Multiple Security login failure Event ID:529

Since early this morning there has been a login failure, with an unknown user id, about twice a minute. The ID's are changing, staring with amy, and working up alphabetical names. The ID tony is now being used.
I assume that an automated Hacking tools is being used.
I hate to assume that it will always fail.
Any suggestions?
Here is a sample of the event (valid domain name is substituted for actual domain.

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            7/6/2006
Time:            8:05:06 AM
User:            NT AUTHORITY\SYSTEM
Computer:      HOUSV02
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      tomy
       Domain:            "valid domain name"
       Logon Type:      2
       Logon Process:      IIS    
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      HOUSV02
cookd47Asked:
Who is Participating?
 
GinEricConnect With a Mentor Commented:
Actually, it's probably not an attempt to break in, it's an attempt to harvest all of your usernames.

If you don't own a computer named "HOUSV02" then you need to find out who does.  This seems like it's coming in on Samba or, if you're running Windows, it's trying to login as a machine.

It may be that you're runnign Internet Information Server [IIS] and he already knows the path to your admin and scripts directory and he's trying to get in there; if he succeeds, he will pretty much have all of your user information, perhaps right down to credit cards and stuff.

Which is why you don't install IIS in the default places.

I recognise the script.  Someone is trying to harvest email addresses from your server and will probably sell them on a CD to people who need email lists.

You should track him down, by IP Address and time, and build evidence against him.  It's most likely an offshore account, but run by someone in New York City in the Madison Avenue advertising district.

Get it?
0
 
cookd47Author Commented:
I suspect that you are right. HOUSV02 is the Exchange Server; we are using Outlook Web Access, which requires IIS. This is complicated by an outdated CISCO firewall that we do not have a password for. Attempts to access via console have been unsuccessful. A new Firewall is on site, and will be setup tomorrow. New servers are on order as well
0
 
GinEricCommented:
You should do a thorough sweep of that Exchange Server and look to see if it has equally attempted logins.  Nothing like a good DNS log to find out where it's all coming from.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.