We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you a podcast all about Citrix Workspace, moving to the cloud, and analytics & intelligence. Episode 2 coming soon!Listen Now

x

Event ID 529 Logon type 8

mpcm
mpcm asked
on
Medium Priority
1,970 Views
Last Modified: 2012-06-22
I keep getting these Failure Audit message in Event Viewer on my Small Business Server. The 1st time I noticed it there were 70,000 logs with the same message with different user names. There are no users in the domain with these names and it makes me very suspicious of hacking.
I cleared the events on the 8th and since then have received 27,000. Anyone know whats going on?

Logon Failure:
       Reason:Unknown user name or bad password
       User Name:      Echotouch
       Domain:(Domain Name)
       Logon Type:      8
       Logon Process: IIS    
       Authentication Package:MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name: (My Server Name)
       Caller User Name: (My Server Name)$
       Caller Domain: (Domain Name)
       Caller Logon ID:(0x0,0x3E7)
       Caller Process ID:      2416
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -
Comment
Watch Question

Commented:
Just like you say it seem that someone is trying to gain access to your network.
They will always try but  you must do your homework.
Lokk if a hacker want to gain access to your network he probably will. But if it has to come to that:
MAKE IT HARD SO HE WILL GIVE UP.

Here are a few steps to  help you. most of them are gathered  from EE and other sites.
Terminal Service Security
http://www.msterminalservices.org/articles/Locking-Down-Windows-Terminal-Services.html


TO find out what ports are open/exposed do the following

Start >Run >type "cmd" {enter}
At the command line type "netstat -a" {enter}

The list displayed shows "Listening ports" and established "Who is on the other end" connections to yout computer.

WARNING
This is a list of common Trojan/Backdoor Port numbers
http://www.sans.org/resources/idfaq/oddports.php


Who is listening? Use this syntax: netstat -an |find /i "listening"
Established Connections:  Use this syntax: netstat -an |find /i "established"

***** helpful Links*****
Secure your exchange server
http://support.microsoft.com/default.aspx?kbid=324958&product=sbserv2003

Port Assignments for Commonly-Used Services
http://www.microsoft.com/windows2000/techinfo/reskit/samplechapters/cnfc/cnfc_por_simw.asp

TCP/UDP Ports Used By Exchange 2000 Server
http://support.microsoft.com/default.aspx?scid=kb;en-us;278339

Shiny Port List :0)
http://hackerwhacker.com/portslist.html

http://www.incubus.co.uk/os/windows/netstat.htm
http://www.petri.co.il/quickly_find_local_open_ports.htm

*****Portscan Software*****

Scan Yourself (Free)

Scan your Ports with Port Detective: lets you scan your PC ports to see which are open, in use, or blocked. This will help you find out how vulnerable your system is to hackers, and will also let you know which ports you can use for applications such as Web servers
http://www.portdetective.com/

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.