I came in this morning and it was reported to me that I had over two thousand security entries in the event log with ID 529, as follows:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
User: NT AUTHORITY\SYSTEM
Reason: Unknown user name or bad password
User Name: BENCOMMS$
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: BENCOMMS
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp
BENCOMMS is my SBS server name and is running ISA and connected to the Internet via a router.
They appear to start at 13:06 last Friday and are still coming in now.
I have checked my router logs and ISA logs but cannot find anything suspicious, but admittedly I do not really know what I am looking for; I cannot seem to match anything up with the event times.
I started using netstat but got confused; I assume that some of the external IP addresses listed are websites that people are currently using.
Any help would be greatly appreciated.
Note: apologies for such low point value but I cannot work out how to convert my expert points - if you can help here then I will increase value - thanks.