Help, strange failed login attempt

  • Thread starter Thread starter Jimbo
  • Start date Start date
J

Jimbo

Im trying to isolate a failed login attempt to my domain that occurs once or
twice every few days. Below is the text of the event log failure:


The source of this one is Security and its Event ID is 529
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: SERVER
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: SERVER

The source of this one is Security and its Event ID is 681
The logon to account: Administrator
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: SERVER
failed. The error code was: 3221225578


I neither have a workstation named "SERVER" nor a domain. Is there a higher
level or debugging I can turn on in an attempt to find out more about this?
We are firewalled, etc and this box is on our internal LAN.
 
Jimbo,

This is an attempt to access the server on which the event is logged.
Probably mapping a drive or the like. Do you have anyone RAS'ing in or
coming in over a VPN connection? the error code maps to "User logon with
misspelled or bad password"

The Key here is to see if you can find a trend and then attepmt to take a
trace based upon the trend.

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| From: "Jimbo" <[email protected]>
| Subject: Help, strange failed login attempt
| Date: Mon, 19 Jan 2004 13:53:52 -0600
|
|
| Im trying to isolate a failed login attempt to my domain that occurs once
or
| twice every few days. Below is the text of the event log failure:
|
|
| The source of this one is Security and its Event ID is 529
| Logon Failure:
| Reason: Unknown user name or bad password
| User Name: Administrator
| Domain: SERVER
| Logon Type: 3
| Logon Process: NtLmSsp
| Authentication Package: NTLM
| Workstation Name: SERVER
|
| The source of this one is Security and its Event ID is 681
| The logon to account: Administrator
| by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
| from workstation: SERVER
| failed. The error code was: 3221225578
|
|
| I neither have a workstation named "SERVER" nor a domain. Is there a
higher
| level or debugging I can turn on in an attempt to find out more about
this?
| We are firewalled, etc and this box is on our internal LAN.
|
|
|
 
You must log in or register to reply here.

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

event id 675, 681, 529 every 2, 2.5 minutes 2
Password checking is running-please help 3
Security Log Help 9
Failure Audit Question 2
680 & 529 Failure Audits 1
Event 529 and 681 5
Failure Audits in Event log question 1
537 errors due to manual services being started 0

Back
Top