Solved

Flooded with Event ID 538 and 540 in Security under event viewer

Posted on 2003-11-05
Last Modified: 2013-12-04
I have sent a server to a branch office and it is now getting a FLOOD of entries under the 'Security' event source.  They are mainly Event 538 and 540 for logoff & logon, respectively.

I have included the Security events over the course of one minute.  There are 13 total in one minute!  Sorry it's so lengthy but I wanted to provide enough info.  

What could be causing this - is there potential malicious activity here? ....a hack or otherwise?
- Thanks for any insight!!
...........................................
START HERE:

AUDIT from 11/5/03

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            11/5/2003
Time:            5:03:00 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
Successful Network Logon:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CBC65)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:       
...................

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            11/5/2003
Time:            5:03:00 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
Successful Network Logon:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CBCA0)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:       
.....................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            11/5/2003
Time:            5:03:00 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
Successful Network Logon:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CBCE5)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:       
........................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            11/5/2003
Time:            5:03:00 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
Successful Network Logon:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CBD33)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:       
...........................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            11/5/2003
Time:            5:03:00 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
User Logoff:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CBCA0)
       Logon Type:      3
 
............................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            11/5/2003
Time:            5:03:00 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
User Logoff:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CBCE5)
       Logon Type:      3
 
.............................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            11/5/2003
Time:            5:03:00 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
User Logoff:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CBC65)
       Logon Type:      3
 
............................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            11/5/2003
Time:            5:03:29 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
User Logoff:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CB43C)
       Logon Type:      3
 
...........................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            11/5/2003
Time:            5:03:29 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
Successful Network Logon:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4D0CEB)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:       
...........................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            11/5/2003
Time:            5:03:47 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
Successful Network Logon:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4D12B6)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:       
...........................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            11/5/2003
Time:            5:03:47 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
User Logoff:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4D12B6)
       Logon Type:      3
 
...............................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            11/5/2003
Time:            5:03:47 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
Successful Network Logon:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4D131C)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:       
...............................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            11/5/2003
Time:            5:03:47 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
User Logoff:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4D131C)
       Logon Type:      3
Question by:davis
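
A way to triage a dump like the one above, as an added example that is not part of the original post: parse the exported Event Viewer text, count 540 logons per account and logon type, and match each 540 to its 538 by Logon ID. The record layout follows the post; the host and domain names and Logon IDs in the sample are constructed.

```python
import re
from collections import Counter

FIELD = re.compile(
    r"^[ \t]*(Event ID|Time|User Name|Domain|Logon ID|Logon Type):[ \t]*(.*?)[ \t]*$", re.M)

def parse_events(text):
    """Split an Event Viewer text export into one dict per 'Event Type:' record."""
    chunks = re.split(r"(?m)^Event Type:", text)[1:]
    return [dict(FIELD.findall(chunk)) for chunk in chunks]

def summarise(events):
    """Count 540 logons per account/type and match them to 538 logoffs by Logon ID.
    Set-based, so it works whether the export lists oldest or newest first."""
    logons = {e["Logon ID"]: e for e in events if e.get("Event ID") == "540"}
    logoffs = {e["Logon ID"] for e in events if e.get("Event ID") == "538"}
    per_account = Counter(
        (f"{e.get('Domain')}\\{e.get('User Name')}", e.get("Logon Type"))
        for e in logons.values())
    return {
        "logons": dict(per_account),
        # A User Name ending in '$' is a computer account; Logon Type 3 is a network logon.
        "machine_accounts": sorted({a for a, _ in per_account if a.endswith("$")}),
        # Sessions that started or ended outside the captured window.
        "unpaired_logons": sorted(set(logons) - logoffs),
        "unpaired_logoffs": sorted(logoffs - set(logons)),
    }

def _record(event_id, logon_id, user="HOST1$", domain="EXAMPLE"):
    # Constructed record in the same text layout as the post (not the poster's data).
    return (f"Event Type:      Success Audit\nEvent ID:      {event_id}\n"
            f"Time:            5:03:00 PM\nDescription:\n"
            f"       User Name:      {user}\n       Domain:            {domain}\n"
            f"       Logon ID:            (0x0,{logon_id})\n"
            f"       Logon Type:      3\n...........\n")

SAMPLE = (_record(540, "0x1A01") + _record(540, "0x1A02")
          + _record(538, "0x1A01") + _record(538, "0x0FFF"))

if __name__ == "__main__":
    for key, value in summarise(parse_events(SAMPLE)).items():
        print(f"{key}: {value}")
```
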

Accepted Solution

by:
Dexstar earned 125 total points
ID: 9690928
davis:

> What could be causing this - is there potential malicious activity here? ....a
> hack or otherwise?
> - Thanks for any insight!!

Here is a good explanation of what is happening:
http://www.mail-archive.com/activedir@mail.activedir.org/msg08710.html

Hope that helps,
Dex*

Author Comment

by:davis
ID: 9691381
Dexstar -

Thanks very much for the links!  A tremendous help.  As well, I can rest a bit easier now...

Expert Comment

by:Dexstar
ID: 9694961
davis:

You're quite welcome.  I'm happy to help...  :)

Dex*

Expert Comment

by:dzeichick
ID: 10518829
I am also getting flooded and it just began today

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            3/4/2004
Time:            3:23:03 PM
User:            DZNS\dz
Computer:      DZNS-DC1
Description:
User Logoff:
       User Name:      dz
       Domain:            DZNS
       Logon ID:            (0x0,0x789C7D)
       Logon Type:      3


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            3/4/2004
Time:            3:23:03 PM
User:            DZNS\dz
Computer:      DZNS-DC1
Description:
Successful Network Logon:
       User Name:      dz
       Domain:            DZNS
       Logon ID:            (0x0,0x789C7D)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:      

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            3/4/2004
Time:            3:23:03 PM
User:            DZNS\dz
Computer:      DZNS-DC1
Description:
User Logoff:
       User Name:      dz
       Domain:            DZNS
       Logon ID:            (0x0,0x789C20)
       Logon Type:      3


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            3/4/2004
Time:            3:23:03 PM
User:            DZNS\dz
Computer:      DZNS-DC1
Description:
Successful Network Logon:
       User Name:      dz
       Domain:            DZNS
       Logon ID:            (0x0,0x789C20)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:      

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



Over and over

HELP