William Flavin
Over the past couple of weeks I've noticed the Security Event Log on
one of my Windows 2000 Domain Controllers filling up with these
events:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 9/19/2003
Time: 2:48:52 PM
User: NT AUTHORITY\SYSTEM
Computer: XXX-XXX
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: (an account in the domain admin group)
Domain: CHRISTO
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: CHRISTO
There are dozens of these events as it seems to attempt a logon with
every username in the domain admins group, locking out each account.
As I said, this happens once or twice a day. This server does not run
any web services and is not NATed to any public address in our
router/firewall. I just can't figure out where these logon attempts
are coming from. The Domain and Workstations listed in the events are
not from our network. These attempts must be coming from the internet,
but I can't figure out how. We do have some systems NATed to public
addresses, Win2K web servers and DNS servers running Linux. The server
in question has Service Pack 4 and is fully up-to-date with Windows
Updates. I've been searching for help with this, but haven't found any
meaningful information. I hope someone might have some insight. Thanks
in advance.
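One way to triage this from the defender's side, as an added example that is not part of the original post: export the Security log as text and look for the pattern the poster describes, a single reported workstation name failing Event ID 529 logons against many distinct accounts within a short window, and separately list every workstation/domain pair that is not in your own inventory. The parser below reads the plain-text event layout shown in the question; the sample log, the `DC1` computer name, the `OURDOM` domain, the `WS-FINANCE07` workstation and the `admin1`..`admin4` account names are all constructed for the illustration. A caveat the script encodes as a comment: with Logon Type 3 and NTLM, the Workstation Name and Domain fields are supplied by the remote client, so a foreign name tells you only that the source is not behaving like one of your own machines, not where it actually is; the firewall and router logs for the minutes around the burst are the evidence for that.

```python
"""Triage of exported Windows Security log text for Event ID 529 bursts.

Added illustration, not code from the original post. It parses the plain-text
event format shown in the question and flags a source that fails logons
against many distinct accounts in a short window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample shaped like the event text in the post. DC1, OURDOM,
# WS-FINANCE07 and adminN are placeholders, not values from the post.
_TEMPLATE = """Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: {date}
Time: {time}
User: NT AUTHORITY\\SYSTEM
Computer: DC1
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: {user}
Domain: {domain}
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: {wks}
"""


def _event(time, user, domain, wks, date="9/19/2003"):
    return _TEMPLATE.format(date=date, time=time, user=user, domain=domain, wks=wks)


SAMPLE_LOG = "\n".join([
    _event("2:48:52 PM", "admin1", "CHRISTO", "CHRISTO"),
    _event("2:48:53 PM", "admin2", "CHRISTO", "CHRISTO"),
    _event("2:48:55 PM", "admin3", "CHRISTO", "CHRISTO"),
    _event("2:48:56 PM", "admin4", "CHRISTO", "CHRISTO"),
    _event("3:10:07 PM", "jsmith", "OURDOM", "WS-FINANCE07"),  # one mistyped password
])

# Constructed inventory of names we expect to see in our own logons.
KNOWN_WORKSTATIONS = {"DC1", "WS-FINANCE07"}
KNOWN_DOMAINS = {"OURDOM"}

_FIELD = re.compile(
    r"^\s*(Event ID|Date|Time|User Name|Domain|Logon Type|Workstation Name):\s*(.*)$",
    re.M,
)


def parse_events(text):
    """Split exported log text into events and keep only Event ID 529."""
    events = []
    for chunk in re.split(r"\n(?=Event Type:)", text.strip()):
        fields = dict(_FIELD.findall(chunk))
        if fields.get("Event ID") != "529":
            continue
        when = datetime.strptime(fields["Date"] + " " + fields["Time"],
                                 "%m/%d/%Y %I:%M:%S %p")
        events.append({"when": when, "user": fields["User Name"],
                       "domain": fields["Domain"], "logon_type": fields["Logon Type"],
                       "workstation": fields["Workstation Name"]})
    return sorted(events, key=lambda e: e["when"])


def find_sweeps(events, window=timedelta(minutes=5), min_accounts=3):
    """Report (domain, workstation) sources that failed against at least
    `min_accounts` distinct accounts inside any `window`-long span."""
    by_source = defaultdict(list)
    for e in events:
        by_source[(e["domain"], e["workstation"])].append(e)
    sweeps = {}
    for src, evs in by_source.items():
        for i, start in enumerate(evs):  # evs already in time order
            users = {e["user"] for e in evs[i:] if e["when"] - start["when"] <= window}
            if len(users) >= min_accounts:
                sweeps[src] = {"accounts": sorted(users), "first": start["when"],
                               "count": len(evs)}
                break
    return sweeps


def foreign_sources(events):
    """Sources whose self-reported workstation or domain is not ours. For
    Logon Type 3 / NTLM these names come from the client, so this only says
    the source does not look like our machine, not where it really is."""
    return sorted({(e["domain"], e["workstation"]) for e in events
                   if e["workstation"].upper() not in KNOWN_WORKSTATIONS
                   or e["domain"].upper() not in KNOWN_DOMAINS})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for src, info in find_sweeps(evs).items():
        print("sweep from %s/%s starting %s: %d failures against %s"
              % (src[0], src[1], info["first"], info["count"], info["accounts"]))
    print("sources not in inventory:", foreign_sources(evs))
```

Run against a real export, lower `min_accounts` if your domain admins group is small, and correlate the `first` timestamp of each sweep with the perimeter logs; the account-lockout policy is what turns a burst like this into a denial of service against the admin accounts, so the lockout threshold and duration are worth reviewing alongside the source hunt.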