Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Multiple Security login failure Event ID:529

Posted on 2006-07-06
3
Medium Priority
?
1,269 Views
Last Modified: 2008-01-09
Since early this morning there has been a login failure, with an unknown user id, about twice a minute. The ID's are changing, staring with amy, and working up alphabetical names. The ID tony is now being used.
I assume that an automated Hacking tools is being used.
I hate to assume that it will always fail.
Any suggestions?
Here is a sample of the event (valid domain name is substituted for actual domain.

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            7/6/2006
Time:            8:05:06 AM
User:            NT AUTHORITY\SYSTEM
Computer:      HOUSV02
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      tomy
       Domain:            "valid domain name"
       Logon Type:      2
       Logon Process:      IIS    
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      HOUSV02
0
Comment
Question by:cookd47
  • 2
3 Comments
 
LVL 12

Accepted Solution

by:
GinEric earned 1500 total points
ID: 17051373
Actually, it's probably not an attempt to break in, it's an attempt to harvest all of your usernames.

If you don't own a computer named "HOUSV02" then you need to find out who does.  This seems like it's coming in on Samba or, if you're running Windows, it's trying to login as a machine.

It may be that you're runnign Internet Information Server [IIS] and he already knows the path to your admin and scripts directory and he's trying to get in there; if he succeeds, he will pretty much have all of your user information, perhaps right down to credit cards and stuff.

Which is why you don't install IIS in the default places.

I recognise the script.  Someone is trying to harvest email addresses from your server and will probably sell them on a CD to people who need email lists.

You should track him down, by IP Address and time, and build evidence against him.  It's most likely an offshore account, but run by someone in New York City in the Madison Avenue advertising district.

Get it?
0
 

Author Comment

by:cookd47
ID: 17051487
I suspect that you are right. HOUSV02 is the Exchange Server; we are using Outlook Web Access, which requires IIS. This is complicated by an outdated CISCO firewall that we do not have a password for. Attempts to access via console have been unsuccessful. A new Firewall is on site, and will be setup tomorrow. New servers are on order as well
0
 
LVL 12

Expert Comment

by:GinEric
ID: 17055774
You should do a thorough sweep of that Exchange Server and look to see if it has equally attempted logins.  Nothing like a good DNS log to find out where it's all coming from.
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

An overview of cyber security, cyber crime, and personal protection against hackers. Includes a brief summary of the Equifax breach and why everyone should be aware of it. Other subjects include: how cyber security has failed to advance with technol…
Securing your business data in current era should be your biggest priority. Numerous people are unaware of the fact that insiders commit more than 60 percent of security breaches. You need to figure out the underlying cause and invoke your potential…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question