Solved

Multiple Security login failure Event ID:529

Posted on 2006-07-06
3
1,260 Views
Last Modified: 2008-01-09
Since early this morning there has been a login failure, with an unknown user id, about twice a minute. The ID's are changing, staring with amy, and working up alphabetical names. The ID tony is now being used.
I assume that an automated Hacking tools is being used.
I hate to assume that it will always fail.
Any suggestions?
Here is a sample of the event (valid domain name is substituted for actual domain.

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            7/6/2006
Time:            8:05:06 AM
User:            NT AUTHORITY\SYSTEM
Computer:      HOUSV02
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      tomy
       Domain:            "valid domain name"
       Logon Type:      2
       Logon Process:      IIS    
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      HOUSV02
0
Comment
Question by:cookd47
  • 2
3 Comments
 
LVL 12

Accepted Solution

by:
GinEric earned 500 total points
ID: 17051373
Actually, it's probably not an attempt to break in, it's an attempt to harvest all of your usernames.

If you don't own a computer named "HOUSV02" then you need to find out who does.  This seems like it's coming in on Samba or, if you're running Windows, it's trying to login as a machine.

It may be that you're runnign Internet Information Server [IIS] and he already knows the path to your admin and scripts directory and he's trying to get in there; if he succeeds, he will pretty much have all of your user information, perhaps right down to credit cards and stuff.

Which is why you don't install IIS in the default places.

I recognise the script.  Someone is trying to harvest email addresses from your server and will probably sell them on a CD to people who need email lists.

You should track him down, by IP Address and time, and build evidence against him.  It's most likely an offshore account, but run by someone in New York City in the Madison Avenue advertising district.

Get it?
0
 

Author Comment

by:cookd47
ID: 17051487
I suspect that you are right. HOUSV02 is the Exchange Server; we are using Outlook Web Access, which requires IIS. This is complicated by an outdated CISCO firewall that we do not have a password for. Attempts to access via console have been unsuccessful. A new Firewall is on site, and will be setup tomorrow. New servers are on order as well
0
 
LVL 12

Expert Comment

by:GinEric
ID: 17055774
You should do a thorough sweep of that Exchange Server and look to see if it has equally attempted logins.  Nothing like a good DNS log to find out where it's all coming from.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
It’s a strangely common occurrence that when you send someone their login details for a system, they can’t get in. This article will help you understand why it happens, and what you can do about it.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now