Jack Sienkiewicz
Recently I have noticed an abnormal increase in the number
of event 529 in the security log. The usernames that are
being tried are names from our domain, however the domain
and workstation names the requests are originating from are
not from our actual domain. The names change as well. One
day it is w2ksrv and the next it's morpheus, for example.
(Where there are **** I took out the actual information,
which is correct.) I was wondering if anyone has an idea as
to why these are more frequent and if there is any way to
trace and find out where they are coming from (like an IP
or any other information). Below is the information from
the event. Thanks.
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 10/22/2003
Time: 9:28:04 AM
User: NT AUTHORITY\SYSTEM
Computer: ******
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: *******
Domain: ZOLID-KC
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: ZOLID-KC
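
One way to triage events like the one quoted above, as an added example that is not part of the original post: it parses records in that text layout and groups event 529 failures by the workstation name they claim, skipping hosts you recognise. The user names, the HQ-PC01 host and the function names are constructed for illustration; ZOLID-KC and W2KSRV are names mentioned in the post.

```python
import re
from collections import defaultdict

# Constructed sample records in the text layout of the event quoted above.
TEMPLATE = """Event Type: Failure Audit
Event ID: {eid}
Date: {date}
Time: 9:28:04 AM
Logon Failure:
Reason: Unknown user name or bad password
User Name: {user}
Domain: {origin}
Logon Type: 3
Workstation Name: {origin}
"""
ROWS = [("529", "10/22/2003", "alice", "ZOLID-KC"),   # constructed values
        ("529", "10/22/2003", "bob", "ZOLID-KC"),
        ("529", "10/23/2003", "alice", "W2KSRV"),
        ("529", "10/23/2003", "carol", "HQ-PC01")]     # a host we recognise
SAMPLE = "".join(TEMPLATE.format(eid=e, date=d, user=u, origin=o)
                 for e, d, u, o in ROWS)

FIELD = re.compile(r"^\s*([A-Za-z /]+?):\s*(.*)$")

def parse_events(text):
    """Split exported text into one dict per record (starts at 'Event Type')."""
    events, cur = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Event Type":
            cur = {}
            events.append(cur)
        if cur is not None:
            cur[key] = val
    return events

def unknown_origins(events, known_hosts):
    """Group 529 failures by claimed workstation name, skipping known hosts."""
    groups = defaultdict(lambda: {"count": 0, "users": set(), "dates": set()})
    for e in events:
        host = e.get("Workstation Name", "?").upper()
        if e.get("Event ID") != "529" or host in known_hosts:
            continue
        groups[host]["count"] += 1
        groups[host]["users"].add(e.get("User Name", "?"))
        groups[host]["dates"].add(e.get("Date", "?"))
    return dict(groups)

if __name__ == "__main__":
    for host, g in unknown_origins(parse_events(SAMPLE), {"HQ-PC01"}).items():
        print(host, g["count"], sorted(g["users"]), sorted(g["dates"]))
```

The workstation name in an NTLM logon is supplied by the client, so the grouping shows which names are being presented and when, not a verified source.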