am I being hacked or is something else going on?

G

Gary Massengale

event viewer is showing unsuccesful login attemps, sometimes user name is "
server ", sometimes " abc ", sometimes " data ". I have current antivirus,
and a firewall running, so I am curious as to what is causing these attempts
at 2 AM in the morning.

Below is what I keep seeing:


Event Type: Failure Audit

Event Source: Security

Event Category: Logon/Logoff

Event ID: 529

Date: 5/20/2004

Time: 2:04:10 AM

User: NT AUTHORITY\SYSTEM

Computer: MYSERVERNAME

Description:

Logon Failure:

Reason: Unknown user name or bad password

User Name: server

Domain:

Logon Type: 3

Logon Process: Advapi

Authentication Package:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Workstation Name: MYSERVERNAME
 
S

Steven L Umbach

Are you on a local network with other computers? Type 3 logon means someone is trying
to gain access from the network. Do you have any holes open in your firewall to offer
services to internet users such as a web server? I would suggest running Microsoft
Baseline Security Analyzer on your computer to check for vulnerabilities including
unneeded services and scan your firewall from a self scan site such as
http://scan.sygatetech.com/ to make sure it is not misconfigured and disable file and
print sharing if you are not offering shares to other computers on a network. Be
sure to do a full virus scan with latest definitions if you have not done that
yet. --- Steve

http://www.microsoft.com/technet/security/tools/mbsahome.mspx
http://www.microsoft.com/security/protect/
 
G

Gary Massengale

yes, it is on the local network. I have tested our firewall and cannot
find any unnecessary ports open, and we have a coporate antivirus solution
and the scans dont show infection on any of our PCs, and I will also try
your suggestions also,thanks.

One other thing, if it is somebody on our local network trying this, how can
I track down which workstation this person is using?

gary
 
S

Steven L Umbach

In event ID 529 the last line is the workstation that the bad logon attempt came from
but in your case it seems to be the computer that the event was logged on. I have
searched a bit and am not real sure about the " Logon Process: Advapi " as I
usually see ntlm or negotiate. Most of my search results mentioned OWA or Exchange
when Advapi was mentioned. --- Steve
 
G

Gary Massengale

we have an exchange server, and use OWA when away from the office, so
perhaps someone was trying to login to exchange remotely?

Thanks for the help. I at least have an idea what direction to go to in
researching this now.

gary
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

event id 529 logon type 3 - lots of them 1
Very strange username ... 3
Event id 529, and very strange username ! 1
537 errors due to manual services being started 0
Password checking is running-please help 3
Event ID 529 (did this come from the LAN) 1
Unexplained 540 Events in Security log on W2K workstation in a dom 0
Event 529 and 681 5

Top