Johnboy722

asked on

Event 529 Logged for multiple user accounts, all from the same computer.

Today, while reviewing one of our servers' security logs, I noticed that there were a substantial number of Logon Failure events (Event 529). Upon further inspection, I found that all of the events were generated from a single computer, and there were several different usernames that were used. In all, 88 different usernames were tried, and each username was tried 252 times. Since this is a remote overseas facility, and I won't be able to have anyone check the computer until Sunday, I'd like to know if this sounds like some sort of attack, possible virus activity, or just some fluke that I've never seen before.

The server is a Windows 2003 Server, w/ SP1
The workstation is likely a Windows XP Pro w/ SP2 desktop. (Currently powered off, or otherwise unreachable)

Any help is greatly appreciated!

Here is an example of the event from the log.

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            2/25/2009
Time:            6:55:49 PM
User:            NT AUTHORITY\SYSTEM
Computer:      ServerName (Domain Controller)
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:            valid_username
       Domain:            Our_Domain
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      PC_In_Question
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:      192.168.x.x
       Source Port:      0


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

ASKER CERTIFIED SOLUTION
Bembi

This solution is only available to members.
Johnboy722

ASKER

I have already blocked the machine just in case. Since the machine is off, and I have no access to it at the moment, the scan will have to wait until after the weekend, when my counterpart there will be able to check the computer for viruses etc.
I can't see any discernible pattern as to how the usernames were chosen, but I know that they are all legitimate user accounts. The times between the events were small, like one per second, or less. I will post back once the computer has been scanned to let you know what I find.

Fine so far. 1 second is short for typing a password by hand.

An external hacker would hit some valid user names, but also a lot of invalid user names. My idea is that a member or ex-member, or maybe a service person of the company, who knows the user names or at least how the system generates them, tried to hack into the system. As members of the company would have their own account, this person either does not want to use their own account, or that account was blocked due to leaving the company. With a bunch of known user names and maybe some common password, he seems to be trying them out against all user names?

From the system and how the hacking attempt takes place, you should find out who it is. I don't believe that this attack comes from external. Nevertheless, a virus can be the issue, if the virus has access to AD information, where the user names are readable.
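
The indicators the asker reports (many accounts tried from one workstation, the same count per account, roughly one attempt per second, every name a real account) and the distinction Bembi draws between an outside wordlist attack that hits many invalid names and an insider or AD-aware program that only tries real ones can both be computed from an exported security log. The script below is an added example, not code from anyone in this thread. It constructs a small Event Viewer text export in the layout of the event quoted in the question, parses it, groups Event 529 records by Workstation Name, and applies those rules of thumb. The account list, workstation names, addresses, timestamps and thresholds are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample data (not a real log): names, hosts and addresses are made up.
USERS = ["jsmith", "mlee", "akhan", "rgarcia", "tchen"]
KNOWN_ACCOUNTS = set(USERS) | {"jdoe", "svc_backup"}  # stands in for the AD user list

# Layout of the Event 529 record quoted in the question (tabs as Event Viewer exports them).
RECORD_TEMPLATE = (
    "Event Type:\tFailure Audit\nEvent Source:\tSecurity\nEvent ID:\t529\n"
    "Date:\t\t{date}\nTime:\t\t{time}\nUser:\t\tNT AUTHORITY\\SYSTEM\nComputer:\tServerName\n"
    "Description:\nLogon Failure:\n \tReason:\t\tUnknown user name or bad password\n"
    " \tUser Name:\t{user}\n \tDomain:\t\tOur_Domain\n \tLogon Type:\t3\n"
    " \tLogon Process:\tNtLmSsp\n \tAuthentication Package:\tNTLM\n"
    " \tWorkstation Name:\t{workstation}\n \tSource Network Address:\t{source}\n"
    " \tSource Port:\t0\n\nFor more information, see Help and Support Center at "
    "http://go.microsoft.com/fwlink/events.asp.\n\n"
)

def record(t, user, workstation, source):
    """Render one record with the unpadded date/time the question's event shows."""
    return RECORD_TEMPLATE.format(date=f"{t.month}/{t.day}/{t.year}",
                                  time=f"{t.hour % 12 or 12}:{t:%M:%S} {t:%p}",
                                  user=user, workstation=workstation, source=source)

START = datetime(2009, 2, 25, 18, 55, 49)
# Ten failures from one workstation, one per second, cycling through five valid
# accounts twice, followed by a single unrelated failure two hours later.
SAMPLE_EXPORT = "".join(
    record(START + timedelta(seconds=i), USERS[i % 5], "PC_In_Question", "192.168.1.50")
    for i in range(10)
) + record(START + timedelta(hours=2), "jdoe", "HR_LAPTOP", "192.168.1.77")

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*):\s*(.*?)\s*$")

def parse_export(text):
    """One dict per record: 'Event Type:' opens a record, other 'Key:<tab>value'
    lines are stored on it. Free text such as the 'For more information' line is skipped."""
    events, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Event Type":
            current = {}
            events.append(current)
        if current is not None:
            current[key] = value
    return events

def event_time(ev):
    return datetime.strptime(f"{ev['Date']} {ev['Time']}", "%m/%d/%Y %I:%M:%S %p")

def classify(stats, min_users=5, max_gap_s=1.0, min_valid_ratio=0.9):
    """Rule of thumb from the thread (thresholds are assumptions): sub-second pacing
    rules out hand typing; a name list that is nearly all real accounts points to
    someone or something that can read them rather than an outside wordlist."""
    if stats["distinct_users"] < min_users:
        return "isolated failures"
    if stats["median_gap_s"] is not None and stats["median_gap_s"] > max_gap_s:
        return "many accounts, human-paced"
    if stats["valid_name_ratio"] >= min_valid_ratio:
        return "automated spray against known accounts (insider knowledge or AD-aware program)"
    return "automated spray with guessed names"

def summarize_failures(events, known_accounts):
    """Group Event 529 by Workstation Name and compute volume, spread across
    accounts, pacing and the share of tried names that exist in known_accounts."""
    known = {a.lower() for a in known_accounts}
    by_ws = defaultdict(list)
    for ev in events:
        if ev.get("Event ID") == "529":
            by_ws[ev.get("Workstation Name", "?")].append(ev)
    report = {}
    for ws, evs in by_ws.items():
        times = sorted(event_time(e) for e in evs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        per_user = Counter(e["User Name"] for e in evs)
        stats = {
            "source": evs[0].get("Source Network Address"),
            "attempts": len(evs),
            "distinct_users": len(per_user),
            "attempts_per_user": (min(per_user.values()), max(per_user.values())),
            "valid_name_ratio": sum(u.lower() in known for u in per_user) / len(per_user),
            "median_gap_s": median(gaps) if gaps else None,
        }
        stats["verdict"] = classify(stats)
        report[ws] = stats
    return report

if __name__ == "__main__":
    for ws, s in summarize_failures(parse_export(SAMPLE_EXPORT), KNOWN_ACCOUNTS).items():
        print(f"{ws:15} {s['source']:13} attempts={s['attempts']:<3} users={s['distinct_users']:<3}"
              f" per_user={s['attempts_per_user']} valid={s['valid_name_ratio']:.0%}"
              f" gap={s['median_gap_s']}s -> {s['verdict']}")
```

Run against a real export, the figures from the question (88 accounts, 252 attempts each, about one per second, all legitimate names, Logon Type 3 over NTLM with Source Port 0) land in the "known accounts" bucket, which is exactly the fork Bembi describes: a person who knows the account names, or a program on the workstation that can enumerate them from the directory. The verdict only narrows where to look; it cannot tell an insider from malware, and in this thread the answer turned out to be the latter once the workstation was scanned.
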

I was actually leaning more toward a virus or some other bad program. We did have a problem a while back with a virus outbreak at that plant. We hadn't seen anything for a while after we were able to clean everything up, but some sort of virus would not surprise me at this point.

We should know more at the end of the weekend.

I got some feedback this morning. This is what our guy there says...

"After a deep search on this computer, I found out that a virus named W32/HLLP.Philis.remnants was located in some HR software folder (on local disk). It seems to be active when a user tries to run a script command from a Microsoft Office Access file."

After he scanned and removed the virus, I haven't seen anything further from this computer.