Re: Unknown User Logon attempt

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 07/11/05


Date: Mon, 11 Jul 2005 10:57:09 -0500

Excellent. Mystery solved. Curious that the account name was secret as you
said. Anyhow good job and thanks for reporting back what worked! --- Steve

"Samhain_Knight" <samhain.knight@gmail.com> wrote in message
news:5869C896-F63C-4EFF-B601-EE67C466725E@microsoft.com...
> I found the service that was causing the event. I started restarting
> non-essential services one by one until I found the service that was
> generating the security event. It turned out to be a service from Adaptec.
> The server has an Adaptec RAID card. I installed Adaptec's RAID management
> utility on the server also. It is a browser-based utility to manage your
> RAID. It installs 3 services; one named "Adaptec Storage Manager Notifier"
> was set to log on as local service and would generate the event every time
> I restarted it. Why it was trying to use an account called "Secret" I have
> no idea, but it sure was a suspicious name. Well, I don't believe it's
> anything malicious, so I have disabled the service; I wasn't using that
> function anyways. Very strange.
>
> Thanks a lot Steve for your help, you definitely pointed me in the right
> direction on this! Great advice!
> Keep on Keepin' On.
> "Steven L Umbach" wrote:
>
>> There is a free tool from SysInternals called Autoruns that may help you,
>> as it certainly looks like it is a local startup process. It shows the
>> various start-up programs that are on your computer and also gives you the
>> ability to disable them individually, which you may need to do in a trial
>> and error method to try and track down what is causing your problem. It
>> also could be a non-essential service that is not used to boot into safe
>> mode. Use services.msc to check your services and look in the "log on as"
>> column to see if you can see anything there that may help. You can also
>> selectively disable services with msconfig. If you are using Windows 2000
>> you will not have msconfig, but you can download it from the internet. ---
>> Steve
>>
>> http://www.sysinternals.com/Utilities/Autoruns.html --- Autoruns
>> http://www.perfectdrivers.com/howto/msconfig.html --- Msconfig
>>
>> "Samhain_Knight" <samhain.knight@gmail.com> wrote in message
>> news:F64A7BF1-543A-4F21-932D-94BD7FD84E0E@microsoft.com...
>> > I cleared the event log, shut down, unplugged the network cable, powered
>> > on, and logged in using domain credentials. The same event is shown for
>> > user "Secret". I then rebooted and logged into safe mode, keeping the
>> > network cable unplugged, and I didn't receive the event. Since the cable
>> > is unplugged, this must be a local process generated on the server? There
>> > are no mapped drives on this server either. Any more input would be
>> > appreciated!
>> >
>> > Thanks!!!
>> >
>> > "Steven L Umbach" wrote:
>> >
>> >> Try booting into safe mode to see whether those events are recorded or
>> >> not. More than likely something is using that user account. You could
>> >> also try rebooting with the computer disconnected from the network to
>> >> see if those events are recorded, and if they are you know for sure it
>> >> is internally generated. I would also be sure to run a full system scan
>> >> for malware. There is a tool that is used to troubleshoot account
>> >> lockouts that may help, as it creates a log that shows when a user is
>> >> trying to authenticate and the associated process, with times recorded
>> >> to match to the security log. Also check to see if any mapped drives
>> >> have persistent credentials associated with them. The link below is to
>> >> the alockout.dll tool [be sure to read the warning] and other
>> >> documentation and tools that normally are used to track domain account
>> >> lockouts but still have helpful information. I would also temporarily
>> >> enable auditing of object access, privilege use, and process tracking
>> >> for failure on that server to see if that helps pinpoint what is going
>> >> on. --- Steve
>> >>
>> >>
>> >>
>> >>
>> >> "Samhain_Knight" <Samhain_Knight@discussions.microsoft.com> wrote in
>> >> message
>> >> news:F8BC53E0-A105-4EDA-9BEB-90A614273641@microsoft.com...
>> >> > I'm trying to track down a user logon attempt on one of my servers.
>> >> > W2k AD environment.
>> >> > Whenever I reboot one of my member servers I get an event 681/529.
>> >> > What scares me is that the username attempting to logon is called
>> >> > "secret". I know for sure it's not a domain user account nor a local
>> >> > user account on the server. I'm trying to find more info on this user.
>> >> > I only receive this event when I reboot the server, as if it's a
>> >> > service starting up. I don't see any unknown services running on the
>> >> > server though. Any suggestions how to best troubleshoot this? Here's a
>> >> > copy of the event:
>> >> >
>> >> > Event Type: Failure Audit
>> >> > Event Source: Security
>> >> > Event Category: Logon/Logoff
>> >> > Event ID: 529
>> >> > Date: 6/11/2005
>> >> > Time: 9:10:31 AM
>> >> > User: NT AUTHORITY\SYSTEM
>> >> > Computer: EVANS10
>> >> > Description:
>> >> > Logon Failure:
>> >> > Reason: Unknown user name or bad password
>> >> > User Name: Secret
>> >> > Domain:
>> >> > Logon Type: 2
>> >> > Logon Process: Advapi
>> >> > Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>> >> > Workstation Name: "member server"
>> >> >
>> >> > Event Type: Failure Audit
>> >> > Event Source: Security
>> >> > Event Category: Account Logon
>> >> > Event ID: 681
>> >> > Date: 6/11/2005
>> >> > Time: 9:10:31 AM
>> >> > User: NT AUTHORITY\SYSTEM
>> >> > Computer: member server
>> >> > Description:
>> >> > The logon to account: Secret
>> >> > by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>> >> > from workstation: member server
>> >> > failed. The error code was: 3221225572
>> >> >
>> >> > Thanks
>> >> >
>> >>
>> >>
>> >>
>>
>>
>>
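As an added example (not part of this thread, and not Adaptec's or Microsoft's code), here is a small Python triage script for the kind of failure-audit pair quoted above. It parses exported Windows 2000/2003 security-log text, decodes the decimal "error code" of the 681 Account Logon event into its NTSTATUS value (3221225572 is 0xC0000064, STATUS_NO_SUCH_USER, which is why a non-existent "Secret" account is reported rather than a bad password), pairs it with the 529 Logon/Logoff event logged at the same second for the same account, and flags a 529 with Logon Type 2 and Logon Process Advapi under NT AUTHORITY\SYSTEM as a local process calling the LogonUser API, which is exactly the service-account situation the thread ends up finding. The two sample records are transcribed from the original post; the function names, field names and assessment strings are my own and are not any tool's output.

```python
import re
from typing import Dict, List

# NTSTATUS values that the 681 Account Logon failure audit prints in decimal.
NTSTATUS_MEANINGS = {
    0xC0000064: "STATUS_NO_SUCH_USER: the account name does not exist",
    0xC000006A: "STATUS_WRONG_PASSWORD: account exists, password is wrong",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000193: "STATUS_ACCOUNT_EXPIRED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Logon Type values recorded by the 529 Logon/Logoff failure audit.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}

# Sample input transcribed from the thread's original post (quote marks removed).
SAMPLE_EVENTS = r"""
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 6/11/2005
Time: 9:10:31 AM
User: NT AUTHORITY\SYSTEM
Computer: EVANS10
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Secret
Domain:
Logon Type: 2
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: "member server"

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 681
Date: 6/11/2005
Time: 9:10:31 AM
User: NT AUTHORITY\SYSTEM
Computer: member server
Description:
The logon to account: Secret
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: member server
failed. The error code was: 3221225572
"""

# Field extractors (hypothetical names chosen for this example), one per record.
_FIELD_PATTERNS = {
    "event_id": r"Event ID:\s*(\d+)",
    "date": r"Date:\s*(\S+)",
    "time": r"Time:\s*(.+?)\s*$",
    "caller": r"^User:\s*(.+?)\s*$",          # the account that made the call
    "user_name": r"User Name:\s*(\S+)",        # 529: account being tried
    "account": r"The logon to account:\s*(\S+)",  # 681: account being tried
    "logon_type": r"Logon Type:\s*(\d+)",
    "logon_process": r"Logon Process:\s*(\S+)",
    "error_code": r"error code was:\s*(\d+)",
}


def decode_error_code(decimal_code: int) -> str:
    """Map the decimal error code of a 681 event to its NTSTATUS name."""
    return NTSTATUS_MEANINGS.get(decimal_code, f"unknown NTSTATUS 0x{decimal_code:08X}")


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split exported event-log text on blank lines and pull the key fields."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        if "Event ID:" not in chunk:
            continue
        record = {}
        for name, pattern in _FIELD_PATTERNS.items():
            match = re.search(pattern, chunk, re.MULTILINE)
            if match:
                record[name] = match.group(1)
        events.append(record)
    return events


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Pair each 681 with the 529 logged at the same second for the same
    account, decode the failure reason, and say where the attempt came from."""
    logon_failures = [e for e in events if e.get("event_id") == "529"]
    findings = []
    for e in events:
        if e.get("event_id") != "681":
            continue
        code = int(e["error_code"])
        finding = {"account": e["account"], "ntstatus": f"0x{code:08X}",
                   "error": decode_error_code(code)}
        match = next((f for f in logon_failures
                      if f.get("user_name", "").lower() == e["account"].lower()
                      and f.get("date") == e.get("date")
                      and f.get("time") == e.get("time")), None)
        if match:
            finding["logon_type"] = LOGON_TYPES.get(int(match["logon_type"]), match["logon_type"])
            finding["logon_process"] = match["logon_process"]
            # Advapi = a process called LogonUser(); caller SYSTEM = it ran locally
            # with system rights, typically a service or startup item.
            local = (match["logon_process"].lower() == "advapi"
                     and match.get("caller", "").upper().endswith("SYSTEM"))
            finding["origin"] = ("local process running as SYSTEM called LogonUser(); "
                                 "check service 'Log On As' accounts and startup items"
                                 if local else "not a local API logon; review the network source")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in triage(parse_events(SAMPLE_EVENTS)):
        for key, value in finding.items():
            print(f"{key:14}: {value}")
```

Run it against a text export of the Security log (Event Viewer's "Save As" text format produces the same `Field: value` layout) and each 681/529 pair becomes one finding. The NTSTATUS table is deliberately short; the distinction that matters here is STATUS_NO_SUCH_USER versus STATUS_WRONG_PASSWORD, since the former tells you the name itself is unknown to the server and the domain, exactly what the poster had already confirmed by hand.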

