Re: Server 2003 failed logon/logoff audit records

---

• From: "Arek Iskra [MVP]" <NoSpam_arek@xxxxxxxxxxxxx>
• Date: Sat, 3 Dec 2005 11:44:43 +0800

---

<danielhopkins@xxxxxxxxx> wrote in message news:1133558959.542177.58150@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

I am running Server 2003 Standard edition as a public webserver.
Recently the server has been experiencing numerous login attempts
resulting in the following audit log:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: 12/2/2005
Time: 7:54:35 AM
User: NT AUTHORITY\SYSTEM
Computer: LONGS
Description:
Logon Failure:
 Reason: An error occurred during logon
 User Name: IUSR_WINSERVER2003
 Domain: *****
 Logon Type: 3
 Logon Process: ?Q
 Authentication Package: NTLM
 Workstation Name: *****
 Status code: 0xC000006D
 Substatus code: 0x0
 Caller User Name: -
 Caller Domain: -
 Caller Logon ID: -
 Caller Process ID: -
 Transited Services: -
 Source Network Address: **.***.***.***
 Source Port: 0

The question I have is, how is this logon event occurring?  The source
network address has the ip of the server itself, which would seem to
mean that whoever (or whatever) is trying to login is doing so from the
actual machine?

What does the ?Q mean as a logon proccess?

Any answers or links would be much appreciated.

Thanks much,
Dan Hopkins

Is this server running IIS? The logon account is the IUSR_<server name>. Someone (or something - an application or process for example) seems to be failing to authenticate.

--
Arek Iskra
MVP for Windows Server - Software Distribution

.

---

• Follow-Ups:
  • Re: Server 2003 failed logon/logoff audit records
    • From: danielhopkins@xxxxxxxxx

• References:
  • Server 2003 failed logon/logoff audit records
    • From: danielhopkins@xxxxxxxxx

• Prev by Date: Re: Access to Secure "Documents & Settings" in Removed Hard drive
• Next by Date: Re: Standard way to remember passwords
• Previous by thread: Server 2003 failed logon/logoff audit records
• Next by thread: Re: Server 2003 failed logon/logoff audit records
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: SBS Randomly Shuts Down! ... Event Type: Error ... Computer: SERVER ... Event Source: MSExchangeDSAccess ... An error occurred during logon ... (microsoft.public.windows.server.sbs) Re: Interesting IIS problem... ... | Computer: MACHINENAME ... | DCOM got error "Logon failure: user not allowed to log on to this ... | Event Source: W3SVC ... | The server failed to load application '/LM/W3SVC/1/ROOT'. ... (microsoft.public.inetserver.iis.security) Re: SBS Randomly Shuts Down! ... inspection the server has shut itself off! ... Event Type: Error ... Event Source: MSExchangeDSAccess ... An error occurred during logon ... (microsoft.public.windows.server.sbs) users can not access TS PLEASE HELP ... member server Server2 TS Application mode no DC ... Remote Desktop User ... Event Source: Security ... Special privileges assigned to new logon: ... (microsoft.public.windows.terminal_services) security log events ... Event Type: Success Audit ... Event Source: Security ... Special privileges assigned to new logon: ... User Name: SERVER$ ... (microsoft.public.windows.server.general)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > microsoft.public.security  > 2005-12