Solved

Thousands of Event ID 529: Am I being hacked?

Posted on 2006-11-13
10
1,272 Views
Last Modified: 2012-08-13
I came in this morning and it was reported to me that I had over two thousand security entries in the event log with ID 529, as follows -

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            13/11/2006
Time:            12:24:40
User:            NT AUTHORITY\SYSTEM
Computer:      BENCOMMS
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      BENCOMMS$
       Domain:            BENTENLOCAL
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      BENCOMMS
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

BENCOMMS is my SBS server name and is running ISA and connected to the Internet via a router.  
They appear to start at 13:06 last Friday and are still coming in now.
I have checked my Router logs and ISA logs but cannot find anything suspicious, but admittedly I do not really know what I am looking for, I cannot seem to match anything up with the event times.

I started using netstat but got confused, I assume that some of the external ip addresses listed are websites that people are currently using.

Any help would be greatly appreciated.

Note: apologies for such low point value but I cannot work out how to convert my expert points - if you can help here then I will increase value - thanks.
0
Comment
Question by:fuzzyfreak
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
10 Comments
 
LVL 7

Expert Comment

by:CharliePete00
ID: 17932486
BENCOMMS$ is the machine account for your DC, correct?  If so this may not be a hacking attempt at all it just may be a problem with the computer account.  Execute the following from the command-line and report any errors:

DCDIAG /s:<Your Server> /test:MachineAccount
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17932668
Since you never responded to my post here:  http:Q_22038314.html can you at least confirm that you've made those changes?  Because otherwise it's difficult to determine what's causing this.

Jeff
TechSoEasy
0
 
LVL 4

Author Comment

by:fuzzyfreak
ID: 17938184
Hi CharliePete00,

I ran the DCDIAG command and the test passed successfully.
0
Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17939154
FYI, you aren't able to become an "expert" until you reach 10,000 points.  So, you can't use the points earned until you reach that target.

Jeff
TechSoEasy
0
 
LVL 4

Author Comment

by:fuzzyfreak
ID: 17965621
This is still happeneing and I have discovered that it happens right before a process starts, that is to say, it happens at the same time stamp that a process starts successfully, so though it is not debilitating to the server, it is an annoyance and presumably so many events is going to affect system performance.

Points upgraded to 500.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17967328
Ahhh... that makes sense now... your Machine Account password has gotten corrupt somehow.  Follow the steps in this KB article to repair it:
http://support.microsoft.com/kb/325850

Jeff
TechSoEasy
0
 
LVL 4

Author Comment

by:fuzzyfreak
ID: 17990158
Hi Jeff, I ran through this article but do not understand step 2.  I only have one DC, the SBS server with the problem, so if I set the Kerberos Key Distribution Center service to manual and restart the server, where will it get its Kerberos ticket?
It then goes on to say "If you can, do not disable the domain controller that has the global catalog, unless it is experiencing problems."

So, do I set this service to manual or ignore step 2?
With this in mind, what would be the syntax of my command?

Thanks
0
 
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 500 total points
ID: 17990829
Just skip those steps.  Your syntax should be something like this:

netdom resetpwd /s:BENCOMMS /ud:BENTENLOCAL\administrator /pd:*

Then, just reboot and you should be fine.

Jeff
TechSoEasy
0
 
LVL 4

Author Comment

by:fuzzyfreak
ID: 18006412
Thanks very much Jeff.  I've done that and am now monitoring.
0
 
LVL 4

Author Comment

by:fuzzyfreak
ID: 18019669
Thanks Jeff, that worked a treat.
0

Featured Post

Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction At 19:33 (UST) on Tuesday 21st September the long awaited email arrived with the subject title of “ANNOUNCING THE AVAILABILITY OF WINDOWS SBS 7 PREVIEW”.  It was time to drop whatever I was doing and dedicate as much bandwidth as possi…
The problem of the system drive in SBS 2003 getting full continues to be an issue, even though SBS 2008 and SBS 2011 are both in the market place.  There are several solutions to this, including adding additional drive space or using third party uti…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question