Solved

Flooded with Event ID 538 and 540 in Security under event viewer

Posted on 2003-11-05
Last Modified: 2013-12-04
I have sent a server to a branch office and it is now getting a FLOOD of entries under the 'Security' event source.  They are mainly Event 538 and 540 for logoff & logon, respectively.

I have included the Security events over the course of one minute.  There are 13 total in one minute!  Sorry it's so lengthy but I wanted to provide enough info.  

What could be causing this - is there potential malicious activity here? ....a hack or otherwise?
- Thanks for any insight!!
...........................................
START HERE:

AUDIT from 11/5/03

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            11/5/2003
Time:            5:03:00 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
Successful Network Logon:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CBC65)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:       
...................

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            11/5/2003
Time:            5:03:00 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
Successful Network Logon:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CBCA0)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:       
.....................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            11/5/2003
Time:            5:03:00 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
Successful Network Logon:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CBCE5)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:       
........................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            11/5/2003
Time:            5:03:00 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
Successful Network Logon:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CBD33)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:       
...........................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            11/5/2003
Time:            5:03:00 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
User Logoff:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CBCA0)
       Logon Type:      3
 
............................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            11/5/2003
Time:            5:03:00 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
User Logoff:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CBCE5)
       Logon Type:      3
 
.............................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            11/5/2003
Time:            5:03:00 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
User Logoff:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CBC65)
       Logon Type:      3
 
............................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            11/5/2003
Time:            5:03:29 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
User Logoff:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CB43C)
       Logon Type:      3
 
...........................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            11/5/2003
Time:            5:03:29 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
Successful Network Logon:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4D0CEB)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:       
...........................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            11/5/2003
Time:            5:03:47 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
Successful Network Logon:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4D12B6)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:       
...........................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            11/5/2003
Time:            5:03:47 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
User Logoff:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4D12B6)
       Logon Type:      3
 
...............................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            11/5/2003
Time:            5:03:47 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
Successful Network Logon:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4D131C)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:       
...............................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            11/5/2003
Time:            5:03:47 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
User Logoff:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4D131C)
       Logon Type:      3
Question by:davis
 
LVL 19

Accepted Solution

by:
Dexstar earned 125 total points
ID: 9690928
davis:

> What could be causing this - is there potential malicious activity here? ....a
> hack or otherwise?
> - Thanks for any insight!!

Here is a good explanation of what is happening:
http://www.mail-archive.com/activedir@mail.activedir.org/msg08710.html

Hope that helps,
Dex*
0
 
LVL 19

Expert Comment

by:Dexstar
ID: 9690953
0
 
LVL 1

Author Comment

by:davis
ID: 9691381
Dexstar -

Thanks very much for the links!  A tremendous help.  As well, I can rest a bit easier now...
0
 
LVL 19

Expert Comment

by:Dexstar
ID: 9694961
davis:

You're quite welcome.  I'm happy to help...  :)

Dex*
0
 

Expert Comment

by:dzeichick
ID: 10518829
I am also getting flooded and it just began today

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            3/4/2004
Time:            3:23:03 PM
User:            DZNS\dz
Computer:      DZNS-DC1
Description:
User Logoff:
       User Name:      dz
       Domain:            DZNS
       Logon ID:            (0x0,0x789C7D)
       Logon Type:      3


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            3/4/2004
Time:            3:23:03 PM
User:            DZNS\dz
Computer:      DZNS-DC1
Description:
Successful Network Logon:
       User Name:      dz
       Domain:            DZNS
       Logon ID:            (0x0,0x789C7D)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:      

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            3/4/2004
Time:            3:23:03 PM
User:            DZNS\dz
Computer:      DZNS-DC1
Description:
User Logoff:
       User Name:      dz
       Domain:            DZNS
       Logon ID:            (0x0,0x789C20)
       Logon Type:      3


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            3/4/2004
Time:            3:23:03 PM
User:            DZNS\dz
Computer:      DZNS-DC1
Description:
Successful Network Logon:
       User Name:      dz
       Domain:            DZNS
       Logon ID:            (0x0,0x789C20)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:      

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



Over and over

HELP
0
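
For triaging a flood like the two pasted in this thread, the following added example (not part of any post here) parses events in the pasted Event Viewer layout and pairs each 540 logon with its 538 logoff by Logon ID, per account. The sample records, the `EXAMPLE` domain, `SRV01$` and `alice` are constructed, and the function names are this example's own.

```python
import re
from collections import defaultdict

FIELD = re.compile(r"^[ \t]*([A-Za-z ]+?):[ \t]*(.*?)[ \t]*$", re.M)

def parse_events(text):
    """Split pasted Event Viewer text into records; keep only IDs 538 and 540."""
    records = (dict(FIELD.findall(c)) for c in re.split(r"(?m)^(?=Event Type:)", text))
    return [r for r in records if r.get("Event ID") in ("538", "540")]

def summarize(events):
    """Pair logons (540) with logoffs (538) by Logon ID, per account.
    Set-based, so it works whether the log was pasted oldest- or newest-first."""
    acct = defaultdict(lambda: {"540": set(), "538": set(), "types": set()})
    for e in events:
        a = acct[(e.get("Domain", ""), e.get("User Name", ""))]
        a[e["Event ID"]].add(e.get("Logon ID", ""))
        a["types"].add(e.get("Logon Type", ""))
    return {
        f"{domain}\\{user}": {
            "machine_account": user.endswith("$"),  # computer accounts end in $
            "logons": len(a["540"]),
            "logoffs": len(a["538"]),
            "paired": len(a["540"] & a["538"]),
            "still_open": sorted(a["540"] - a["538"]),
            "logoff_only": sorted(a["538"] - a["540"]),  # logon predates the excerpt
            "logon_types": sorted(a["types"]),
        }
        for (domain, user), a in acct.items()
    }

def _sample_event(event_id, user, logon_id):
    # Constructed record in the same layout as the events pasted in the thread.
    head = "Successful Network Logon" if event_id == 540 else "User Logoff"
    return (f"Event Type:      Success Audit\nEvent ID:      {event_id}\n"
            f"Time:            5:03:00 PM\nDescription:\n{head}:\n"
            f"       User Name:      {user}\n       Domain:            EXAMPLE\n"
            f"       Logon ID:            (0x0,{logon_id})\n"
            "       Logon Type:      3\n...........\n")

# Constructed sample: host, domain, user and Logon IDs are made up.
SAMPLE = "".join(_sample_event(*e) for e in [
    (540, "SRV01$", "0x1A01"), (540, "SRV01$", "0x1A02"), (538, "SRV01$", "0x1A02"),
    (538, "SRV01$", "0x1A01"), (538, "SRV01$", "0x19F0"), (540, "SRV01$", "0x1A03"),
    (538, "alice", "0x2B01"), (540, "alice", "0x2B01")])

if __name__ == "__main__":
    print(summarize(parse_events(SAMPLE)))
```

In the output, `paired` close to `logons` means the sessions in the excerpt were opened and closed within it, and `logoff_only` lists sessions whose logon happened before the excerpt starts.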


Question has a verified solution.
