Trying to trace an unauthorized login


mrecomm101

I'm getting an Event ID of 529
The USER is listed as NT AUTHORITY/SYSTEM

Logon Failure:
Reason: Unknown user name or bad password
User Name: anna
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: JM-APPSERVER
Caller User Name: JM-APPSERVER$
Caller Domain: JACKSMAGIC
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 5128
Transited Services: -
Source Network Address: -
Source Port: -

I'm trying to see where this logon is coming from. I have nothing on the
firewall logs to indicate a remote access and the building was locked and
alarmed.

Any thoughts or suggestions?
 
It's a failed logon, which is generally less of a concern. Which process
on the server has PID 5128?

--
Svyatoslav Pidgorny, MCSE, RHCE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

 
mrecomm101 wrote:
> I'm getting an Event ID of 529
> The USER is listed as NT AUTHORITY/SYSTEM
>
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name: anna
> Domain:
> Logon Type: 3
> Logon Process: Advapi
> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Workstation Name: JM-APPSERVER
> Caller User Name: JM-APPSERVER$
> Caller Domain: JACKSMAGIC
> Caller Logon ID: (0x0,0x3E7)
> Caller Process ID: 5128
> Transited Services: -
> Source Network Address: -
> Source Port: -
>
> I'm trying to see where this logon is coming from. I have nothing on the
> firewall logs to indicate a remote access and the building was locked and
> alarmed.
>
> Any thoughts or suggestions?


I'm certainly _not_ a security expert but your report seems to be missing
some useful information -- such as day and time. Is there a possibility
that cleaners or service personnel would be in the building with physical
access to a computer despite "locked and alarmed"? I know of one case, a
long time ago and on a straight-up UNIX system where a night cleaner
brought her child with her on some nights and... Well, you know how kids are.

John McGaw
http://johnmcgaw.com
 
I have the same problem on SBS 2003. There are about 10000 events like
Event ID 529
Last Occurrence 11/4/2008 5:46 AM
Total Occurrences 13,687
Logon Failure:
Reason: Unknown user name or bad password
User Name: mike
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: DC0
Caller User Name: DC0$
Caller Domain: RU
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 2052
Transited Services: -
Source Network Address: -
Source Port: -

Process ID: 2052 - inetinfo.exe


--
Vitaly
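
An added example, not part of any post in this thread: a Python script that parses Event 529 descriptions pasted in the layout shown above, groups them by Caller Process ID, and reports whether the events carry a client address or leave only the caller process to follow up (as with PID 2052, which the last poster resolved to inetinfo.exe). The sample events are constructed; the user name `admin`, PID 716 and address 192.0.2.10 are made-up values.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the events posted in this thread.
# "admin" and the PID 716 / 192.0.2.10 event are made-up test values.
TEMPLATE = """Logon Failure:
 User Name: {user}
 Domain:
 Logon Type: 3
 Logon Process: Advapi
 Caller Logon ID: (0x0,0x3E7)
 Caller Process ID: {pid}
 Source Network Address: {src}
"""
ROWS = [("anna", "5128", "-"), ("mike", "2052", "-"),
        ("admin", "2052", "-"), ("anna", "716", "192.0.2.10")]
SAMPLE = "".join(TEMPLATE.format(user=u, pid=p, src=s) for u, p, s in ROWS)

FIELD = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(.*)$")

def parse_events(text):
    """Split pasted event text on 'Logon Failure:'; return one dict per event."""
    events = []
    for chunk in text.split("Logon Failure:")[1:]:
        fields = {}
        for line in chunk.splitlines():
            m = FIELD.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        events.append(fields)
    return events

def summarize(events):
    """Group failures by Caller Process ID; with no client address in the
    events, the caller process is the only lead to follow."""
    groups = defaultdict(lambda: {"count": 0, "users": set(), "sources": set()})
    for ev in events:
        g = groups[ev.get("Caller Process ID", "?")]
        g["count"] += 1
        g["users"].add(ev.get("User Name", ""))
        src = ev.get("Source Network Address", "-")
        if src not in ("", "-"):
            g["sources"].add(src)
    for g in groups.values():
        g["pivot"] = "source address" if g["sources"] else "caller process and its logs"
    return dict(groups)

if __name__ == "__main__":
    for pid, g in sorted(summarize(parse_events(SAMPLE)).items()):
        print(pid, g["count"], sorted(g["users"]), "->", g["pivot"])
```
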