Flooded with Event ID 538 and 540 in Security under event viewer

I have sent a server to a branch office and it is now getting a FLOOD of entries under the 'Security' event source.  They are mainly Event 538 and 540 for logoff & logon, respectively.

I have included the Security events over the course of one minute.  There are 13 total in one minute!  Sorry it's so lengthy but I wanted to provide enough info.  

What could be causing this - is there potential malicious activity here? ....a hack or otherwise?
- Thanks for any insight!!
...........................................
START HERE:

AUDIT from 11/5/03

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            11/5/2003
Time:            5:03:00 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
Successful Network Logon:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CBC65)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:       
...................

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            11/5/2003
Time:            5:03:00 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
Successful Network Logon:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CBCA0)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:       
.....................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            11/5/2003
Time:            5:03:00 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
Successful Network Logon:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CBCE5)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:       
........................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            11/5/2003
Time:            5:03:00 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
Successful Network Logon:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CBD33)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:       
...........................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            11/5/2003
Time:            5:03:00 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
User Logoff:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CBCA0)
       Logon Type:      3
 
............................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            11/5/2003
Time:            5:03:00 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
User Logoff:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CBCE5)
       Logon Type:      3
 
.............................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            11/5/2003
Time:            5:03:00 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
User Logoff:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CBC65)
       Logon Type:      3
 
............................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            11/5/2003
Time:            5:03:29 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
User Logoff:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CB43C)
       Logon Type:      3
 
...........................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            11/5/2003
Time:            5:03:29 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
Successful Network Logon:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4D0CEB)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:       
...........................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            11/5/2003
Time:            5:03:47 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
Successful Network Logon:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4D12B6)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:       
...........................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            11/5/2003
Time:            5:03:47 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
User Logoff:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4D12B6)
       Logon Type:      3
 
...............................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            11/5/2003
Time:            5:03:47 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
Successful Network Logon:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4D131C)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:       
...............................
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            11/5/2003
Time:            5:03:47 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
User Logoff:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4D131C)
       Logon Type:      3
LVL 1
davisAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

DexstarCommented:
davis:

> What could be causing this - is there potential malicious activity here? ....a
> hack or otherwise?
> - Thanks for any insight!!

Here is a good explanation of what is happening:
http://www.mail-archive.com/activedir@mail.activedir.org/msg08710.html

Hope that helps,
Dex*
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
davisAuthor Commented:
Dexstar -

Thanks very much for the links!  A tremendous help.  As well, I can rest a bit easier now...
0
DexstarCommented:
davis:

You're quite welcome.  I'm happy to help...  :)

Dex*
0
dzeichickCommented:
I am also getting flooded and i just began today

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            3/4/2004
Time:            3:23:03 PM
User:            DZNS\dz
Computer:      DZNS-DC1
Description:
User Logoff:
       User Name:      dz
       Domain:            DZNS
       Logon ID:            (0x0,0x789C7D)
       Logon Type:      3


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            3/4/2004
Time:            3:23:03 PM
User:            DZNS\dz
Computer:      DZNS-DC1
Description:
Successful Network Logon:
       User Name:      dz
       Domain:            DZNS
       Logon ID:            (0x0,0x789C7D)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:      

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            3/4/2004
Time:            3:23:03 PM
User:            DZNS\dz
Computer:      DZNS-DC1
Description:
User Logoff:
       User Name:      dz
       Domain:            DZNS
       Logon ID:            (0x0,0x789C20)
       Logon Type:      3


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            3/4/2004
Time:            3:23:03 PM
User:            DZNS\dz
Computer:      DZNS-DC1
Description:
Successful Network Logon:
       User Name:      dz
       Domain:            DZNS
       Logon ID:            (0x0,0x789C20)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:      

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



Over and over

HELP
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.