fuzzyfreak
asked on
Thousands of Event ID 529: Am I being hacked?
I came in this morning and it was reported to me that I had over two thousand security entries in the event log with ID 529, as follows -
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 13/11/2006
Time: 12:24:40
User: NT AUTHORITY\SYSTEM
Computer: BENCOMMS
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: BENCOMMS$
Domain: BENTENLOCAL
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: BENCOMMS
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
BENCOMMS is my SBS server name and is running ISA and connected to the Internet via a router.
They appear to start at 13:06 last Friday and are still coming in now.
I have checked my Router logs and ISA logs but cannot find anything suspicious, but admittedly I do not really know what I am looking for, I cannot seem to match anything up with the event times.
I started using netstat but got confused, I assume that some of the external ip addresses listed are websites that people are currently using.
Any help would be greatly appreciated.
Note: apologies for such low point value but I cannot work out how to convert my expert points - if you can help here then I will increase value - thanks.
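The entry quoted above has a signature worth reading before reaching for netstat: the account failing is the server's own machine account (BENCOMMS$), the workstation name is the server itself, and there is no source network address, which is not what an outside password-guessing attempt looks like. The following Python script is an added example, not code from this thread or from Experts Exchange, that parses a text export of Security-log entries in the format shown and buckets each Event 529 by origin (the server's own machine account, an internal address, or an external one), and flags any single source address that tries several user names. The `INTERNAL_NETWORKS` ranges and every record other than the first are constructed assumptions for the example.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Assumed LAN ranges (an assumption for the example, not from the thread);
# a source address outside them is treated as Internet-side.
INTERNAL_NETWORKS = [ipaddress.ip_network("192.168.0.0/16"),
                     ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample export. Record 1 is the entry quoted in the question
# (abridged to the fields the code uses); records 2-4 are made up to give
# the triage a contrasting network-origin case.
SAMPLE_LOG = r"""
Event Type: Failure Audit
Event Source: Security
Event ID: 529
Date: 13/11/2006
Time: 12:24:40
User: NT AUTHORITY\SYSTEM
Computer: BENCOMMS
Reason: Unknown user name or bad password
User Name: BENCOMMS$
Domain: BENTENLOCAL
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: BENCOMMS
Source Network Address: -
Source Port: -

Event ID: 529
Time: 12:25:01
Computer: BENCOMMS
User Name: administrator
Logon Type: 3
Workstation Name: WKS-UNKNOWN
Source Network Address: 203.0.113.45

Event ID: 529
Time: 12:25:03
Computer: BENCOMMS
User Name: test
Logon Type: 3
Workstation Name: WKS-UNKNOWN
Source Network Address: 203.0.113.45

Event ID: 529
Time: 12:26:10
Computer: BENCOMMS
User Name: jsmith
Logon Type: 3
Workstation Name: JSMITH-PC
Source Network Address: 192.168.1.50
"""


def parse_events(text):
    """Split a text export of the Security log into one dict per record.
    Records are separated by blank lines; each line is 'Key: Value'."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip()] = value.strip()
        records.append(rec)
    return records


def classify(rec):
    """Bucket one Event 529 by where the failed logon came from."""
    user = rec.get("User Name", "").upper()
    computer = rec.get("Computer", "").upper()
    workstation = rec.get("Workstation Name", "").upper()
    source = rec.get("Source Network Address", "-")
    # The server's own machine account ($) failing against itself with no
    # network source points at the machine account / secure channel, not
    # at an outside party.
    if user == computer + "$" and workstation == computer and source == "-":
        return "local-machine-account"
    if source in ("", "-"):
        return "no-source"
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return "no-source"
    if any(addr in net for net in INTERNAL_NETWORKS):
        return "internal-source"
    return "external-source"


def triage(text):
    """Count 529s per bucket and flag sources that tried several user names."""
    events = [r for r in parse_events(text) if r.get("Event ID") == "529"]
    counts = Counter(classify(r) for r in events)
    users_by_source = defaultdict(set)
    for r in events:
        src = r.get("Source Network Address", "-")
        if src != "-":
            users_by_source[src].add(r.get("User Name", ""))
    multi = sorted(s for s, u in users_by_source.items() if len(u) > 1)
    return {"counts": dict(counts), "multi_user_sources": multi}
```

Calling `triage(SAMPLE_LOG)` puts the quoted entry in the `local-machine-account` bucket and the constructed records in `external-source` and `internal-source`, with `203.0.113.45` listed because it tried two different user names. A flood that lands entirely in the first bucket is the case the later replies in this thread address (the machine account password, checked with `DCDIAG /test:MachineAccount` and repaired per the KB article they cite); entries with a real source address are the ones to match against router and ISA logs by time and address.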
Since you never responded to my post here: http:Q_22038314.html can you at least confirm that you've made those changes? Because otherwise it's difficult to determine what's causing this.
Jeff
TechSoEasy
ASKER
Hi CharliePete00,
I ran the DCDIAG command and the test passed successfully.
FYI, you aren't able to become an "expert" until you reach 10,000 points. So, you can't use the points earned until you reach that target.
Jeff
TechSoEasy
ASKER
This is still happening and I have discovered that it happens right before a process starts, that is to say, it happens at the same time stamp that a process starts successfully, so though it is not debilitating to the server, it is an annoyance and presumably so many events is going to affect system performance.
Points upgraded to 500.
Ahhh... that makes sense now... your Machine Account password has gotten corrupt somehow. Follow the steps in this KB article to repair it:
http://support.microsoft.com/kb/325850
Jeff
TechSoEasy
ASKER
Hi Jeff, I ran through this article but do not understand step 2. I only have one DC, the SBS server with the problem, so if I set the Kerberos Key Distribution Center service to manual and restart the server, where will it get its Kerberos ticket?
It then goes on to say "If you can, do not disable the domain controller that has the global catalog, unless it is experiencing problems."
So, do I set this service to manual or ignore step 2?
With this in mind, what would be the syntax of my command?
Thanks
ASKER CERTIFIED SOLUTION
ASKER
Thanks very much Jeff. I've done that and am now monitoring.
ASKER
Thanks Jeff, that worked a treat.
DCDIAG /s:<Your Server> /test:MachineAccount