Questionable Failed Logon Events

From: R. Troy MacVay (MacVay_at_discussions.microsoft.com)
Date: 12/31/04


Date: Fri, 31 Dec 2004 08:07:01 -0800

We have a SBS 2003 Server and I am seeing some strange logon failures in the
Security log. What bothers me is that they appear to be coming from inside
the network. This is a small network and these events are happening over
Christmas as well when I know there is no one in the office.

If anyone can shed some light on this I would greatly appreciate it. Here
are the details:

The attempts are just guessing at account names such as Test, Webmaster,
Admin We normaly see these type of events for people trying to log in to OWA
but when I do a test to replicate, I get a different set of log events.

Here are the events:

Event 680

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 12/28/2004
Time: 11:33:43 AM
User: NT AUTHORITY\SYSTEM
Computer: (MyServer)
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account: webmaster
 Source Workstation: (MyServer)
 Error Code: 0xC0000064

Event 529

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 12/28/2004
Time: 11:33:43 AM
User: NT AUTHORITY\SYSTEM
Computer: (MyServer)
Description:
Logon Failure:
         Reason: Unknown user name or bad password
         User Name: webmaster
         Domain:
         Logon Type: 3
         Logon Process: Advapi
         Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
         Workstation Name: (MyServer)
         Caller User Name: (MyServer)$
         Caller Domain: pbfrasernet
         Caller Logon ID: (0x0,0x3E7)
         Caller Process ID: 7636
         Transited Services: -
         Source Network Address: -
         Source Port: -

Where are these attempts comign from? From the logon type it appears that
they are coming from inside the network.

Can someone help?

Thanks in Advance