unknown failure audits with logon process advapi

[Guest]

I get many of the following failure audits in the security logs:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 5/6/2005
Time: 8:04:53 AM
User: NT AUTHORITY\SYSTEM
Computer: DELL_SERVER
Description:
Logon Failure:
Reason: Unknown user name or bad password
User
Name: ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
Domain: DELL_SERVER
Logon Type: 2
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: DELL_SERVER

I am not sure if this is a virus?

Thanks for any reply.

 

[Steven Umbach]

I tend to doubt it is virus/trojan related as usually they will target the
administrator account. It is what the operating system considers a console logon
or logon that would use the user right logon locally. Is this server running IIS
or Exchange? Is the username the same all the time? That is a very strange name
to attempt a logon and makes me wonder what the motive is. I have seen users
reporting the same logon failure on computers running IIS. Note that by default
Windows 2000 installs and enables WWW service which you would want to disable if
you are not offering a website on that computer. If you have not done such yet
it would be a good idea to run the Microsoft Baseline Security Analyzer on your
computer and if running IIS to consider applying the IIS Lockdown/URLscan tool
after backing up the computer and IIS configuration. --- Steve

http://www.microsoft.com/technet/security/tools/mbsahome.mspx --- MBSA
http://www.microsoft.com/technet/security/tools/locktool.mspx

 

[Guest]

Based on the event entry, it looks like you have a program/process running
under the network service account (or local system) and is attempting to
logon using the advapi.dll LogonUser call.

I know it's been a while since you posted this, but hopefully you resolved
it. Just in case, I thought I'd point this out. I've been working on an
ASP.Net application that uses the DLL for user login via a web application.
Generally, you would want this web application running as a specific account
- not the local system or network service accounts. That way you can more
succinctly identify entries like the one you've posted.

HTH...

 

[redhatwatchguard]

Failure Logon Answer.

The reason you are seeing these logon failures is because someone is trying to authenticate on port 25 or VIA 80/443 to your server. If your server is a member of the domain you will also see the attempts on the domain controller. You can recreate these events by TELNETTing to port 25 and performing do the following commands:

1. Type o <your mail server domain> 25,and then press ENTER.
   
2. Type EHLO <your mail server domain>, and then press ENTER.
   
3. Type AUTH LOGIN. The server responds with an encrypted prompt for your user name.
   
4. Enter your user name encrypted in base 64. You can use one of several tools that are available to encode your user name.
   
5. The server responds with an encrypted base 64 prompt for your password. Enter your password encrypted in base 64.
   
6. Type MAIL FROM:<[email protected]>, and then press ENTER. If the sender is not permitted to send mail, the SMTP server returns an error.
   
7. Type RCPT TO:<[email protected]>,and then press ENTER.If the recipient is not a valid recipient or the server does not accept mail for this domain, the SMTP server returns an error.
   
8. Type DATA.
   

==RedhatWatchGuard==