Solved

Event id; 529 MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Posted on 2008-10-11
Last Modified: 2013-11-08
I'm getting the following error every night around 8PM on a Domain Controller running SBS 2003.
The ID, Support, is a domain admin.
There are sometimes 7 - 700 security errors.
From my research, it could be an application, or a "Hack Attack".
How can I identify and resolve this problem?

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            10/10/2008
Time:            9:08:18 AM
User:            NT AUTHORITY\SYSTEM
Computer:      Servername
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      Support
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      Servername
       Caller User Name:      Servername$
       Caller Domain:      Domain
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      4696
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -
Question by:cookd47
LVL 22

Expert Comment

by:Olaf De Ceuster
ID: 22695958
Could be a service trying to log on with incorrect credentials. Have a look in the eventlog for any other errors.
Be a good idea to run a virus scan just in case.
Olaf
0
 

Author Comment

by:cookd47
ID: 22785138
Administrator login failed 1027 times between 2000 last night and 0400 this morning. We normally get between 6 - 12 event 529s every night.

I will reward 1000 points for a solution.
How can we trace the source of this event?
There is nothing in the SonicWall log that suggests a "Brute Force" hack attempt.
0
 
LVL 10

Expert Comment

by:anupnellip
ID: 22788626
This could also be a backup job trying to run using the Support username.
Check all the tasks on the server. Check if you see any task running at 8. Check the user name used to run the task.
0

Author Comment

by:cookd47
ID: 22789247
I suspect that it is the backup, but am unable to find an error in the backup log, or Windows log (other than security events). The backup takes most of the night. They have an application that backs up a database as well. Most nights we only get a few errors, but about every 8 - 10 days we get 600 - 1100 events. It is almost certainly an application/backup issue; I would like to track it down, document the cause, and present it to the client, who believes that Hackers are after his system.
0
 
LVL 10

Accepted Solution

by:
anupnellip earned 500 total points
ID: 22790724
No hacker here. What backup do they use? Can you check the user name used for the backup?
Is the backup running from the same server? The event log shows the Workstation Name for the network logon; is it the backup server? You should look at that machine. If it is the same server, then it is either a service or a net share that was used earlier.
Try typing the command
net use
If you find any device, use
net use <device> /delete
Probably someone used the credentials to map a drive on the network?

You could also check this from under management > shares and active sessions.
0
 

Author Closing Comment

by:cookd47
ID: 31505295
There was a drive mapped prior to the last password change
0
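
An added example, not part of the thread: one way to trace the source of repeated 529 failures is to export the events as text and tally them by account, origin and Caller Process ID. It assumes the export keeps the field layout of the event quoted in the question; SERVER1, WKSTN7, the times, the PID and the address in the sample are constructed.

```python
import re
from collections import Counter
from datetime import datetime

FIELD = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(.*?)\s*$")
# Constructed sample in the layout of the event quoted in the question;
# SERVER1, WKSTN7, the times, the PID and the address are made up.
TEMPLATE = """Event Type:      Failure Audit
Event ID:      529
Time:            {time}
Computer:      SERVER1
       User Name:      {user}
       Workstation Name:      {ws}
       Caller Process ID:      {pid}
       Source Network Address:      {addr}
"""
SAMPLE = "\n".join(TEMPLATE.format(time=t, user=u, ws=w, pid=p, addr=a) for t, u, w, p, a in [
    ("8:01:12 PM", "Support", "SERVER1", "4696", "-"),
    ("8:01:40 PM", "Support", "SERVER1", "4696", "-"),
    ("2:15:03 AM", "Administrator", "WKSTN7", "-", "192.0.2.50"),
])

def parse_events(text):
    """Return one dict of fields per Event ID 529 record in an exported dump."""
    events = []
    for m in filter(None, map(FIELD.match, text.splitlines())):
        key, value = m.groups()
        if key == "Event Type":        # first field of every record
            events.append({})
        if events:
            events[-1][key] = value
    return [e for e in events if e.get("Event ID") == "529"]

def summarize(events):
    """Count failures per (account, origin, caller PID) and per hour of day."""
    sources, hours = Counter(), Counter()
    for e in events:
        addr, ws = e.get("Source Network Address", "-"), e.get("Workstation Name", "")
        # No remote address and workstation == logging computer: the request
        # came from a process on the server itself (look up the caller PID).
        local = addr == "-" and ws.lower() == e.get("Computer", "").lower()
        origin = "local" if local else f"{ws}/{addr}"
        sources[(e.get("User Name"), origin, e.get("Caller Process ID"))] += 1
        hours[datetime.strptime(e["Time"], "%I:%M:%S %p").hour] += 1
    return sources, hours

if __name__ == "__main__":
    for key, n in summarize(parse_events(SAMPLE))[0].most_common():
        print(n, *key)
```

A `local` row with a numeric Caller Process ID, as in the event quoted in the question, points at a process on the server itself, which is consistent with the stale mapped drive found here.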
