Security Event Log Failure Audit 681

Archived from groups: microsoft.public.win2000.security

We have been getting 100s of these Failure Audit logs on a daily
basis in our security event log for the past couple of weeks. They are
showing up on our Win 2000 SP4 application/database server. The user
is a current domain user but not a local user on the server. The
workstation, however, is not in our domain. What is bothering me is
that it is trying to log in from a machine that has the same name as a
current user. I have scanned for viruses and spyware on both the
server and the user's workstation, but came up empty on both searches.

The server is part of a 2000 domain and the user logs into an NT
domain. The user doesn't have a mapped drive to the server, but
accesses our main application that resides on the server on a daily
basis.

Below is an example of what we have been seeing.

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 681
Date: 6/11/2004
Time: 6:12:17 AM
User: NT AUTHORITY\SYSTEM
Computer: Server-1 <---(Application/DB server)
Description:
The logon to account: NICKH <---(current user)
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: \\NICKH <---(not a current workstation)
failed. The error code was: 3221225572

Thanks in advance for any advice,
  1. Archived from groups: microsoft.public.win2000.security

    Although I can't offer any advice on this, the same thing
    started happening to me yesterday on our network. We are
    running Windows 2000 Advanced Server SP4 and I noted
    yesterday a little over 2,000 entries in the security log
    in our event viewer on the server within a 20-30 minute
    time period. The Event ID is 681 just as you reported
    with a slightly different error code (I'm also getting
    error code 529 in the event viewer logs as well).
    However, the logon account/user name is the network
    administrator name that I created when I set up the
    server, but the domain and the workstation name are the
    same names which ARE NOT names that I have used on the
    network at any point in time. Today, I received a little
    over 1,000 attempts with a different domain and
    workstation name. The weird thing is that this is
    happening around the same time - in the morning around 9
    AM or so until 11 AM. The attempts are repeated and then
    they stop.

    I have Norton's Anti-virus installed and updated and it
    has found no threats.

    I have not found any reason that this is occurring at this
    point, but it seems similar to what is happening with your
    server.

    If I come across a solution, I'll certainly post it here.
    Does anyone else have any clue to what might be happening?


  2. Archived from groups: microsoft.public.win2000.security

    That sounds like a hack attempt on the administrator account using computers
    from possibly the internet. I would check your firewall configuration to make
    sure it is correct. The best way is to try and scan your network from the
    outside. Another alternative is to try a self scan site such as
    http://scan.sygatetech.com/ . You should have file and print sharing disabled on
    any network adapter connected directly to the internet. Looking in your firewall
    logs for traffic at the time of the failed logons may help in determining if a
    hack is coming from the internet and what ports are used. Of course you want
    your firewall device and server times right on synch. --- Steve


    "Michele" <vnachs@supernet.com> wrote in message
    news:24db401c45fbc$5dbb8fc0$a401280a@phx.gbl...
    > Although I can't offer any advice on this, the same thing
    > started happening to me yesterday on our network. We are
    > running Windows 2000 Advanced Server SP4 and I noted
    > yesterday a little over 2,000 entries in the security log
    > in our event viewer on the server within a 20-30 minute
    > time period. The Event ID is 681 just as you reported
    > with a slightly different error code (I'm also getting
    > error code 529 in the event viewer logs as well).
    > However, the logon account/user name is the network
    > administrator name that I created when I set up the
    > server, but the domain and the workstation name are the
    > same names which ARE NOT names that I have used on the
    > network at any point in time. Today, I received a little
    > over 1,000 attempts with a different domain and
    > workstation name. The weird thing is that this is
    > happening around the same time - in the morning around 9
    > AM or so until 11 AM. The attempts are repeated and then
    > they stop.
    >
    > I have Norton's Anti-virus installed and updated and it
    > has found no threats.
    >
    > I have not found any reason that this is occurring at this
    > point, but it seems similar to what is happening with your
    > server.
    >
    > If I come across a solution, I'll certainly post it here.
    > Does anyone else have any clue to what might be happening?
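Added example, not part of any post in the thread: the decimal error code in the Event 681 text is an NTSTATUS value (3221225572 is 0xC0000064, STATUS_NO_SUCH_USER), and the script below decodes it and groups failures per account, workstation and hour to give time windows to compare with firewall logs, as the last reply suggests. The sample records are constructed in the layout quoted above; EXAMPLEUSER and EXAMPLE-PC are hypothetical names.

```python
import re
from collections import defaultdict
from datetime import datetime

# Logon-failure NTSTATUS values (names as defined in ntstatus.h).
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
# One Event 681 record in the text layout quoted in the thread.
RECORD = re.compile(
    r"Date:\s*(?P<date>\S+)\s+Time:\s*(?P<time>\d+:\d+:\d+ [AP]M).*?"
    r"logon to account:\s*(?P<account>\S+).*?"
    r"from workstation:\s*(?P<ws>\S+).*?"
    r"error code was:\s*(?P<code>\d+)", re.S)

def decode_status(decimal_code):
    """Map the decimal code in the event text to (hex, NTSTATUS name)."""
    value = int(decimal_code) & 0xFFFFFFFF
    return f"0x{value:08X}", NTSTATUS.get(value, "UNKNOWN")

def parse_681(text):
    """Yield one dict per Event 681 record found in exported log text."""
    for m in RECORD.finditer(text):
        when = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M:%S %p")
        status_hex, status = decode_status(m["code"])
        yield {"when": when, "account": m["account"], "workstation": m["ws"],
               "status_hex": status_hex, "status": status}

def bursts(events, threshold=3):
    """Group failures by (account, workstation, hour); return the groups with
    at least `threshold` events as {key: (first, last, count)}."""
    groups = defaultdict(list)
    for e in events:
        hour = e["when"].replace(minute=0, second=0)
        groups[(e["account"], e["workstation"], hour)].append(e["when"])
    return {k: (min(v), max(v), len(v)) for k, v in groups.items() if len(v) >= threshold}

def _rec(time, account, ws, code):  # builds one constructed sample record
    return (f"Event ID: 681\nDate: 6/11/2004\nTime: {time}\n"
            f"The logon to account: {account}\n by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
            f" from workstation: \\\\{ws}\n failed. The error code was: {code}\n\n")

# Constructed sample: three failures like the thread's, plus one unrelated (hypothetical) one.
SAMPLE = "".join(_rec(*r) for r in [
    ("6:12:17 AM", "NICKH", "NICKH", 3221225572), ("6:12:41 AM", "NICKH", "NICKH", 3221225572),
    ("6:13:05 AM", "NICKH", "NICKH", 3221225572), ("9:40:02 AM", "EXAMPLEUSER", "EXAMPLE-PC", 3221225578)])

if __name__ == "__main__":
    for key, (first, last, count) in bursts(parse_681(SAMPLE)).items():
        print(key[0], key[1], first, last, count)
```

The first and last timestamps of each reported group are the window to look up in the firewall log, which is only meaningful when the firewall and server clocks agree.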