Solved

Multiple Security login failure Event ID:529

Posted on 2006-07-06
3
1,266 Views
Last Modified: 2008-01-09
Since early this morning there has been a login failure, with an unknown user id, about twice a minute. The ID's are changing, staring with amy, and working up alphabetical names. The ID tony is now being used.
I assume that an automated Hacking tools is being used.
I hate to assume that it will always fail.
Any suggestions?
Here is a sample of the event (valid domain name is substituted for actual domain.

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            7/6/2006
Time:            8:05:06 AM
User:            NT AUTHORITY\SYSTEM
Computer:      HOUSV02
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      tomy
       Domain:            "valid domain name"
       Logon Type:      2
       Logon Process:      IIS    
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      HOUSV02
0
Comment
Question by:cookd47
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 12

Accepted Solution

by:
GinEric earned 500 total points
ID: 17051373
Actually, it's probably not an attempt to break in, it's an attempt to harvest all of your usernames.

If you don't own a computer named "HOUSV02" then you need to find out who does.  This seems like it's coming in on Samba or, if you're running Windows, it's trying to login as a machine.

It may be that you're runnign Internet Information Server [IIS] and he already knows the path to your admin and scripts directory and he's trying to get in there; if he succeeds, he will pretty much have all of your user information, perhaps right down to credit cards and stuff.

Which is why you don't install IIS in the default places.

I recognise the script.  Someone is trying to harvest email addresses from your server and will probably sell them on a CD to people who need email lists.

You should track him down, by IP Address and time, and build evidence against him.  It's most likely an offshore account, but run by someone in New York City in the Madison Avenue advertising district.

Get it?
0
 

Author Comment

by:cookd47
ID: 17051487
I suspect that you are right. HOUSV02 is the Exchange Server; we are using Outlook Web Access, which requires IIS. This is complicated by an outdated CISCO firewall that we do not have a password for. Attempts to access via console have been unsuccessful. A new Firewall is on site, and will be setup tomorrow. New servers are on order as well
0
 
LVL 12

Expert Comment

by:GinEric
ID: 17055774
You should do a thorough sweep of that Exchange Server and look to see if it has equally attempted logins.  Nothing like a good DNS log to find out where it's all coming from.
0

Featured Post

Business Impact of IT Communications

What are the business impacts of how well businesses communicate during an IT incident? Targeting, speed, and transparency all matter. Find out more in this infographic.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

OnPage: Incident management and secure messaging on your smartphone
Most MSPs worth their salt are already offering cybersecurity to their customers. But cybersecurity as a service is wide encompassing and can mean many things.  So where are MSPs falling in this spectrum?
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question