  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 5342
  • Last Modified:

Event id; 529 MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

I'm getting the following error every night around 8PM on a Domain Controller running SBS 2003.
The ID, Support, is a domain admin.
There are sometimes 7 - 700 security errors.
From my research, it could be an application, or a "Hack Attack".
How can I identify and resolve this problem?

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            10/10/2008
Time:            9:08:18 AM
User:            NT AUTHORITY\SYSTEM
Computer:      Servername
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      Support
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      Servername
       Caller User Name:      Servername$
       Caller Domain:      Domain
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      4696
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -
cookd47
Asked:
Olaf De Ceuster Commented:
Could be a service trying to log on with incorrect credentials. Have a look in the eventlog for any other errors.
Be a good idea to run a virus scan just in case.
Olaf
 
cookd47 Author Commented:
Administrator login failed 1027 times between 2000 last night and 0400 this morning. We normally get between 6 - 12 event 529 every night.

I will reward 1000 points for a solution.
How can we trace the source of this event?
There is nothing in the SonicWall log that suggests a "Brute Force" hack attempt.
 
anupnellip Commented:
This could also be a backup job trying to run using the support username.
Check all the tasks on the server. Check if you see any task running at 8. Check the user name used to run the task.
cookd47 Author Commented:
I suspect that it is the backup, but am unable to find an error in the backup log, or Windows log (other than security events). The backup takes most of the night. They have an application that backs up a database as well. Most nights we only get a few errors, but about every 8 - 10 days we get 600 - 1100 events. It is almost certainly an application/backup issue; I would like to track it down, document the cause, and present it to the client, who believes that hackers are after his system.
 
anupnellip Commented:
No hacker here. What backup do they use? Can you check the user name used for backup?
Is the backup running from the same server? The event log shows the Workstation name for the network logon; is it the backup server? You should look at that machine. If it is the same server then either it is a service or a net share that was used earlier.
Try typing the command
net use
If you find any device, use
net use /delete
Probably someone used the credentials to map a drive on the network?

You could also check this from under management & shares and active sessions.
 
cookd47 Author Commented:
There was a drive mapped prior to the last password change
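
As an added example that is not part of the original thread, the Python below parses exported Event 529 text in the layout shown in the question and tallies failures by account, workstation and caller process. It applies the check suggested in the thread (Workstation Name equal to the logging server, with no Source Network Address) as a heuristic for a local service or stale mapped drive; the host names, address and counts in `SAMPLE` are constructed, and `parse_events`, `origin` and `summarize` are names chosen here.

```python
import re
from collections import Counter

# Constructed sample: three Event 529 records in the layout shown in the question.
TEMPLATE = """Event Type:      Failure Audit
Event ID:      529
Time:            {time}
Computer:      SRV01
Logon Failure:
       User Name:      {user}
       Logon Type:      3
       Workstation Name:      {ws}
       Caller Process ID:      {pid}
       Source Network Address:      {addr}
"""
SAMPLE = "".join(TEMPLATE.format(**r) for r in [
    dict(time="8:01:10 PM", user="Support", ws="SRV01", pid="4696", addr="-"),
    dict(time="8:01:12 PM", user="Support", ws="SRV01", pid="4696", addr="-"),
    dict(time="8:05:40 PM", user="Administrator", ws="PC07", pid="-", addr="192.0.2.15"),
])

# "Field name: value" lines; the key ends at the first colon so times stay intact.
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):[ \t]*(.*?)\s*$")

def parse_events(text):
    """Split exported Security-log text into one dict per Event 529 record."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        fields = {}
        for line in chunk.splitlines():
            m = FIELD.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        if fields.get("Event ID") == "529":
            events.append(fields)
    return events

def origin(ev):
    """Heuristic: 'local' when the failure was generated on the logging server itself."""
    same_host = ev.get("Workstation Name", "").lower() == ev.get("Computer", "").lower()
    no_addr = ev.get("Source Network Address", "-") in ("-", "")
    return "local" if same_host and no_addr else "remote"

def summarize(events):
    """Count failures per (origin, account, logon type, workstation, caller PID)."""
    return Counter((origin(e), e.get("User Name"), e.get("Logon Type"),
                    e.get("Workstation Name"), e.get("Caller Process ID"))
                   for e in events)

if __name__ == "__main__":
    print(summarize(parse_events(SAMPLE)).most_common())
```

A large "local" bucket tied to one Caller Process ID points at a process on the server itself; that PID can be matched against the running process list while the failures are occurring.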