Multiple Unauthorised logon attempts

The Event Viewer on our SBS2003 server (which also runs MS Exchange) has shown two instances of logging multiple 529 errors as below.

There are multiple entries logged in succession over approx. ten minutes. The messages are all as below, except that the username entries are random (e.g. null, admin, 1234, bevis, shannon, soccer, etc.).

During one apparent attack I disconnected the company broadband and they stopped instantly, so it looks as though this is coming from outside the network.

Can anybody advise on how we should trace and deal with this situation please?

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            30/01/2008
Time:            04:14:55
User:            NT AUTHORITY\SYSTEM
Computer:      SEMA01
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      shannon
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      Severname
       Caller User Name:      servername$
       Caller Domain:      SEMA
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      2712
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

For more information, see Help and Support Center at
cpmcomputers (Managing Director) asked:
Run ping and tracert on host:
     Computer:      SEMA01

Install a personal firewall with the ability to always block ports, both incoming and outgoing, such as ZoneAlarm.

Consider having a packet analyzer available to review the next event. Microsoft has one decent enough to do this called NetMon (Microsoft Network Monitor 3, listed under Protocol Analyzers).

You should consider turning off all remote access until this is locked down better; especially, do not allow remote logons. In worse cases you can and should rename affected systems, change addresses, etc. Make sure your server is not advertising itself; recognise that it has become known to anonymous others and react accordingly.

Jeffrey Kane - TechSoEasy (Principal Consultant) commented:
This is one of those questions that's been asked a hundred times on EE.

Have you reviewed any of those to see if they match your problem?

Do you have any services running under a user or administrator account?

cpmcomputers (Managing Director, Author) commented:
Thanks to TechSoEasy and SunBow.

The Server is protected by ISA 2004.
I have downloaded netmonitor and will use it to track any further attacks

This problem has not re-occurred since we tightened up our security, but we are changing our server IP and settings as a precaution.

We have implemented a strong password policy and restricted remote access to only those few users who actually need it. We have further implemented a lockout policy after three unsuccessful login attempts.

Why does the security log not actually record the originating IP of the logon attempts?
Is it possible to have an email alert to an administrator generated for specific events?

Any advice on any other actions we could/should be taking?

Jeffrey Kane - TechSoEasy (Principal Consultant) commented:
The reason it doesn't show the originating IP is because it's a Logon Type "3", which is NOT coming from the outside. Type 3 is a NETWORK logon, i.e. a connection to a shared folder on this computer from elsewhere on the network, or an IIS logon. Since the username is NT AUTHORITY\SYSTEM, that would indicate it could just be something internal to that server and not even coming from another machine.

I think that your attempts to "tighten up our security" are misguided, actually.
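As an added example (not from the thread and not written by either participant), the script below parses Event Viewer text exports in the format pasted in the question, clusters 529 failure audits that fall within ten minutes of each other, and reports for each burst how many distinct usernames were tried and what the record itself says about the origin. In the pasted event, Logon Process is Advapi and Caller User Name is the server's own machine account, which means a process running on the server called the LogonUser API; event 529 records that caller's PID (2712 in the question) but not the network peer that process may have been serving, which is why Source Network Address is "-". The script therefore points at the PID for correlation with that service's own logs rather than at an address. The sample events are constructed from the question's template; the computer name and PID are reused from the question, and the ten-minute window and five-failure threshold are assumptions.

```python
"""Cluster Windows 2003 'Event ID 529' failure audits into brute-force bursts.

Added example, not from the original thread. The record layout follows the
event pasted in the question; the sample events below are constructed.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# "Key:   value" lines of an Event Viewer text export (key may contain spaces).
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")


def parse_events(text):
    """Split an Event Viewer text export into dicts, one per 'Event Type:' record."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        if not chunk.strip():
            continue
        fields = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        if fields.get("Event ID") != "529":
            continue
        # Date is dd/mm/yyyy, as in the question's (UK) locale.
        fields["when"] = datetime.strptime(
            fields["Date"] + " " + fields["Time"], "%d/%m/%Y %H:%M:%S")
        events.append(fields)
    return sorted(events, key=lambda e: e["when"])


def describe_source(ev):
    """Say where the failed attempt came from, using only what 529 records."""
    src = ev.get("Source Network Address", "-")
    if src not in ("", "-"):
        return "network client %s:%s" % (src, ev.get("Source Port", "-"))
    if ev.get("Logon Process") == "Advapi":
        # A local process called LogonUser. 529 logs that process's PID, not
        # the remote peer it may have been serving (a web or SMTP session, for
        # instance), so map the PID to a service and read that service's logs.
        return "local process PID %s (caller %s) via LogonUser; check that process's own logs" % (
            ev.get("Caller Process ID"), ev.get("Caller User Name"))
    return "unrecorded"


def find_bursts(events, window=timedelta(minutes=10), min_failures=5):
    """Group 529s whose timestamps fall within `window` of the group's first event."""
    groups, current = [], []
    for ev in events:
        if current and ev["when"] - current[0]["when"] > window:
            groups.append(current)
            current = []
        current.append(ev)
    if current:
        groups.append(current)
    bursts = []
    for grp in groups:
        if len(grp) < min_failures:
            continue  # a few scattered typos, not a guessing run
        names = Counter(e.get("User Name", "") for e in grp)
        bursts.append({
            "start": grp[0]["when"], "end": grp[-1]["when"], "count": len(grp),
            "distinct_users": len(names), "top_users": names.most_common(5),
            "source": describe_source(grp[0]),
        })
    return bursts


# Constructed record template, laid out like the event in the question.
TEMPLATE = """Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            {date}
Time:            {time}
User:            NT AUTHORITY\\SYSTEM
Computer:      SEMA01
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      {user}
       Logon Type:      3
       Logon Process:      Advapi
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      SEMA01
       Caller User Name:      SEMA01$
       Caller Domain:      SEMA
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      2712
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -
"""


def sample_log():
    """Constructed sample: one stray failure plus an eight-guess run over ~8 minutes."""
    start = datetime(2008, 1, 30, 4, 14, 55)
    guesses = ["", "admin", "1234", "bevis", "shannon", "soccer", "administrator", "test"]
    records = [TEMPLATE.format(date="30/01/2008", time="09:02:11", user="shannon")]
    for i, user in enumerate(guesses):  # "" stands for the null username
        t = start + timedelta(seconds=70 * i)
        records.append(TEMPLATE.format(date=t.strftime("%d/%m/%Y"),
                                       time=t.strftime("%H:%M:%S"), user=user))
    return "".join(records)


def report(text):
    return find_bursts(parse_events(text))


if __name__ == "__main__":
    for b in report(sample_log()):
        print("%s..%s  %d failures, %d usernames, origin: %s" % (
            b["start"], b["end"], b["count"], b["distinct_users"], b["source"]))
```

Feed it a saved Event Viewer text export instead of `sample_log()` to get the same summary for the real log; the single 09:02 failure in the sample falls below the threshold and is ignored, which is the behaviour you want once a lockout policy is in place and occasional mistyped passwords start appearing.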


cpmcomputers (Managing Director, Author) commented:
Thanks to TechSoEasy and SunBow - both offered prompt and relevant 'pointers' to my problem, for which I am grateful. However, neither really provided the definitive answer to what was happening or a definitive resolution. Either subsequent actions I carried out resolved the issue, or the attacker simply gave up? Sorry for leaving the question open for so long, and thank you once again to the guys - despite the 'unresolved' ending to this, I feel they are both worthy of the points awarded.