Event ID 529 (did this come from the LAN)

Bryan Bowers

Hello,

My client received 30 of the following event IDs on their
Exchange 2000 server within a few seconds of each other.
The server is properly firewalled (did a port scan) from
the internet. It appears that this attack could only have
come from the LAN, and I wanted to see if there is some other
possibility. The bad guy used username abc and
administrator as well.

--------

Event type: Failure audit
Event source: Security
Category: Logon/Logoff
Event ID: 529
Date: 10/17/2003
Time: 3:22:07 AM
User: NT authority\system
Computer: *******
Description:
Logon Failure:
Reason: Unknown users name or bad password
User Name: abc
Domain:
Logon Type: 3
Logon Process: advapi
Auth package:
Microsoft_Authentication_package_v1_0
Workstation name: *******
 
Steven L Umbach

Find out if the workstation name was something from his network. If it is,
then I would say probably yes. I am not familiar with the Logon Process:
advapi. It might be worthwhile to try to correlate the failed logon events
with the firewall logs if the times are pretty much in synch between the
two. I would also post in an Exchange specific newsgroup and search
http://google.com web AND groups for "event id 529 logon process advapi".
--- Steve
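
The time correlation suggested in the reply above, as an added example that is not part of the original thread: it matches Event ID 529 failures against allowed inbound firewall connections within a few seconds. The sample records, the firewall log format, the addresses, the host name and the function names are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed sample data: two 529 records in the layout quoted in the thread and
# firewall lines in an assumed "timestamp action proto src -> dst" format.
EVENTS = """\
Event ID: 529
Date: 10/17/2003
Time: 3:22:07 AM
User Name: abc
Logon Type: 3
Workstation name: HOST-A
--------
Event ID: 529
Date: 10/17/2003
Time: 3:22:41 AM
User Name: administrator
Logon Type: 3
Workstation name: HOST-A
"""
FIREWALL = """\
2003-10-17 03:22:05 ALLOW TCP 203.0.113.7:4312 -> 192.0.2.10:25
2003-10-17 03:22:40 DENY TCP 203.0.113.7:4313 -> 192.0.2.10:445
2003-10-17 03:25:30 ALLOW TCP 198.51.100.9:2201 -> 192.0.2.10:25
"""

def parse_events(text):
    """Turn 'Key: value' blocks into dicts with a parsed 'when' timestamp."""
    out = []
    for block in re.split(r"^-{4,}\s*$", text, flags=re.M):
        rec = dict(re.findall(r"^([^:\n]+):[ \t]*(.*)$", block, flags=re.M))
        if rec.get("Event ID") == "529":
            rec["when"] = datetime.strptime(rec["Date"] + " " + rec["Time"], "%m/%d/%Y %I:%M:%S %p")
            out.append(rec)
    return out

def parse_firewall(text, server="192.0.2.10"):
    """Keep only ALLOWed connections to the server as (time, source) pairs."""
    pat = re.compile(r"^(\S+ \S+) ALLOW \S+ (\S+) -> " + re.escape(server) + r":\d+$", re.M)
    return [(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), s) for t, s in pat.findall(text)]

def correlate(events, fw, window=5, skew=0):
    """Sources within +/-window s of each failure; skew = seconds the firewall clock runs ahead."""
    tol, off = timedelta(seconds=window), timedelta(seconds=skew)
    return [(e["when"].strftime("%H:%M:%S"), e["User Name"],
             [s for t, s in fw if abs(t - off - e["when"]) <= tol]) for e in events]

if __name__ == "__main__":
    for when, user, hits in correlate(parse_events(EVENTS), parse_firewall(FIREWALL)):
        print(when, user, hits or "no allowed inbound connection in window")
```

An empty list for a failure means no allowed inbound connection reached the server in that window; set `skew` from an event both logs share before relying on that result.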
 
