cookd47

asked on

Event id; 529 MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

I'm getting the following error every night around 8PM on a Domain Controller running SBS 2003.
The ID, Support, is a domain admin.
There are sometimes 7 - 700 security errors.
From my research, it could be an application, or a "Hack Attack".
How can I identify and resolve this problem?

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            10/10/2008
Time:            9:08:18 AM
User:            NT AUTHORITY\SYSTEM
Computer:      Servername
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      Support
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      Servername
       Caller User Name:      Servername$
       Caller Domain:      Domain
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      4696
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -
Olaf De Ceuster

Could be a service trying to log on with incorrect credentials. Have a look in the eventlog for any other errors.
Be a good idea to run a virus scan just in case.
Olaf
cookd47

ASKER

Title: Event id; 529 MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Administrator login failed 1027 times between 2000 last night and 0400 this morning. We normally get between 6 - 12 event 529 every night.

I will reward 1000 points for a solution.
How can we trace the source of this event?
There is nothing in the SonicWall log that suggests a "Brute Force" hack attempt.
This could also be a backup job trying to run using the support username.
Check all the tasks on the server. Check if you see any task running at 8. Check the user name used to run the task.

ASKER

I suspect that it is the backup, but am unable to find an error in the backup log, or Windows log (other than security events). The backup takes most of the night. They have an application that backs up a database as well. Most nights we only get a few errors, but about every 8 - 10 days we get 600 - 1100 events. It is almost certainly an application/backup issue; I would like to track it down, document the cause, and present it to the client, who believes that Hackers are after his system.
ASKER CERTIFIED SOLUTION
anupnellip

ASKER

There was a drive mapped prior to the last password change
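
Added example, not part of the thread: one way to approach the question "How can we trace the source of this event?" is to group the 529 records by account, caller process ID, source address and hour of day. The Python below assumes the Security log has been exported to text in the layout shown in the question; the function names, the sample records and the local-origin heuristic are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the layout of the record in the question (illustrative values).
RECORD = """Event Type:      Failure Audit
Event ID:      529
Time:            {time}
Computer:      Servername
       User Name:      {user}
       Workstation Name:      {ws}
       Caller Process ID:      {pid}
       Source Network Address:      {src}
"""
SAMPLE = "".join(RECORD.format(**r) for r in [
    dict(time="8:01:12 PM", user="Support", ws="Servername", pid="4696", src="-"),
    dict(time="8:01:15 PM", user="Support", ws="Servername", pid="4696", src="-"),
    dict(time="2:30:00 AM", user="Administrator", ws="WS07", pid="512", src="192.0.2.10"),
])

def parse_events(text):
    """Split an exported Security log into {field: value} dicts, keeping only 529s."""
    events = []
    for chunk in text.split("Event Type:"):
        fields = {k.strip(): v.strip() for k, v in
                  re.findall(r"(?m)^[ \t]*([^:\n]+):[ \t]*(.*)$", chunk)}
        if fields.get("Event ID") == "529":
            events.append(fields)
    return events

def summarize(events):
    """Count failures per (user, caller PID, source address) and per hour of day."""
    by_origin, by_hour = Counter(), Counter()
    for e in events:
        by_origin[(e.get("User Name"), e.get("Caller Process ID"),
                   e.get("Source Network Address"))] += 1
        by_hour[datetime.strptime(e["Time"], "%I:%M:%S %p").hour] += 1
    return by_origin, by_hour

def is_local_origin(e):
    # Heuristic (assumption): no source address recorded and the workstation
    # name is the logging computer, i.e. a process on the server itself asked.
    return (e.get("Source Network Address") == "-"
            and e.get("Workstation Name") == e.get("Computer"))

if __name__ == "__main__":
    events = parse_events(SAMPLE)
    by_origin, by_hour = summarize(events)
    for (user, pid, src), n in by_origin.most_common():
        print(f"{n:5d}  user={user}  caller_pid={pid}  source={src}")
    print("by hour:", dict(by_hour), "| local:", sum(map(is_local_origin, events)))
```

A cluster with a single caller PID, source `-` and a fixed hour is the one to compare against the scheduled tasks, services and mapped drives on the server; failures spread across accounts with remote source addresses call for a look at the firewall log instead.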