C
Catherine
Hi
We have an SBS 2003 R2 server, and the server performance report has listed
the following critical error in the security log:
Event ID 529 Total Occurences: 38,514
Logon Failure:
Reason: unknown user name or bad password
User name: (one of our staffers)
Logon Type: 3
Logon Process: NtLmSsp
Authentication package: NTLM
Workstation Name: (staffers PC)
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address (staffers IP address)
Source Port: 1460
I am not responsible for this server yet, but it will be handed over to me
in a few weeks. We have several users who use RWW, but this staffer is not
one of them. We also have a Sonic firewall, which has not shown any
intrusion alerts. I am wondering if this is a hack attempt, as this account
has been showing similar activity the last few weeks, but nothing of this
scale, or would it be a programme on the PC trying to contact the server for
updates (just guessing)? Any suggestions or pointers will be gratefully
received! BTW, I have only discovered this person NEVER powers down their PC
and sometimes has problems with their password being accepted, esp. when the
password policy cycles down to a new password changeover.
Thanks
Catherine
We have an SBS 2003 R2 server, and the server performance report has listed
the following critical error in the security log:
Event ID 529 Total Occurences: 38,514
Logon Failure:
Reason: unknown user name or bad password
User name: (one of our staffers)
Logon Type: 3
Logon Process: NtLmSsp
Authentication package: NTLM
Workstation Name: (staffers PC)
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address (staffers IP address)
Source Port: 1460
I am not responsible for this server yet, but it will be handed over to me
in a few weeks. We have several users who use RWW, but this staffer is not
one of them. We also have a Sonic firewall, which has not shown any
intrusion alerts. I am wondering if this is a hack attempt, as this account
has been showing similar activity the last few weeks, but nothing of this
scale, or would it be a programme on the PC trying to contact the server for
updates (just guessing)? Any suggestions or pointers will be gratefully
received! BTW, I have only discovered this person NEVER powers down their PC
and sometimes has problems with their password being accepted, esp. when the
password policy cycles down to a new password changeover.
Thanks
Catherine
