Help, strange failed login attempt

J

Jimbo

Im trying to isolate a failed login attempt to my domain that occurs once or
twice every few days. Below is the text of the event log failure:


The source of this one is Security and its Event ID is 529
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: SERVER
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: SERVER

The source of this one is Security and its Event ID is 681
The logon to account: Administrator
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: SERVER
failed. The error code was: 3221225578


I neither have a workstation named "SERVER" nor a domain. Is there a higher
level or debugging I can turn on in an attempt to find out more about this?
We are firewalled, etc and this box is on our internal LAN.
 
B

Bobby McMillan [MSFT]

Jimbo,

This is an attempt to access the server on which the event is logged.
Probably mapping a drive or the like. Do you have anyone RAS'ing in or
coming in over a VPN connection? the error code maps to "User logon with
misspelled or bad password"

The Key here is to see if you can find a trend and then attepmt to take a
trace based upon the trend.

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| From: "Jimbo" <[email protected]>
| Subject: Help, strange failed login attempt
| Date: Mon, 19 Jan 2004 13:53:52 -0600
|
|
| Im trying to isolate a failed login attempt to my domain that occurs once
or
| twice every few days. Below is the text of the event log failure:
|
|
| The source of this one is Security and its Event ID is 529
| Logon Failure:
| Reason: Unknown user name or bad password
| User Name: Administrator
| Domain: SERVER
| Logon Type: 3
| Logon Process: NtLmSsp
| Authentication Package: NTLM
| Workstation Name: SERVER
|
| The source of this one is Security and its Event ID is 681
| The logon to account: Administrator
| by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
| from workstation: SERVER
| failed. The error code was: 3221225578
|
|
| I neither have a workstation named "SERVER" nor a domain. Is there a
higher
| level or debugging I can turn on in an attempt to find out more about
this?
| We are firewalled, etc and this box is on our internal LAN.
|
|
|
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

event id 675, 681, 529 every 2, 2.5 minutes 2
Security Log Help 9
Password checking is running-please help 3
680 & 529 Failure Audits 1
Failure Audit Question 2
Event 529 and 681 5
change administrator password 1
537 errors due to manual services being started 0

Top