Event ID: 529 Security Failure Audit
Hi
I administer a server that has recently begun to run very slowly, at times almost stopping altogether and requiring a reboot.
Several weeks ago our ISP locked us out because we were sending spam. I believe that I've dealt with that problem but the slow down persists.
The audit log was clear for several days then suddenly started to be littered with failures ID 529. I changed the Admin password to an obscure 20 random character one which seemed to help but this has begun again. For example
Logon Failure:
Reason: Unknown user name or bad password
User Name: 1
Domain: ***************
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: *****-SBS2K3
Caller User Name: *****-SBS2K3$
Caller Domain: ***************
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 10432
Transited Services: -
Source Network Address: 193.213.31.96
Source Port: 63609
I've run a netsta -ano and the result is below but I'm not sure how to interpret it.
The local address of the server is 192.168.16.1
Outside address is 62.49.88.84
My IP is 81.174.141.3
There are several IPs listed in the report that are unknown eg: 193.213.31.96:53822 showing Established. Am I correct in thinking that the Failure listed above from the same IP address port 63609 has connected successfully on port 53822?
If this is the case can someone give me some suggestion how to deal with the problem?
Thanks in advance
GHB
I administer a server that has recently begun to run very slowly, at times almost stopping altogether and requiring a reboot.
Several weeks ago our ISP locked us out because we were sending spam. I believe that I've dealt with that problem but the slow down persists.
The audit log was clear for several days then suddenly started to be littered with failures ID 529. I changed the Admin password to an obscure 20 random character one which seemed to help but this has begun again. For example
Logon Failure:
Reason: Unknown user name or bad password
User Name: 1
Domain: ***************
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: *****-SBS2K3
Caller User Name: *****-SBS2K3$
Caller Domain: ***************
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 10432
Transited Services: -
Source Network Address: 193.213.31.96
Source Port: 63609
I've run a netsta -ano and the result is below but I'm not sure how to interpret it.
The local address of the server is 192.168.16.1
Outside address is 62.49.88.84
My IP is 81.174.141.3
There are several IPs listed in the report that are unknown eg: 193.213.31.96:53822 showing Established. Am I correct in thinking that the Failure listed above from the same IP address port 63609 has connected successfully on port 53822?
If this is the case can someone give me some suggestion how to deal with the problem?
Thanks in advance
GHB
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Tolomir
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
ASKER
Sorry for the delay in closing I've been away.