Solved

Multiple Security login failure Event ID:529

Posted on 2006-07-06
3
1,262 Views
Last Modified: 2008-01-09
Since early this morning there has been a login failure, with an unknown user id, about twice a minute. The ID's are changing, staring with amy, and working up alphabetical names. The ID tony is now being used.
I assume that an automated Hacking tools is being used.
I hate to assume that it will always fail.
Any suggestions?
Here is a sample of the event (valid domain name is substituted for actual domain.

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            7/6/2006
Time:            8:05:06 AM
User:            NT AUTHORITY\SYSTEM
Computer:      HOUSV02
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      tomy
       Domain:            "valid domain name"
       Logon Type:      2
       Logon Process:      IIS    
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      HOUSV02
0
Comment
Question by:cookd47
  • 2
3 Comments
 
LVL 12

Accepted Solution

by:
GinEric earned 500 total points
ID: 17051373
Actually, it's probably not an attempt to break in, it's an attempt to harvest all of your usernames.

If you don't own a computer named "HOUSV02" then you need to find out who does.  This seems like it's coming in on Samba or, if you're running Windows, it's trying to login as a machine.

It may be that you're runnign Internet Information Server [IIS] and he already knows the path to your admin and scripts directory and he's trying to get in there; if he succeeds, he will pretty much have all of your user information, perhaps right down to credit cards and stuff.

Which is why you don't install IIS in the default places.

I recognise the script.  Someone is trying to harvest email addresses from your server and will probably sell them on a CD to people who need email lists.

You should track him down, by IP Address and time, and build evidence against him.  It's most likely an offshore account, but run by someone in New York City in the Madison Avenue advertising district.

Get it?
0
 

Author Comment

by:cookd47
ID: 17051487
I suspect that you are right. HOUSV02 is the Exchange Server; we are using Outlook Web Access, which requires IIS. This is complicated by an outdated CISCO firewall that we do not have a password for. Attempts to access via console have been unsuccessful. A new Firewall is on site, and will be setup tomorrow. New servers are on order as well
0
 
LVL 12

Expert Comment

by:GinEric
ID: 17055774
You should do a thorough sweep of that Exchange Server and look to see if it has equally attempted logins.  Nothing like a good DNS log to find out where it's all coming from.
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Examines three attack vectors, specifically, the different types of malware used in malicious attacks, web application attacks, and finally, network based attacks.  Concludes by examining the means of securing and protecting critical systems and inf…
February 24, 2017 — On February 23, Travis Ormandy, a vulnerability researcher at Google, reported on Twitter (https://twitter.com/taviso/status/834900838837411840) that massive stores of data have been leaked by CloudFlare, a company that provide…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question