Re: Unknown User Logon attempt

From: Samhain_Knight (samhain.knight_at_gmail.com)
Date: 07/11/05


Date: Mon, 11 Jul 2005 08:15:07 -0700

I found the service that was causing the event. I started restarting
non-essential services one by one until I found the service that was
generating the security event. It turned out to be a service from Adaptec. The
server has an Adaptec RAID card. I installed Adaptec's RAID management utility
on the server also. It is a browser-based utility to manage your RAID. It
installs 3 services; one named "Adaptec Storage Manager Notifier" was set to
log on as local service and would generate the event every time I restarted
it. Why it was trying to use an account called "Secret" I have no idea, but
it sure was a suspicious name. Well, I don't believe it's anything malicious,
so I have disabled the service; I wasn't using that function anyway. Very
strange.

Thanks a lot Steve for your help; you definitely pointed me in the right
direction on this! Great advice!
Keep on Keepin On.
"Steven L Umbach" wrote:

> There is a free tool from SysInternals called Autoruns that may help you, as
> it certainly looks like it is a local startup process. It shows the various
> startup programs that are on your computer and also gives you the ability
> to disable them individually, which you may need to do in a trial-and-error
> method to try and track down what is causing your problem. It also could be
> a non-essential service that is not used to boot into safe mode. Use
> services.msc to check your services and look in the "Log On As" column to see
> if you can see anything there that may help. You can also selectively
> disable services with msconfig. If you are using Windows 2000 you will not
> have msconfig, but you can download it from the internet. --- Steve
>
> http://www.sysinternals.com/Utilities/Autoruns.html --- Autoruns
> http://www.perfectdrivers.com/howto/msconfig.html --- Msconfig
>
> "Samhain_Knight" <samhain.knight@gmail.com> wrote in message
> news:F64A7BF1-543A-4F21-932D-94BD7FD84E0E@microsoft.com...
> > I cleared the event log, shut down, unplugged the network cable, powered on,
> > and logged in using domain credentials. The same event is shown for user
> > "Secret". I then rebooted and logged into safe mode, keeping the network
> > cable unplugged, and I didn't receive the event? Since the cable is
> > unplugged, this must be a local process generated on the server? There are
> > no mapped drives on this server either? Any more input would be appreciated!
> >
> > Thanks!!!
> >
> > "Steven L Umbach" wrote:
> >
> >> Try booting into safe mode to see if those events are recorded or not. More
> >> than likely something is using that user account. You could also try
> >> rebooting with the computer disconnected from the network to see if those
> >> events are recorded, and if they are you know for sure it is internally
> >> generated. I would also be sure to run a full system scan for malware. There
> >> is a tool that is used to troubleshoot account lockouts that may help, as it
> >> creates a log that shows when a user is trying to authenticate and the
> >> associated process, with times recorded to match to the security log. Also
> >> check to see if any mapped drives have persistent credentials associated
> >> with them. The link below is to the alockout.dll tool [be sure to read the
> >> warning] and other documentation and tools that normally are used to track
> >> domain account lockouts but still have helpful information. I would also
> >> temporarily enable auditing of object access, privilege use, and process
> >> tracking for failure on that server to see if that helps pinpoint what is
> >> going on. --- Steve
> >>
> >>
> >>
> >>
> >> "Samhain_Knight" <Samhain_Knight@discussions.microsoft.com> wrote in
> >> message
> >> news:F8BC53E0-A105-4EDA-9BEB-90A614273641@microsoft.com...
> >> > I'm trying to track down a user logon attempt on one of my servers.
> >> > W2k AD environment.
> >> > Whenever I reboot one of my member servers I get an event 681/529. What
> >> > scares me is that the username attempting to log on is called "secret". I
> >> > know for sure it's not a domain user account nor a local user account on
> >> > the server. I'm trying to find more info on this user. I only receive this
> >> > event when I reboot the server, as if it's a service starting up. I don't
> >> > see any unknown services running on the server though. Any suggestions how
> >> > to best troubleshoot this? Here's a copy of the event:
> >> >
> >> > Event Type: Failure Audit
> >> > Event Source: Security
> >> > Event Category: Logon/Logoff
> >> > Event ID: 529
> >> > Date: 6/11/2005
> >> > Time: 9:10:31 AM
> >> > User: NT AUTHORITY\SYSTEM
> >> > Computer: EVANS10
> >> > Description:
> >> > Logon Failure:
> >> > Reason: Unknown user name or bad password
> >> > User Name: Secret
> >> > Domain:
> >> > Logon Type: 2
> >> > Logon Process: Advapi
> >> > Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> >> > Workstation Name: "member server"
> >> >
> >> > Event Type: Failure Audit
> >> > Event Source: Security
> >> > Event Category: Account Logon
> >> > Event ID: 681
> >> > Date: 6/11/2005
> >> > Time: 9:10:31 AM
> >> > User: NT AUTHORITY\SYSTEM
> >> > Computer: member server
> >> > Description:
> >> > The logon to account: Secret
> >> > by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> >> > from workstation: member server
> >> > failed. The error code was: 3221225572
> >> >
> >> > Thanks
> >> >
> >>
> >>
> >>
>
>
>
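The 529/681 pair quoted in the original question can be triaged mechanically. The following Python is an added example and is not from anyone in this thread: it parses the event text as pasted (quote prefixes removed), pairs 529 with 681 on time and account, decodes the decimal error code 3221225572 to its NTSTATUS name, and flags Logon Process "Advapi" as a local caller, which is what points at a service's stored credential rather than the network. The sample records are constructed from the events above and trimmed to the fields used.

```python
import re
# Constructed sample modelled on the thread's 529/681 pair (quote prefixes removed,
# trimmed to the fields used here); records are separated by a blank line.
SAMPLE = """\
Event ID: 529
Time: 9:10:31 AM
User Name: Secret
Logon Type: 2
Logon Process: Advapi

Event ID: 681
Time: 9:10:31 AM
The logon to account: Secret
failed. The error code was: 3221225572
"""
# 681 prints the NTSTATUS in decimal; 529 carries the logon type as a small integer.
NTSTATUS = {0xC0000064: "STATUS_NO_SUCH_USER", 0xC000006A: "STATUS_WRONG_PASSWORD",
            0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT"}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service"}

def parse_events(text):
    """Split pasted event text into dicts keyed by each line's 'Label:' prefix."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, val = line.partition(":")
            if sep:
                fields[key.strip()] = val.strip()
        events.append(fields)
    return events

def triage(text):
    """Pair each 529 with its 681 on (time, account) and decode what the pair says."""
    pairs = {}
    for ev in parse_events(text):
        account = ev.get("User Name") or ev.get("The logon to account")
        pairs.setdefault((ev.get("Time"), account), {})[ev.get("Event ID")] = ev
    findings = []
    for (time, account), pair in pairs.items():
        e529, e681 = pair.get("529", {}), pair.get("681", {})
        code = int(e681.get("failed. The error code was", "0"))
        ltype = int(e529.get("Logon Type", "0"))
        findings.append({"account": account, "time": time,
            "status": NTSTATUS.get(code, hex(code)),
            "logon_type": LOGON_TYPES.get(ltype, str(ltype)),
            # Advapi = a local process called LogonUser(); with STATUS_NO_SUCH_USER
            # at boot, check services' "Log On As" before suspecting the network.
            "local_process": e529.get("Logon Process") == "Advapi"})
    return findings
```

Running `triage(SAMPLE)` on the constructed pair yields one finding for "Secret" with status STATUS_NO_SUCH_USER, an Interactive logon type, and local_process set, matching the service-account explanation the thread arrived at.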