Solved

On a Windows XP PC seeing Security Event 529 logon failures along with corresponding "122 KRB Error: KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN" Wireshark packets

Posted on 2011-09-30
913 Views
Last Modified: 2012-05-12
Seeing spurts of Event ID 529 logon failures on a workstation at a remote office. An example of one of the events is included below. We will see the better part of several hundred per day, and the time ranges vary when they appear. The username on a large number of these events shows "administrator" or "admin" and other times shows random user names. This has all the appearances of a dictionary attack, and we originally found this via an audit of our Domain Controller security logs. The computer name listed on the event IDs always indicates the local computer name.

We have run various anti-virus and anti-spyware applications on the workstation but all have come up clean.

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            9/30/2011
Time:            8:44:43 AM
User:            NT AUTHORITY\SYSTEM
Computer:      "WORKSTATION NAME"
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      david
       Domain:            "DOMAIN NAME"
       Logon Type:      10
       Logon Process:      User32  
       Authentication Package:      Negotiate
       Workstation Name:      "WORKSTATION NAME"

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Installed Wireshark and have matched up activity from the captured packet dumps to the event ID failures.
Question by: haloexpertsexchange
1 Comment
 

Accepted Solution by: yasserd (earned 2000 total points), ID: 36898766
The login attempts are from a remote machine. That's what logon "type 10" means. The workstation name could mean the workstation where the event occurred. So, you need to investigate.

http://www.windowsecurity.com/articles/Logon-Types.html

http://technet.microsoft.com/en-us/library/cc765981(WS.10).aspx
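The triage the question and the accepted answer describe, as an added example that is not part of the original thread: parse 529 events in the Event Viewer text layout the poster pasted, decode the logon type (10 is RemoteInteractive, a Terminal Services / Remote Desktop session, so the guesses arrive over RDP from another host), and flag bursts of failures against many different names. The sample events, the domain CORP and the workstation WS-REMOTE01 are constructed placeholders for the poster's redacted values, and the 60-second gap and five-event threshold are assumptions to tune for your own volume. The event as posted carries no source address, which is why the Wireshark capture is where the origin has to be found; the KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN replies are the KDC answering that the requested client principal does not exist, which fits the "Unknown user name" reason on guessed names.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Logon types as documented for Security event 529 on Windows XP / Server 2003.
# Type 10 is a Terminal Services (Remote Desktop) session from another host.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

# Account names password-guessing tools usually try first.
PRIVILEGED_NAMES = {"administrator", "admin", "root"}

# Event Viewer text layout of a 529 event, as shown in the post. CORP and
# WS-REMOTE01 are placeholders for the poster's redacted domain and workstation.
EVENT_TEMPLATE = """\
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            {date}
Time:            {time}
User:            NT AUTHORITY\\SYSTEM
Computer:      {ws}
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      {user}
       Domain:            CORP
       Logon Type:      {ltype}
       Logon Process:      User32
       Authentication Package:      Negotiate
       Workstation Name:      {ws}
"""

# Constructed sample: a short burst of RDP guesses against common names,
# then one unrelated console typo half an hour later.
SAMPLE_EVENTS = [("8:44:41 AM", "administrator", 10), ("8:44:42 AM", "admin", 10),
                 ("8:44:43 AM", "david", 10), ("8:44:43 AM", "test", 10),
                 ("8:44:44 AM", "guest", 10), ("8:44:45 AM", "administrator", 10),
                 ("9:15:02 AM", "jsmith", 2)]
SAMPLE_LOG = "\n".join(
    EVENT_TEMPLATE.format(date="9/30/2011", time=t, user=u, ltype=lt, ws="WS-REMOTE01")
    for t, u, lt in SAMPLE_EVENTS)

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_events(text):
    """Split Event Viewer text into one dict per event, keyed by field name."""
    events, current = [], None
    for line in text.splitlines():
        if line.startswith("Event Type:"):
            current = {}
            events.append(current)
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return events


def to_record(ev):
    """Normalise one parsed 529 event into the fields the detection needs."""
    ltype = int(ev["Logon Type"])
    return {"time": datetime.strptime(ev["Date"] + " " + ev["Time"], "%m/%d/%Y %I:%M:%S %p"),
            "user": ev["User Name"].lower(),
            "logon_type_name": LOGON_TYPES.get(ltype, "Unknown"),
            "workstation": ev["Workstation Name"],
            "reason": ev["Reason"]}


def summarize(ws, run, threshold):
    """Turn a run of closely spaced failures into a triage finding, if big enough."""
    if len(run) < threshold:
        return []
    users = Counter(r["user"] for r in run)
    return [{"workstation": ws, "start": run[0]["time"], "end": run[-1]["time"],
             "failures": len(run), "distinct_users": len(users),
             "privileged_targeted": sorted(set(users) & PRIVILEGED_NAMES),
             "logon_types": sorted({r["logon_type_name"] for r in run})}]


def find_bursts(records, max_gap=timedelta(seconds=60), threshold=5):
    """Per workstation, group failures into runs whose consecutive events are at
    most max_gap apart and report each run with at least threshold events. Many
    distinct names in one run, admin names among them, is the dictionary-attack
    shape the post describes; a lone failure is a typo."""
    findings, by_ws = [], {}
    for r in sorted(records, key=lambda r: r["time"]):
        by_ws.setdefault(r["workstation"], []).append(r)
    for ws, recs in by_ws.items():
        run = [recs[0]]
        for r in recs[1:]:
            if r["time"] - run[-1]["time"] <= max_gap:
                run.append(r)
            else:
                findings.extend(summarize(ws, run, threshold))
                run = [r]
        findings.extend(summarize(ws, run, threshold))
    return findings


if __name__ == "__main__":
    records = [to_record(e) for e in parse_events(SAMPLE_LOG)]
    for f in find_bursts(records):
        print(f"{f['workstation']}: {f['failures']} failures {f['start']:%H:%M:%S}-"
              f"{f['end']:%H:%M:%S}, {f['distinct_users']} names, "
              f"privileged={f['privileged_targeted']}, via {f['logon_types']}")
```

Run it against an exported Security log saved as text (the parser keys on the "Event Type:" line that starts each event) and raise the threshold until normal daytime noise drops out; the findings that remain, with RemoteInteractive as the logon type, are the RDP streams to pull from the capture by workstation and time window.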
