Re: am I being hacked or is something else going on?

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 05/22/04


Date: Sat, 22 May 2004 01:46:27 GMT

In event ID 529 the last line is the workstation that the bad logon attempt came from,
but in your case it seems to be the computer that the event was logged on. I have
searched a bit and am not real sure about the "Logon Process: Advapi" as I
usually see NTLM or Negotiate. Most of my search results mentioned OWA or Exchange
when Advapi was mentioned. --- Steve

"Gary Massengale" <garym_jnospam@hotmail.com> wrote in message
news:OP8VYkzPEHA.1340@TK2MSFTNGP12.phx.gbl...
> Yes, it is on the local network. I have tested our firewall and cannot
> find any unnecessary ports open, and we have a corporate antivirus solution
> and the scans don't show infection on any of our PCs, and I will also try
> your suggestions also, thanks.
>
> One other thing, if it is somebody on our local network trying this, how can
> I track down which workstation this person is using?
>
> gary
>
>
>
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:LLbrc.87773$iF6.7516024@attbi_s02...
> > Are you on a local network with other computers? Type 3 logon means someone is trying
> > to gain access from the network. Do you have any holes open in your firewall to offer
> > services to internet users such as a web server? I would suggest running Microsoft
> > Baseline Security Analyzer on your computer to check for vulnerabilities including
> > unneeded services and scan your firewall from a self scan site such as
> > http://scan.sygatetech.com/ to make sure it is not misconfigured and disable file and
> > print sharing if you are not offering shares to other computers on a network. Be
> > sure to do a full virus scan with latest definitions if you have not done that
> > yet. --- Steve
> >
> > http://www.microsoft.com/technet/security/tools/mbsahome.mspx
> > http://www.microsoft.com/security/protect/
> >
> > "Gary Massengale" <garym_jnospam@hotmail.com> wrote in message
> > news:OveepMpPEHA.556@tk2msftngp13.phx.gbl...
> > > Event viewer is showing unsuccessful login attempts, sometimes user name is
> > > "server", sometimes "abc", sometimes "data". I have current antivirus,
> > > and a firewall running, so I am curious as to what is causing these attempts
> > > at 2 AM in the morning.
> > >
> > > Below is what I keep seeing:
> > >
> > >
> > > Event Type: Failure Audit
> > > Event Source: Security
> > > Event Category: Logon/Logoff
> > > Event ID: 529
> > > Date: 5/20/2004
> > > Time: 2:04:10 AM
> > > User: NT AUTHORITY\SYSTEM
> > > Computer: MYSERVERNAME
> > > Description:
> > > Logon Failure:
> > > Reason: Unknown user name or bad password
> > > User Name: server
> > > Domain:
> > > Logon Type: 3
> > > Logon Process: Advapi
> > > Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> > > Workstation Name: MYSERVERNAME
> > >
> >
> >
>
>
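
Added example, not part of the original thread and not written by either poster: a small Python parser for event 529 text copied out of Event Viewer that applies the check Steve describes, comparing the last line (Workstation Name) with the computer that logged the event. The function names and result labels are assumptions made for this illustration, and the sample event is constructed from the one quoted in the thread.

```python
import re

# Constructed sample: event 529 text as quoted in the thread (abridged), with one
# value wrapped onto its own line, as happens when such text passes through mail.
SAMPLE_EVENT = """\
Event ID: 529
Time: 2:04:10 AM
User: NT AUTHORITY\\SYSTEM
Computer: MYSERVERNAME
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: server
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: MYSERVERNAME
"""

# "Name: value"; the lazy name match stops at the first colon ("Time: 2:04:10 AM").
FIELD = re.compile(r"^([A-Za-z][A-Za-z /]*?):[ \t]*(.*)$")

def parse_event(text):
    """Return {field: value} from event text copied out of Event Viewer."""
    fields, last = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("> \t").rstrip()   # drop mail quote markers and indent
        if not line:
            continue
        m = FIELD.match(line)
        if m:
            last = m.group(1).strip()
            fields[last] = m.group(2).strip()
        elif last is not None:               # wrapped continuation of a value
            fields[last] = (fields[last] + " " + line).strip()
    return fields

def triage(fields):
    """Classify a failed logon (event 529) by the origin its last line names."""
    if fields.get("Event ID") != "529" or fields.get("Logon Type") != "3":
        return "not-network-529"
    source = fields.get("Workstation Name", "").lstrip("\\").upper()
    if not source:
        return "source-unknown"
    if source == fields.get("Computer", "").upper():
        return "logged-on-self"              # the case seen in this thread
    return "remote:" + source
```

A result of `logged-on-self` means the Workstation Name field cannot be used to trace the originating machine, which is the situation in this thread.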


