Security Event 529

Jack Sienkiewicz

Recently I have noticed an abnormal increase in the number
of event 529 in the security log. The usernames that are
being tried are names from our domain, however the domain
and workstation names the requests are originating from are
not from our actual domain. The names change as well. One
day it is w2ksrv and the next it's morpheus for example.
(where there are **** I took out the actual information
which is correct) I was wondering if anyone has an idea as
to why these are more frequent and if there is any way to
trace and find out where they are coming from (like an IP
or any other information) Below is the information from
the event. Thanks.

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 10/22/2003
Time: 9:28:04 AM
User: NT AUTHORITY\SYSTEM
Computer: ******
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: *******
Domain: ZOLID-KC
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: ZOLID-KC
 
Steven L Umbach

I would check your firewall configuration as this indicates that someone may
have enumerated your user information via ports 139/445 and is trying to
gain access from an untrusted network. To find the IP address, you would
need to correlate information in the firewall log to the failed logons
making sure that the times of the devices are in synch. You can go to one of
the free online self scanning sites such as http://scan.sygatetech.com/ to
check for basic vulnerability. -- Steve
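
The time correlation described in the answer above, as an added example that is not part of the original thread: it matches event 529 timestamps against inbound connections to ports 139/445 in a firewall log, allowing for a small clock skew. The firewall log layout, the sample lines, the IP addresses, and the function names are constructed assumptions; adapt the parser to your firewall's actual format.

```python
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}  # ports named in the answer above

# Constructed firewall log (assumed layout:
# date time action proto src_ip dst_ip src_port dst_port)
FIREWALL_LOG = """\
2003-10-22 09:27:10 ALLOW TCP 198.51.100.7 192.0.2.10 3312 80
2003-10-22 09:28:03 ALLOW TCP 203.0.113.45 192.0.2.10 4312 445
2003-10-22 09:28:04 ALLOW TCP 203.0.113.45 192.0.2.10 4313 139
2003-10-22 09:41:30 ALLOW TCP 203.0.113.99 192.0.2.10 1055 445
"""

# Constructed failed logons using the Date/Time layout shown in event 529:
# (Date, Time, Workstation Name)
FAILED_LOGONS = [
    ("10/22/2003", "9:28:04 AM", "ZOLID-KC"),
    ("10/22/2003", "9:35:00 AM", "MORPHEUS"),
]

def parse_firewall(text):
    """Yield (timestamp, src_ip, dst_port) for inbound TCP 139/445 entries."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[3] != "TCP" or not f[7].isdigit():
            continue  # skip malformed or non-TCP lines
        if int(f[7]) in SMB_PORTS:
            ts = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S")
            yield ts, f[4], int(f[7])

def correlate(logons, fw_text, skew_seconds=5):
    """Map each failed logon to the source IPs seen within +/- skew of it."""
    conns = list(parse_firewall(fw_text))
    skew = timedelta(seconds=skew_seconds)
    result = {}
    for date, time, workstation in logons:
        when = datetime.strptime(date + " " + time, "%m/%d/%Y %I:%M:%S %p")
        ips = sorted({ip for ts, ip, _ in conns if abs(ts - when) <= skew})
        result[(when, workstation)] = ips
    return result

if __name__ == "__main__":
    for (when, ws), ips in correlate(FAILED_LOGONS, FIREWALL_LOG).items():
        print(when, ws, ips or "no matching connection (check clock sync)")
```

A failed logon with no matching connection usually means the two clocks differ by more than the skew window or the traffic did not cross the logged firewall.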
 
