Solved

Flooded with Event ID 538 and 540 in Security under event viewer

Posted on 2003-11-05
5
7,101 Views
Last Modified: 2013-12-04
I have sent a server to a branch office and it is now getting a FLOOD of entries under the 'Security' event source.  They are mainly Event 538 and 540 for logoff & logon, respectively.

I have included the Security events over the course of one minute.  There are 13 total in one minute!  Sorry it's so lengthy but I wanted to provide enough info.  

What could be causing this - is there potential malicious activity here? ....a hack or otherwise?
- Thanks for any insight!!
...........................................
START HERE:

AUDIT from 11/5/03

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            11/5/2003
Time:            5:03:00 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
Successful Network Logon:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CBC65)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:       
...................

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            11/5/2003
Time:            5:03:00 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
Successful Network Logon:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CBCA0)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:       
.....................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            11/5/2003
Time:            5:03:00 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
Successful Network Logon:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CBCE5)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:       
........................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            11/5/2003
Time:            5:03:00 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
Successful Network Logon:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CBD33)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:       
...........................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            11/5/2003
Time:            5:03:00 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
User Logoff:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CBCA0)
       Logon Type:      3
 
............................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            11/5/2003
Time:            5:03:00 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
User Logoff:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CBCE5)
       Logon Type:      3
 
.............................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            11/5/2003
Time:            5:03:00 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
User Logoff:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CBC65)
       Logon Type:      3
 
............................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            11/5/2003
Time:            5:03:29 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
User Logoff:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CB43C)
       Logon Type:      3
 
...........................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            11/5/2003
Time:            5:03:29 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
Successful Network Logon:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4D0CEB)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:       
...........................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            11/5/2003
Time:            5:03:47 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
Successful Network Logon:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4D12B6)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:       
...........................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            11/5/2003
Time:            5:03:47 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
User Logoff:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4D12B6)
       Logon Type:      3
 
...............................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            11/5/2003
Time:            5:03:47 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
Successful Network Logon:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4D131C)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:       
...............................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            11/5/2003
Time:            5:03:47 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
User Logoff:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4D131C)
       Logon Type:      3
0
Comment
Question by:davis
  • 3
5 Comments
 
LVL 19

Accepted Solution

by:
Dexstar earned 125 total points
ID: 9690928
davis:

> What could be causing this - is there potential malicious activity here? ....a
> hack or otherwise?
> - Thanks for any insight!!

Here is a good explanation of what is happening:
http://www.mail-archive.com/activedir@mail.activedir.org/msg08710.html

Hope that helps,
Dex*
0
 
LVL 19

Expert Comment

by:Dexstar
ID: 9690953
0
 
LVL 1

Author Comment

by:davis
ID: 9691381
Dexstar -

Thanks very much for the links!  A tremendous help.  As well, I can rest a bit easier now...
0
 
LVL 19

Expert Comment

by:Dexstar
ID: 9694961
davis:

You're quite welcome.  I'm happy to help...  :)

Dex*
0
 

Expert Comment

by:dzeichick
ID: 10518829
I am also getting flooded and i just began today

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            3/4/2004
Time:            3:23:03 PM
User:            DZNS\dz
Computer:      DZNS-DC1
Description:
User Logoff:
       User Name:      dz
       Domain:            DZNS
       Logon ID:            (0x0,0x789C7D)
       Logon Type:      3


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            3/4/2004
Time:            3:23:03 PM
User:            DZNS\dz
Computer:      DZNS-DC1
Description:
Successful Network Logon:
       User Name:      dz
       Domain:            DZNS
       Logon ID:            (0x0,0x789C7D)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:      

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            3/4/2004
Time:            3:23:03 PM
User:            DZNS\dz
Computer:      DZNS-DC1
Description:
User Logoff:
       User Name:      dz
       Domain:            DZNS
       Logon ID:            (0x0,0x789C20)
       Logon Type:      3


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            3/4/2004
Time:            3:23:03 PM
User:            DZNS\dz
Computer:      DZNS-DC1
Description:
Successful Network Logon:
       User Name:      dz
       Domain:            DZNS
       Logon ID:            (0x0,0x789C20)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:      

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



Over and over

HELP
0

Featured Post

Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many people tend to confuse the function of a virus with the one of adware, this misunderstanding of the basic of what each software is and how it operates causes users and organizations to take the wrong security measures that would protect them ag…
SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

790 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question