?
Solved

Flooded with Event ID 538 and 540 in Security under event viewer

Posted on 2003-11-05
5
Medium Priority
?
7,131 Views
Last Modified: 2013-12-04
I have sent a server to a branch office and it is now getting a FLOOD of entries under the 'Security' event source.  They are mainly Event 538 and 540 for logoff & logon, respectively.

I have included the Security events over the course of one minute.  There are 13 total in one minute!  Sorry it's so lengthy but I wanted to provide enough info.  

What could be causing this - is there potential malicious activity here? ....a hack or otherwise?
- Thanks for any insight!!
...........................................
START HERE:

AUDIT from 11/5/03

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            11/5/2003
Time:            5:03:00 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
Successful Network Logon:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CBC65)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:       
...................

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            11/5/2003
Time:            5:03:00 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
Successful Network Logon:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CBCA0)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:       
.....................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            11/5/2003
Time:            5:03:00 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
Successful Network Logon:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CBCE5)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:       
........................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            11/5/2003
Time:            5:03:00 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
Successful Network Logon:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CBD33)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:       
...........................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            11/5/2003
Time:            5:03:00 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
User Logoff:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CBCA0)
       Logon Type:      3
 
............................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            11/5/2003
Time:            5:03:00 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
User Logoff:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CBCE5)
       Logon Type:      3
 
.............................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            11/5/2003
Time:            5:03:00 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
User Logoff:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CBC65)
       Logon Type:      3
 
............................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            11/5/2003
Time:            5:03:29 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
User Logoff:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CB43C)
       Logon Type:      3
 
...........................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            11/5/2003
Time:            5:03:29 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
Successful Network Logon:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4D0CEB)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:       
...........................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            11/5/2003
Time:            5:03:47 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
Successful Network Logon:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4D12B6)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:       
...........................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            11/5/2003
Time:            5:03:47 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
User Logoff:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4D12B6)
       Logon Type:      3
 
...............................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            11/5/2003
Time:            5:03:47 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
Successful Network Logon:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4D131C)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:       
...............................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            11/5/2003
Time:            5:03:47 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
User Logoff:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4D131C)
       Logon Type:      3
0
Comment
Question by:davis
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
5 Comments
 
LVL 19

Accepted Solution

by:
Dexstar earned 500 total points
ID: 9690928
davis:

> What could be causing this - is there potential malicious activity here? ....a
> hack or otherwise?
> - Thanks for any insight!!

Here is a good explanation of what is happening:
http://www.mail-archive.com/activedir@mail.activedir.org/msg08710.html

Hope that helps,
Dex*
0
 
LVL 1

Author Comment

by:davis
ID: 9691381
Dexstar -

Thanks very much for the links!  A tremendous help.  As well, I can rest a bit easier now...
0
 
LVL 19

Expert Comment

by:Dexstar
ID: 9694961
davis:

You're quite welcome.  I'm happy to help...  :)

Dex*
0
 

Expert Comment

by:dzeichick
ID: 10518829
I am also getting flooded and i just began today

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            3/4/2004
Time:            3:23:03 PM
User:            DZNS\dz
Computer:      DZNS-DC1
Description:
User Logoff:
       User Name:      dz
       Domain:            DZNS
       Logon ID:            (0x0,0x789C7D)
       Logon Type:      3


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            3/4/2004
Time:            3:23:03 PM
User:            DZNS\dz
Computer:      DZNS-DC1
Description:
Successful Network Logon:
       User Name:      dz
       Domain:            DZNS
       Logon ID:            (0x0,0x789C7D)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:      

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            3/4/2004
Time:            3:23:03 PM
User:            DZNS\dz
Computer:      DZNS-DC1
Description:
User Logoff:
       User Name:      dz
       Domain:            DZNS
       Logon ID:            (0x0,0x789C20)
       Logon Type:      3


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            3/4/2004
Time:            3:23:03 PM
User:            DZNS\dz
Computer:      DZNS-DC1
Description:
Successful Network Logon:
       User Name:      dz
       Domain:            DZNS
       Logon ID:            (0x0,0x789C20)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:      

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



Over and over

HELP
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The term "Bad USB" is a buzz word that is usually used when talking about attacks on computer systems that involve USB devices. In this article, I will show what possibilities modern windows systems (win8.x and win10) offer to fight these attacks wi…
OfficeMate Freezes on login or does not load after login credentials are input.
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…
Suggested Courses
Course of the Month9 days, 10 hours left to enroll

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question