Guest mrecomm101
Posted October 18, 2008

I'm getting an Event ID of 529
The USER is listed as NT AUTHORITY/SYSTEM

Logon Failure:
Reason: Unknown user name or bad password
User Name: anna
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: JM-APPSERVER
Caller User Name: JM-APPSERVER$
Caller Domain: JACKSMAGIC
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 5128
Transited Services: -
Source Network Address: -
Source Port: -

I'm trying to see where this logon is coming from. I have nothing on the firewall logs to indicate a remote access and the building was locked and alarmed.

Any thoughts or suggestions?

Guest S. Pidgorny
Posted October 18, 2008

It's a failed logon, which is generally less of a concern. Which process on the server has PID 5128?

--
Svyatoslav Pidgorny, MCSE, RHCE
-= F1 is the key =-
http://sl.mvps.org
http://msmvps.com/blogs/sp

mrecomm101 wrote:
> I'm getting an Event ID of 529
> The USER is listed as NT AUTHORITY/SYSTEM
>
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name: anna
> Domain:
> Logon Type: 3
> Logon Process: Advapi
> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Workstation Name: JM-APPSERVER
> Caller User Name: JM-APPSERVER$
> Caller Domain: JACKSMAGIC
> Caller Logon ID: (0x0,0x3E7)
> Caller Process ID: 5128
> Transited Services: -
> Source Network Address: -
> Source Port: -
>
> I'm trying to see where this logon is coming from. I have nothing on the
> firewall logs to indicate a remote access and the building was locked and
> alarmed.
>
> Any thoughts or suggestions?

Guest John McGaw
Posted October 18, 2008

mrecomm101 wrote:
> I'm getting an Event ID of 529
> The USER is listed as NT AUTHORITY/SYSTEM
>
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name: anna
> Domain:
> Logon Type: 3
> Logon Process: Advapi
> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Workstation Name: JM-APPSERVER
> Caller User Name: JM-APPSERVER$
> Caller Domain: JACKSMAGIC
> Caller Logon ID: (0x0,0x3E7)
> Caller Process ID: 5128
> Transited Services: -
> Source Network Address: -
> Source Port: -
>
> I'm trying to see where this logon is coming from. I have nothing on the
> firewall logs to indicate a remote access and the building was locked and
> alarmed.
>
> Any thoughts or suggestions?

I'm certainly _not_ a security expert but your report seems to be missing some useful information -- such as day and time. Is there a possibility that cleaners or service personnel would be in the building with physical access to a computer despite "locked and alarmed"? I know of one case, a long time ago and on a straight-up UNIX system where a night cleaner brought her child with her on some nights and... Well, you know how kids are.

John McGaw
http://johnmcgaw.com

Guest Vitaly
Posted November 5, 2008

I have the same problem on SBS 2003. There are about 10000 events like

Event ID 529
Last Occurrence 11/4/2008 5:46 AM
Total Occurrences 13,687

Logon Failure:
Reason: Unknown user name or bad password
User Name: mike
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: DC0
Caller User Name: DC0$
Caller Domain: RU
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 2052
Transited Services: -
Source Network Address: -
Source Port: -

Process ID: 2052 - inetinfo.exe

--
Vitaly
Vitaly's Profile: http://forums.techarena.in/members/vitaly.htm
View this thread: http://forums.techarena.in/microsoft-security/1057023.htm
http://forums.techarena.in
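
Added example, not part of any post in this thread: a Python script for the triage the replies point toward, parsing event 529 description text and grouping failures by user name and Caller Process ID. The sample events are constructed from the field values quoted above; the `PROCESSES` map and all function names are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample built from the field values quoted in the thread.
TEMPLATE = """Logon Failure:
Reason: Unknown user name or bad password
User Name: {user}
Domain:
Logon Type: 3
Logon Process: Advapi
Workstation Name: {host}
Caller User Name: {host}$
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: {pid}
Source Network Address: -
Source Port: -
"""
SAMPLE = ([TEMPLATE.format(user="mike", host="DC0", pid=2052)] * 3
          + [TEMPLATE.format(user="anna", host="JM-APPSERVER", pid=5128)])
# Assumed PID-to-image map, e.g. copied from a process listing taken on the server.
PROCESSES = {2052: "inetinfo.exe"}

FIELD_RE = re.compile(r"^[ \t]*([A-Za-z ]+?):[ \t]*(.*)$", re.MULTILINE)

def parse_529(text):
    """Return the 'Name: value' lines of one event description as a dict."""
    return {name.strip(): value.strip() for name, value in FIELD_RE.findall(text)}

def is_local_caller(fields):
    """True when a SYSTEM process on the logging host itself submitted the credentials."""
    return (fields.get("Caller Logon ID") == "(0x0,0x3E7)"
            and fields.get("Caller User Name", "").rstrip("$").upper()
                == fields.get("Workstation Name", "").upper()
            and fields.get("Source Network Address") == "-")

def summarize(events, processes):
    """Count failures per (user, caller PID, process image), most frequent first."""
    counts = Counter()
    for text in events:
        f = parse_529(text)
        pid = int(f["Caller Process ID"])
        counts[(f["User Name"], pid, processes.get(pid, "unknown"))] += 1
    return counts.most_common()

if __name__ == "__main__":
    for (user, pid, image), n in summarize(SAMPLE, PROCESSES):
        print(f"{n:>5}  user={user}  caller_pid={pid}  image={image}")
```

A PID-to-image map is only valid while the listed process is still running, since Windows reuses process IDs after a service or the server restarts.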