04.12.2007 at 11:39AM PDT, ID: 22507936
Under attack: security audit failures - event 529

Asked by KPI1 in Watchguard Firewall, Miscellaneous Security, Windows 2003 Server

Since 4/9/07, I have 119,132 security audit failures (event id 529) and counting in my security log on my domain controller (Win2k3 SP1).

In the past, there have been attacks of shorter duration which run scripts against my open ports testing something like 3 different usr/pwd combinations per second. All previous attacks lasted at most a couple of hours. Now this one is going on for days already.

I have ports 25, 80, 110 and 3389 open on my Watchguard Firebox X500. All ports forward to my DC.

I need to put a stop to this but I am clueless/helpless how to start. I don't think there has been a successful hack (yet), but I can't just sit there and watch this go on forever and ever.

A sample event would look like this:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:            luis
       Domain:            my domain
       Logon Type:      8
       Logon Process:      IIS    
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      SERVER
       Caller User Name:      SERVER$
       Caller Domain:      my domain
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      812
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -
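
A triage sketch for the event text shown in the question, as an added example that is not part of the original thread: it tallies exported 529 events by logon process and logon type, to show which service is passing the failed credentials to the DC, and counts events that carry no source address. The function names and sample events are constructed for illustration.

```python
import re
from collections import Counter

# Subset of Windows logon type codes that appear in event 529.
LOGON_TYPES = {3: "Network", 8: "NetworkCleartext", 10: "RemoteInteractive"}
FIELD = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(.*?)\s*$")

# Constructed sample; block 1 mirrors the post, 192.0.2.10 is a documentation IP.
SAMPLE = """\
Logon Failure:
    User Name:      luis
    Logon Type:     8
    Logon Process:  IIS
    Source Network Address:  -
Logon Failure:
    User Name:      admin
    Logon Type:     8
    Logon Process:  IIS
    Source Network Address:  -
Logon Failure:
    User Name:      Administrator
    Logon Type:     10
    Logon Process:  User32
    Source Network Address:  192.0.2.10
"""

def parse_events(text):
    """Return one dict of fields per 'Logon Failure:' block."""
    events = []
    for m in filter(None, map(FIELD.match, text.splitlines())):
        key, value = m.groups()
        if key == "Logon Failure":
            events.append({})          # start of a new event
        elif events:
            events[-1][key] = value
    return events

def summarize(events):
    """Count failures per (logon process, logon type) and per user name."""
    channels, users, no_source = Counter(), Counter(), 0
    for ev in events:
        code = int(ev.get("Logon Type", 0))
        channels[(ev.get("Logon Process", "?"), LOGON_TYPES.get(code, str(code)))] += 1
        users[ev.get("User Name", "").lower()] += 1
        no_source += ev.get("Source Network Address", "-") == "-"
    return channels, users, no_source

if __name__ == "__main__":
    print(summarize(parse_events(SAMPLE)))
```

Events whose source address is "-", as in the sample from the question, have to be correlated by timestamp with the logs of the service named in Logon Process to find the client address.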
04.12.2007 at 12:05PM PDT, ID: 18900716

About this solution

Zones: Watchguard Firewall, Miscellaneous Security, Windows 2003 Server
Tags: 529, event, id, audit, security
Solution Provided By: r-k
Participating Experts: 1
Solution Grade: B
 
 