Very strange username ...

T

Thomas

Hello all,

I get this eventid on our proxy-server:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 09/02/2004
Time: 15:34:20
User: NT AUTHORITY\SYSTEM
Computer: *****
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: dsgsgsdgirghrhefhgdu
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: *****

Any idea if this is a hacker? I don't think so because of the 'Advapi', but
which program is trying to log on with this strange username???: User Name:
dsgsgsdgirghrhefhgdu
 
B

Bobby McMillan [MSFT]

Thomas,

It is difficult to say if this is a "hacker" do you have control over the
computer that is listed in the event? If so take a look there. This
event just states that dsgsgsdgirghrhefhgdu attempted to logon over the
network. How often does this happen?


This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| From: "Thomas" <[email protected]>
| Subject: Very strange username ...
| Date: Mon, 9 Feb 2004 11:07:52 +0100
|
| Hello all,
| I get this eventid on our proxy-server:
| Event Type: Failure Audit
| Event Source: Security
| Event Category: Logon/Logoff
| Event ID: 529
| Date: 09/02/2004
| Time: 15:34:20
| User: NT AUTHORITY\SYSTEM
| Computer: *****
| Description:
| Logon Failure:
| Reason: Unknown user name or bad password
| User Name: dsgsgsdgirghrhefhgdu
| Domain:
| Logon Type: 3
| Logon Process: Advapi
| Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
| Workstation Name: *****
| Any idea if this is a hacker? I don't think so because of the 'Advapi',
but
| which program is trying to log on with this strange username???: User
Name:
| dsgsgsdgirghrhefhgdu
|
 
T

Thomas

Thx fot you reply,

Yes I have control over the server.
I get this events at these times:

09-02-04: 9h48

08-02-04: 15h23

05-02-04: 17h16

05-02-04: 9h16

04-02-04: 12h35

02-02-04: 20h51

So there is really nog logica in all these times ....

There are 2 programs running on the server: Vpop3 and Proxy+, but I don't
think it are those programs that are causing these strange events.

Any idea?
 
B

Bobby McMillan [MSFT]

Thomas,

I would start by making sure you are protected against intrusions from the
internet. Is this s secure network? On your firewall, what ports need to
be closed. If this is a protected network, and you are sure that this is
not coming from an external source, you may wish to investigate the use of
netlogon.log.

109626 Enabling Debug Logging for the Net Logon Service
http://support.microsoft.com/?id=109626



This posting is provided "AS IS" with no warranties, and confers no rights.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Event id 529, and very strange username ! 1
event id 529 logon type 3 - lots of them 1
am I being hacked or is something else going on? 4
Event ID 529 (did this come from the LAN) 1
change administrator password 1
Event 529 and 681 5
Password checking is running-please help 3
Unexplained 540 Events in Security log on W2K workstation in a dom 0

Top