am I being hacked or is something else going on?


Gary Massengale

event viewer is showing unsuccesful login attemps, sometimes user name is "
server ", sometimes " abc ", sometimes " data ". I have current antivirus,
and a firewall running, so I am curious as to what is causing these attempts
at 2 AM in the morning.

Below is what I keep seeing:

Event Type: Failure Audit

Event Source: Security

Event Category: Logon/Logoff

Event ID: 529

Date: 5/20/2004

Time: 2:04:10 AM




Logon Failure:

Reason: Unknown user name or bad password

User Name: server


Logon Type: 3

Logon Process: Advapi

Authentication Package:

Workstation Name: MYSERVERNAME

Steven L Umbach

Are you on a local network with other computers? Type 3 logon means someone is trying
to gain access from the network. Do you have any holes open in your firewall to offer
services to internet users such as a web server? I would suggest running Microsoft
Baseline Security Analyzer on your computer to check for vulnerabilities including
unneeded services and scan your firewall from a self scan site such as to make sure it is not misconfigured and disable file and
print sharing if you are not offering shares to other computers on a network. Be
sure to do a full virus scan with latest definitions if you have not done that
yet. --- Steve

Gary Massengale

yes, it is on the local network. I have tested our firewall and cannot
find any unnecessary ports open, and we have a coporate antivirus solution
and the scans dont show infection on any of our PCs, and I will also try
your suggestions also,thanks.

One other thing, if it is somebody on our local network trying this, how can
I track down which workstation this person is using?


Steven L Umbach

In event ID 529 the last line is the workstation that the bad logon attempt came from
but in your case it seems to be the computer that the event was logged on. I have
searched a bit and am not real sure about the " Logon Process: Advapi " as I
usually see ntlm or negotiate. Most of my search results mentioned OWA or Exchange
when Advapi was mentioned. --- Steve

Gary Massengale

we have an exchange server, and use OWA when away from the office, so
perhaps someone was trying to login to exchange remotely?

Thanks for the help. I at least have an idea what direction to go to in
researching this now.


Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question