Event 529 Logged for multiple user accounts, all from the same computer.

Johnboy722 asked on
Windows Server 2003, Network Security
Today, while reviewing one of our servers' security logs, I noticed that there were a substantial amount of Logon Failure events (Event 529). Upon further inspection, I found that all of the events were generated from a single computer, and there were several different usernames that were used. In all, 88 different usernames were tried, and each username was tried 252 times. Since this is a remote overseas facility, and I won't be able to have anyone check the computer until Sunday, I'd like to know if this sounds like some sort of attack, possible virus activity, or just some fluke that I've never seen before.

The server is a Windows 2003 Server, w/ SP1
The workstation is likely a Windows XP Pro w/ SP2 desktop. (Currently powered off, or otherwise unreachable)

Any help is greatly appreciated!

Here is an example of the event from the log.

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            2/25/2009
Time:            6:55:49 PM
User:            NT AUTHORITY\SYSTEM
Computer:      ServerName (Domain Controller)
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:            valid_username
       Domain:            Our_Domain
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      PC_In_Question
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:      192.168.x.x
       Source Port:      0

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
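
A triage sketch for the pattern described in the question (many usernames failing from one workstation), added here as an example and not part of the original thread. It assumes the Security log has been exported as text in the layout of the event quoted above; the function names, the `min_users` threshold, and the sample records are constructed for illustration.

```python
import re
from collections import defaultdict

# Fields read from the text form of Event 529 (layout as in the event quoted above).
FIELD_RE = re.compile(
    r"^[ \t]*(Event ID|User Name|Workstation Name):(.*)$", re.MULTILINE)

def parse_events(text):
    """Split an exported Security log on 'Event Type:' and keep the 529 records."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        fields = {k: v.strip() for k, v in FIELD_RE.findall(chunk)}
        if fields.get("Event ID") == "529":
            events.append(fields)
    return events

def summarize_by_source(events):
    """Map workstation -> {username: failed attempts}."""
    per_source = defaultdict(lambda: defaultdict(int))
    for ev in events:
        per_source[ev.get("Workstation Name", "?")][ev.get("User Name", "?")] += 1
    return {src: dict(users) for src, users in per_source.items()}

def flag_sources(summary, min_users=10):
    """Workstations failing against many distinct accounts (threshold is an assumption)."""
    return sorted(s for s, users in summary.items() if len(users) >= min_users)

# Constructed sample record; only the fields the parser reads plus one decoy line.
TEMPLATE = (
    "Event Type:      Failure Audit\n"
    "Event ID:      529\n"
    "Logon Failure:\n"
    "       User Name:            {user}\n"
    "       Workstation Name:      {ws}\n"
    "       Caller User Name:      -\n\n"
)

def build_sample():
    """PC_A fails against 12 accounts 3 times each; PC_B mistypes one password twice."""
    recs = [TEMPLATE.format(user=f"user{i:02d}", ws="PC_A")
            for i in range(12) for _ in range(3)]
    recs += [TEMPLATE.format(user="jsmith", ws="PC_B")] * 2
    return "".join(recs)

if __name__ == "__main__":
    summary = summarize_by_source(parse_events(build_sample()))
    for src in flag_sources(summary):
        users = summary[src]
        print(src, len(users), "usernames,", sum(users.values()), "failures")
```

A source that fails against many distinct accounts with the same attempt count per account looks automated rather than like a user mistyping a password, which is what separates PC_A from PC_B in the constructed sample.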
