  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1833
  • Last Modified:

Event ID 529 Logon type 8

I keep getting these Failure Audit messages in Event Viewer on my Small Business Server. The first time I noticed it, there were 70,000 logs with the same message with different user names. There are no users in the domain with these names, and it makes me very suspicious of hacking.
I cleared the events on the 8th and since then have received 27,000. Anyone know what's going on?

Logon Failure:
       Reason:Unknown user name or bad password
       User Name:      Echotouch
       Domain:(Domain Name)
       Logon Type:      8
       Logon Process: IIS    
       Authentication Package:MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name: (My Server Name)
       Caller User Name: (My Server Name)$
       Caller Domain: (Domain Name)
       Caller Logon ID:(0x0,0x3E7)
       Caller Process ID:      2416
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -
0
Asked by: mpcm

1 Solution

vico1 (CIO) commented:
Just like you say, it seems that someone is trying to gain access to your network.
They will always try, but you must do your homework.
Look, if a hacker wants to gain access to your network, he probably will. But if it has to come to that:
MAKE IT HARD SO HE WILL GIVE UP.

Here are a few steps to help you. Most of them are gathered from EE and other sites.
Terminal Service Security
http://www.msterminalservices.org/articles/Locking-Down-Windows-Terminal-Services.html


To find out what ports are open/exposed, do the following:

Start >Run >type "cmd" {enter}
At the command line type "netstat -a" {enter}

The list displayed shows "Listening ports" and established "Who is on the other end" connections to your computer.

WARNING
This is a list of common Trojan/Backdoor Port numbers
http://www.sans.org/resources/idfaq/oddports.php


Who is listening? Use this syntax: netstat -an |find /i "listening"
Established Connections:  Use this syntax: netstat -an |find /i "established"

***** helpful Links*****
Secure your exchange server
http://support.microsoft.com/default.aspx?kbid=324958&product=sbserv2003

Port Assignments for Commonly-Used Services
http://www.microsoft.com/windows2000/techinfo/reskit/samplechapters/cnfc/cnfc_por_simw.asp

TCP/UDP Ports Used By Exchange 2000 Server
http://support.microsoft.com/default.aspx?scid=kb;en-us;278339

Shiny Port List :0)
http://hackerwhacker.com/portslist.html

http://www.incubus.co.uk/os/windows/netstat.htm
http://www.petri.co.il/quickly_find_local_open_ports.htm

*****Portscan Software*****

Scan Yourself (Free)

Scan your Ports with Port Detective: lets you scan your PC ports to see which are open, in use, or blocked. This will help you find out how vulnerable your system is to hackers, and will also let you know which ports you can use for applications such as Web servers
http://www.portdetective.com/

0
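
An added example, not part of the original thread: a Python script that parses Event ID 529 descriptions in the layout shown in the question and groups the failures by logon type and logon process, to show whether many different account names are failing through one path. The sample records, the EXAMPLE and SBS01 names, and the `min_names` threshold are constructed assumptions.

```python
import re
from collections import Counter
# Logon type codes as documented by Microsoft for Windows security events.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 10: "RemoteInteractive"}
FIELD = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.*?)\s*$")

def parse_events(text):
    """Return one dict of fields per 'Logon Failure:' record in exported text."""
    events = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Logon Failure":
            events.append({})          # a new record starts here
        elif events:
            events[-1][key] = value
    return events

def summarize(events, min_names=3):
    """Group failures by (logon type, logon process) and flag many-name groups."""
    groups = {}
    for ev in events:
        t = ev.get("Logon Type", "")
        key = (int(t) if t.isdigit() else 0, ev.get("Logon Process", "?"))
        g = groups.setdefault(key, {"names": Counter(), "no_source": 0})
        g["names"][ev.get("User Name", "?")] += 1
        # "-" means the event itself recorded no client address.
        g["no_source"] += ev.get("Source Network Address", "-") == "-"
    return [{"logon_type": LOGON_TYPES.get(t, str(t)), "logon_process": p,
             "failures": sum(g["names"].values()),
             "distinct_users": len(g["names"]),
             "without_source_address": g["no_source"],
             "many_names": len(g["names"]) >= min_names}
            for (t, p), g in sorted(groups.items())]

def _record(user, ltype="8", proc="IIS"):
    # Constructed sample record; EXAMPLE and SBS01 are placeholder names.
    return ("Logon Failure:\n   Reason:Unknown user name or bad password\n"
            f"   User Name:      {user}\n   Domain:EXAMPLE\n"
            f"   Logon Type:      {ltype}\n   Logon Process: {proc}    \n"
            "   Workstation Name: SBS01\n   Source Network Address:      -\n")

SAMPLE = "".join(_record(u) for u in ["Echotouch", "admin1", "backup", "Echotouch"]) \
         + _record("jsmith", ltype="3", proc="NtLmSsp")
if __name__ == "__main__":
    print(*summarize(parse_events(SAMPLE)), sep="\n")
```

Where `without_source_address` equals `failures`, as in the event quoted in the question, the security log alone does not identify the client, so the logs of the service named in `logon_process` are the next place to look.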
