Solved

What do these logs in the NT Security event viewer mean?

Posted on 2001-06-17
Last Modified: 2010-04-11
Hello!!

    I have an NT4 SP6 server, and I always monitor my NT security event viewer.  I am just wondering: sometimes I receive a security log entry of type "Failure Audit":
Event ID: 529
Description:
  Logon Failure:
  Reason: Unknown user name or bad password
  User name: DENIS HAWES
  domain: CHAMBERS
  logon Type: 3
  logon process:  KSecDD
  Authentication package:
  Microsoft_authentication_package_V1_0
  Workstation Name: \\ DENIS

   What does it mean?  All the information above (the user, domain & workstation name) is irrelevant and does not exist on our network. We don't have a firewall, but according to our ISP they have one. Is that okay?
   We are connected via a 56 kbps modem to our local ISP.
  Please help.
0
Question by:bubana
9 Comments
 
LVL 9

Expert Comment

by:TTom
It means someone tried to login to your server using this information.  If your server has NTFS-protected directories (i.e., if the security does not provide open access for the "Everyone" group), when a user tries to access anything on the server, NT will issue a challenge/response, i.e., a logon dialog box will appear.  If the user fills in something, they will either be authenticated to access the resource they requested, or they will be denied (if their credentials do not match those of an authorized user).

Since this user is providing quite a bit of information here, I would suggest this is probably an error, rather than an attempt to hack your network.

However, if this recurs, I would suggest you evaluate your security, particularly the idea of having a firewall.  Better that you should be in control, rather than depending upon an ISP for protection.

You might ask your ISP if the domain and user make any sense to them.  There is a small possibility that this is one of their employees who is inadvertently attempting to do something which points them to your network.

Tom
0
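Added example (not part of the original thread or any poster's code): a Python triage of exported Event 529 descriptions like the one in the question, counting failed network logons (Logon Type 3) that name a domain not on your network, which is the recurrence TTom suggests watching for. `KNOWN_DOMAINS`, the function names and the sample events are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumption: the NT domains that really exist on the monitored network.
KNOWN_DOMAINS = {"OFFICE"}
# Constructed sample: Event Viewer descriptions in the layout quoted in the question.
SAMPLE = r"""Event ID: 529
  User name: DENIS HAWES
  domain: CHAMBERS
  logon Type: 3
  Workstation Name: \\ DENIS

Event ID: 529
  User name: DENIS HAWES
  domain: CHAMBERS
  logon Type: 3
  Workstation Name: \\ DENIS

Event ID: 529
  User name: jsmith
  domain: OFFICE
  logon Type: 2
  Workstation Name: \\FRONTDESK
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.*?)\s*$")

def parse_events(text):
    """Split blank-line-separated event descriptions into lower-cased field dicts."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (FIELD.match(line) for line in block.splitlines())
        events.append({m.group(1).lower(): m.group(2) for m in pairs if m})
    return [ev for ev in events if ev]

def triage(events, known_domains=KNOWN_DOMAINS):
    """Count Event 529 failures that came over the network and name an unknown domain."""
    hits = Counter()
    for ev in events:
        if ev.get("event id") != "529" or ev.get("logon type") != "3":
            continue  # keep only failed logons of type 3 (network logon)
        if ev.get("domain", "").upper() in known_domains:
            continue  # known domain: more likely a real user mistyping a password
        ws = ev.get("workstation name", "").replace("\\", "").strip()
        hits[(ev.get("user name", ""), ev.get("domain", ""), ws)] += 1
    return hits

def recurring(hits, threshold=2):
    """Sources seen at least `threshold` times, i.e. the 'if this recurs' case."""
    return sorted(src for src, n in hits.items() if n >= threshold)
```
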
 
LVL 12

Accepted Solution

by:
Housenet earned 5 total points
bubana, I would interpret this as an attempt to gain access to your server.
-To test if your ISP is truly "protecting" your server, try this simple test:
1. Connect online with the 56k modem. Get your IP from the connection info after connecting. Say it's 200.1.1.20.
2. From a separate connection (a friend on a different ISP would be ideal), ask him to see what happens when he tries typing this from Run: \\200.1.1.20 (anything happen?)
3. Tell him to try this from an NT machine at the cmd prompt:
net use \\200.1.1.20\c$ /User:Administrator
(Does it ask to supply the password?)
-If either of these tests asks for credentials or passwords, then your ISP is not doing jack for you in terms of protection, because the netbios ports 135-139 are open...
-If you give me your IP while you're online & these ports are open, I can give you your domain name, server name, all accounts, services, shares, probably the passwords for several of the accounts as well... Would you like to try it?

http://www.eventid.net/display.asp?source=MoniLog&eventid=529
0
 

Author Comment

by:bubana
Tom,

   I have a follow-up question: by what way does the hacker enter our network? Our setup here is a 56 kbps dial-up connection to our ISP in order to access the internet.  My modem is configured as dial-out only.  I forgot to tell you that sometimes I get a logged user name of "anonymous" in category "logon/logoff", successful, without any username & domain info.  Does it mean they logged on successfully to our domain without valid username/domain authentication?
   Which of our network resources do these hackers access?
   Thanks for the information.
0
 
LVL 9

Expert Comment

by:TTom
The Anonymous logon means someone has accessed a resource on your network.

If you are truly concerned about what is being done, I would suggest you audit access to all files.  This can be processor intensive, but it will tell you who is accessing what.

Does your network have Win95/98 machines on it?  Is everyone using the network required to have a valid logon id?  Are all the directories/sites on your web server configured to deny anonymous access (or, more specifically, not to allow it)?

NT is not terribly secure unless you make it so.  By default, the Everyone group is granted access to resources with Full Control.  This represents a great security risk, and you would be advised to pick up some information on NT security (there are whitepapers and books available which will help).

Sometimes, however, it is not that someone is trying to do something malicious, just that the configuration of the server makes it appear so.

Wish I could be more assistance.

Tom
0
 
LVL 12

Expert Comment

by:Housenet
-So banana, how's it going with your problem?
0
 

Author Comment

by:bubana
housenet,

        Working fine. I mean the network is still up and running.
The command you gave me has a syntax problem; I can't figure it out.
        Thanks for your effort, partner.
0
 
LVL 12

Expert Comment

by:Housenet
-What command ?
0
 

Author Comment

by:bubana
housenet,

   This command:

net use \\200.1.1.20\c$ /User:Administrator (Does it ask to supply the password?)

  I changed the IP to our IP's domain name.  It flashed an error: "system error 67 has occurred.  The network name cannot be found"  What does it mean? Syntax error?
Thanks
0
 
LVL 12

Expert Comment

by:Housenet
bubana, that's a good sign. It means that the netbios ports are probably blocked & your ISP is really doing as they say.
0
