Event 529 and 681

Rick · Mar 12, 2005

I have been getting a large amount of events 529 and 681 every three days or
so.
I get about 280 of these event in about a 5 minute span. Then nothing or 3
days or so and then again.

The server is ISA with N2H2 on it. The ISA is in Cache mode only it is only
used for web filtering and is behind the firewall. It also have Exchange
2000 SP3 on this server. It had been going fine for about a year and then
this started. The system functions fine I was just wondering about this.

Any ideas would be most appreciated!!!

Thanks in advance,

Rick

Here are the events in case you need that.

Alert in Event log: Security
Type: Audit Failure Date: 3/9/2005
Time: 04:45 PM Source: Security
Category: (2): Logon/Logoff Event ID: 529
User: S-1-5-18
Description:
Logon Failure:

Reason: Unknown user name or bad password

User Name: 33333333

Domain: Logon Type: 3

Logon Process: Advapi

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Workstation Name

server name removed)

Alert in Event log: Security
Type: Audit Failure Date: 3/9/2005
Time: 04:45 PM Source: Security
Category: (9): Account Logon Event ID: 681
User: S-1-5-18
Description:
The logon to account: 33333333

by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

from workstation: (server name removed)

failed. The error code was: 3221225572

Austin M. Horst · Mar 13, 2005

Roger Abell · Mar 13, 2005

Where are these shown as coming from ?
Are these for "dumb" account names that often do not exist?
or are they using the list of actual accounts ?

Rick · Mar 13, 2005

The accounts never exists in these groupings. I get about 280 with in 5
minutes.

Roger Abell · Mar 14, 2005

The events name the machine from which the login attempts
originate. There are tools out there that will hammer on a
system for as long as they are programmed to do, trying to
find username / password combinations that work.
All you have to do is have some exposed authentication
door, like a restricted access website, file shares, etc..
If the machine named is an internal machine, then go to it
and look for infection/malware.

Rick · Mar 14, 2005

That may be helpful I will look into that.

Thanks!!

event id 675, 681, 529 every 2, 2.5 minutes	2	Dec 2, 2003
Event ID 681 and 529	3	Jan 12, 2006
Security Event ID 529 & 681 / source= outside domains	1	Apr 22, 2004
680 & 529 Failure Audits	1	Sep 10, 2004
event id 529 logon type 3 - lots of them	1	Apr 26, 2005
Event id 529, and very strange username !	1	Jan 12, 2004
Event ID 681	3	Mar 9, 2005
Security log in Event Viewer shows Failure Audits from other pcs????	6	Apr 30, 2008

Event 529 and 681

Rick

Austin M. Horst

Roger Abell

Rick

Roger Abell

Rick

Ask a Question

Similar Threads