! The computer mentioned indeed is my computer from which I have made a connection to the server. This is not the only event with those strange non-existing account names. Who can tell me what is the matter?


Security Log

by gregory.sewbalak In reply to Security Log

BTW, the Event ID for these events is 529.


Security Log

by quintar51 In reply to Security Log

It looks like someone is trying to guess a valid user name/password. They might be using a 'dictionary' attack.


Security Log

by quintar51 In reply to Security Log

I'm not too sure about this, but I think these types of attack use port 25. If that's the case, you'll need to block that port and assign a different port for SMTP.


Security Log

by gregory.sewbalak In reply to Security Log

The question was auto-closed by TechRepublic


Security Log

by Joseph Moore In reply to Security Log

Actually, if your workstation name is being listed as the workstation doing the connecting, then you might want to check out your system.
Event ID 529 is the Failure Audit. It looks like this:

Event Type: Audit Failure
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 12/12/2002
Time: 4:47:45 PM
User: SYSTEM
Computer: PDC01
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: WORKSTATION
Logon Type: 3
Logon Process: KSecDD
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: \\MYSYSTEM

The "Workstation Name" entry is the system that tried to do the failed logon. So, if your system is listed there, then either a) your system is running a process that is trying to connect but is failing due to an invalid logon name and/or password or b) someone is spoofing the workstation name and trying to connect remotely. Now, forging the workstation name probably is possible, but all of the tools I have seen that try and make NetBIOS connection attempts (over TCP port 139, technically) do not have the spoofing ability.
So, I would lean towards option A.

Now, what does that really mean? A Service could be set up on your system with this invalid logon name/password, and when the Service starts up, it fails due to the wrong name, and that generates the Event ID. That is very possible. So, check out Services.
Also, it could be a Schedule Job, doing basically the same thing. Check Scheduled Jobs.

Or, it could be a trojan file running on your system. Run an updated anti-virus program to look for trojans loaded on your system. Also run anti-spyware program (like Ad-Aware from Lavasoft) to look for spyware.

good luck
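As an added example (not code from any poster in this thread), a small Python helper that parses the colon-separated 529 description fields shown above and separates failures whose "Workstation Name" is one of your own machines (option A: a local service or scheduled job with a stale credential) from those reported from other hosts (the guessing scenario in the earlier reply). The host names and event texts below are constructed.

```python
import re
from collections import Counter

# Constructed 529 description blocks in the layout quoted above.
SAMPLE_EVENTS = [
    r"""Logon Failure:
Reason: Unknown user name or bad password
User Name: password
Domain: XYZ
Logon Type: 3
Logon Process: KSecDD
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: \\XYZ""",
    r"""Logon Failure:
Reason: Unknown user name or bad password
User Name: password
Domain: XYZ
Logon Type: 3
Workstation Name: \\XYZ""",
    r"""Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: WORKSTATION
Logon Type: 3
Workstation Name: \\OTHERPC""",
]

# "Field Name: value"; lines such as "Logon Failure:" have no value and are skipped.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")


def parse_529(text):
    """Return the description fields of one 529 event as a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(2):
            fields[m.group(1).strip()] = m.group(2).strip()
    # Normalise "\\HOST" to "HOST" so it compares with plain host names.
    fields["Workstation Name"] = fields.get("Workstation Name", "").lstrip("\\").upper()
    return fields


def classify(events, own_hosts):
    """Count (workstation, user) failures from your own hosts vs. other hosts."""
    own = {h.upper() for h in own_hosts}
    local, remote = Counter(), Counter()
    for ev in events:
        f = parse_529(ev)
        key = (f["Workstation Name"], f.get("User Name", ""))
        (local if f["Workstation Name"] in own else remote)[key] += 1
    return local, remote


if __name__ == "__main__":
    local, remote = classify(SAMPLE_EVENTS, ["xyz"])
    print("check services/scheduled jobs on:", dict(local))
    print("repeated failures from other hosts:", dict(remote))
```

Repeated entries in the "local" counter point at a process on that workstation retrying a bad credential; a growing "remote" counter for one source host is the pattern to watch for guessing attempts.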


Security Log

by gregory.sewbalak In reply to Security Log

The question was auto-closed by TechRepublic


Security Log

by gregory.sewbalak In reply to Security Log

This question was auto closed due to inactivity
