Solved

Event ID: 529 Security Failure Audit

Posted on 2011-09-06
4
611 Views
Last Modified: 2012-05-12
Hi

I administer a server that has recently begun to run very slowly, at times almost stopping altogether and requiring a reboot.

Several weeks ago our ISP locked us out because we were sending spam. I believe that I've dealt with that problem but the slow down persists.

The audit log was clear for several days then suddenly started to be littered with failures ID 529. I changed the Admin password to an obscure 20 random character one which seemed to help but this has begun again. For example

Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      1
       Domain:            ***************
       Logon Type:      10
       Logon Process:      User32  
       Authentication Package:      Negotiate
       Workstation Name:      *****-SBS2K3
       Caller User Name:      *****-SBS2K3$
       Caller Domain:      ***************
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      10432
       Transited Services:      -
       Source Network Address:      193.213.31.96
       Source Port:      63609

I've run a netsta -ano and the result is below but I'm not sure how to interpret it.

 netstat -ano result
The local address of the server is 192.168.16.1
Outside address is 62.49.88.84
My IP is 81.174.141.3

There are several IPs listed in the report that are unknown eg: 193.213.31.96:53822 showing Established. Am I correct in thinking that the Failure listed above from the same IP address port 63609 has connected successfully on port 53822?

If this is the case can someone give me some suggestion how to deal with the problem?

Thanks in advance

GHB
0
Comment
Question by:Gordon710
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 13

Accepted Solution

by:
connectex earned 500 total points
ID: 36493054
It looks like someone is attempting logons via port (3389 RDP). I'd recommend you disable forwarding port 3389 or restrict it to known IP addresses, if possible. If you must have RDP access I recommend you use a VPN then use RDP or consider another method of connecting to the server. It's not uncommon to see this when RDP is internet accessible.

-Matt-
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 36902192
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
 

Author Comment

by:Gordon710
ID: 36717416
Sorry for the delay in closing I've been away.
0

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Do you know what to look for when considering cloud computing? Should you hire someone or try to do it yourself? I'll be covering these questions and looking at the best options for you and your business.
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question