Solved

Event id; 529 MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Posted on 2008-10-11
Last Modified: 2013-11-08
I'm getting the following error every night around 8PM on a Domain Controller running SBS 2003.
The ID, Support, is a domain admin.
There are sometimes 7 - 700 security errors.
From my research, it could be an application, or a "Hack Attack".
How can I identify and resolve this problem?

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            10/10/2008
Time:            9:08:18 AM
User:            NT AUTHORITY\SYSTEM
Computer:      Servername
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      Support
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      Servername
       Caller User Name:      Servername$
       Caller Domain:      Domain
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      4696
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -
Question by:cookd47
7 Comments
 
LVL 22

Expert Comment

by:Olaf De Ceuster
ID: 22695958
Could be a service trying to log on with incorrect credentials. Have a look in the eventlog for any other errors.
Be a good idea to run a virus scan just in case.
Olaf
0
 

Author Comment

by:cookd47
ID: 22785138
Title:Event id; 529 MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Administrator login failed 1027 times between 2000 last night and 0400 this morning. We normally get between 6 - 12 event 529 every night.

I will reward 1000 points for a solution.
How can we trace the source of this event?
There is nothing in the SonicWall log that suggests a "Brute Force" hack attempt.
0
 
LVL 10

Expert Comment

by:anupnellip
ID: 22788626
This could also be a backup job trying to run using the support username.
Check all the tasks on the server. Check if you see any task running at 8. Check the user name used to run the task.
0
 

Author Comment

by:cookd47
ID: 22789247
I suspect that it is the backup, but am unable to find an error in the backup log or Windows log (other than security events). The backup takes most of the night. They have an application that backs up a database as well. Most nights we only get a few errors, but about every 8 - 10 days we get 600 - 1100 events. It is almost certainly an application/backup issue; I would like to track it down, document the cause, and present it to the client, who believes that Hackers are after his system.
0
 
LVL 10

Accepted Solution

by:
anupnellip earned 500 total points
ID: 22790724
No hacker here. What backup do they use? Can you check the user name used for the backup?
Is the backup running from the same server? The event log shows the Workstation Name for the network logon; is it the backup server? You should look at that machine. If it is the same server, then it is either a service or a net share that was used earlier.
Try typing the command
net use
If you find any device, use
net use <devicename> /delete
Probably someone used the credentials to map a drive on the network?

You could also check this under management > shares and active sessions.
0
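The triage suggested in the accepted answer, as an added example that is not part of the original thread: it parses Event ID 529 records exported as text in the layout quoted in the question and groups failures by user, origin, workstation and caller PID. Records with no Source Network Address and a Workstation Name equal to the logging computer are marked local, which points at a service, scheduled task or mapped drive on the server itself. SERVER1, PC07 and 192.0.2.15 are constructed placeholder values.

```python
import re
from collections import Counter

# Constructed sample records (placeholders, not data from the thread).
SAMPLE = """\
Event Type:      Failure Audit
Event ID:      529
Computer:      SERVER1
       User Name:      Support
       Workstation Name:      SERVER1
       Caller Process ID:      4696
       Source Network Address:      -
Event Type:      Failure Audit
Event ID:      529
Computer:      SERVER1
       User Name:      Support
       Workstation Name:      SERVER1
       Caller Process ID:      4696
       Source Network Address:      -
Event Type:      Failure Audit
Event ID:      529
Computer:      SERVER1
       User Name:      Administrator
       Workstation Name:      PC07
       Caller Process ID:      -
       Source Network Address:      192.0.2.15
"""

def parse_events(text):
    """One {field: value} dict per Event ID 529 record in an exported log."""
    field = re.compile(r"(?m)^\s*([^:\n]+):[ \t]*(.*)$")
    recs = re.split(r"(?m)^(?=Event Type:)", text)
    events = [{k.strip(): v.strip() for k, v in field.findall(r)} for r in recs]
    return [e for e in events if e.get("Event ID") == "529"]

def origin(ev):
    """'local' if the failed logon was requested on the logging server itself."""
    no_addr = ev.get("Source Network Address", "-") in ("", "-")
    same_host = ev.get("Workstation Name", "").lower() == ev.get("Computer", "").lower()
    return "local" if no_addr and same_host else "remote"

def summarize(text):
    """Count failures per (user, origin, workstation, caller PID)."""
    return Counter((e.get("User Name"), origin(e), e.get("Workstation Name"),
                    e.get("Caller Process ID")) for e in parse_events(text))

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```

For a local cluster, the Caller Process ID can be matched against the running processes on the server while the failures are occurring to find which service or session is presenting the old password.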
 

Author Closing Comment

by:cookd47
ID: 31505295
There was a drive mapped prior to the last password change.
0
