[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 5059
  • Last Modified:

event id 539 account lockout?

I run Windows Server 2003 SBS.  Since last Tuesday I have been receiving administrative alert emails at 2 hour intervals, almost on the dot.  Very concerning since I can't see anything in the Event Viewer at these times.  I see in the Server Manager where to enable/disable this alert.  I want it enabled, but I also want to know who is getting locked out (who is trying to log in???)  Also since it happens exactly 2 hours apart, that makes me think it is automated...what kind of process or application would try to do this?  Please help me figure this out :)

Here is the pattern of the times I receive the email.  Note that there is no activity on the weekend, but when it is active, it is in exactly 2 hour intervals:

4/19      08:28:47 PM
4/19      10:28:47 PM
4/20      12:28:49 AM
4/20      02:28:49 AM
4/20      04:28:49 AM
4/20      06:28:49 AM
4/21      01:08:53 PM
4/21      03:08:53 PM
4/21      05:08:08 PM
4/22      01:08:13 PM
4/22      03:08:13 PM
4/22      05:08:13 PM
4/25      04:48:28 PM
4/25      06:48:28 PM
4/25      08:48:28 PM
4/25      10:48:28 PM
4/26      12:48:29 PM
4/26      02:48:29 AM
4/26      04:48:29 AM
4/26      06:48:29 AM
4/26      08:48:29 AM
4/26      10:48:29 AM
4/26      12:48:29 AM
4/26      02:48:29 PM
4/26    04:48:29 PM
4/26      06:48:29 PM
4/26    08:48:29 PM
4/26    10:48:29 PM
4/27    12:48:34 AM
4/27    02:48:34 AM
4/27    04:48:34 AM
4/27    06:48:34 AM
4/27    08:48:34 AM

Here is the text of the email:

-----Original Message-----
From: Envirotech [mailto:Administrator@domain.tld]
Sent: Friday, April 22, 2005 1:08 PM
To: me (the administrator)
Subject: Account Lockout (Event ID: 539) Alert on SERVER1

Alert on SERVER1 at 4/22/2005 1:08:13 PM

An account was locked out due to multiple failed logon attempts that occurred in a short period of time. This may occur if an unauthorized user attempts to gain access to the network.

For more information about this event, see the event logs on the server computer.

You can disable this alert by using the Change Alert Notifications task in the Server Management Monitoring and Reporting taskpad.
  • 3
  • 3
1 Solution
amcorjonAuthor Commented:

Check this out - I noted the 2 hour interval pattern this morning...I would receive the alert every 2 hours at xx:48:34 am (hh:mm:ss). So I logged on to the server, opened the Task Manager's Process tab and watched the system clock tick.

At exactly 10:48:34AM I watched and took a screenshot (attached). I saw that one of the System processes popped up,  I see which process it is, but I don't know anything about it.  This process seems to keep trying to authenticate every two hours during the weekdays only. Strange.  At least we can rule out a person trying to hack in.  But what kind of process does this?  How can I find out more about what is going on?

since I can't attach a pic of the screenshot I'll try to describe it:
Image Name: System
User Name: SYSTEM
CPU: 02
Mem Usage: 8,192K

I had the Task Manager's Processes sorted by CPU; I figured if a process was trying to login, then it should jump to the top at that time, and sure enough it did.  Then I received the alert email a second later.
You *should* be able to match up these alerts to an event in the Security Event Log.

Can you copy and paste one of those here?

amcorjonAuthor Commented:
thanks, i found this:  

Logon Failure:
       Reason:            Account locked out
       User Name:      MAINTENANCE
       Domain:      ourdomain
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      \\SHOP
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -
       Source Network Address:      xxx.xxx.xxx.xxx
       Source Port:      0

It seems to be coming from our shop next door which only has 1 computer - and I know the guys there do not try to log in every 2 hours....so....should I go to that machine?  what should I look for that automatically tries to authenticate every 2 hours?

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

It seems this computer has some spyware or a virus on it.  This is the telltale sign of malicious activity - hitting shares using default passwords trying to spread.

Download and run the following stuff:

Adaware Personal - www.lavasoftusa.com
Spybot S&D - http://www.safer-networking.org/en/download/
CWShredder - http://www.intermute.com/spysubtract/cwshredder_download.html

Also, do a full AV scan with the latest updates.

Let us know what you find.

amcorjonAuthor Commented:
thanks guys - i ran adaware twice and cleaned it up.  
Glad to help!
Did you run AdAware on the Server or the shop workstation? I am getting this same problem but it is happening on up to 10 different accounts.

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now