Event 529 and 681

Rick · Mar 12, 2005

Archived from groups: microsoft.public.win2000.security (More info?)

I have been getting a large amount of events 529 and 681 every three days or
so.
I get about 280 of these event in about a 5 minute span. Then nothing or 3
days or so and then again.

The server is ISA with N2H2 on it. The ISA is in Cache mode only it is only
used for web filtering and is behind the firewall. It also have Exchange
2000 SP3 on this server. It had been going fine for about a year and then
this started. The system functions fine I was just wondering about this.

Any ideas would be most appreciated!!!

Thanks in advance,

Rick

Here are the events in case you need that.

Alert in Event log: Security
Type: Audit Failure Date: 3/9/2005
Time: 04:45 PM Source: Security
Category: (2): Logon/Logoff Event ID: 529
User: S-1-5-18
Description:
Logon Failure:

Reason: Unknown user name or bad password

User Name: 33333333

Domain: Logon Type: 3

Logon Process: Advapi

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Workstation Name

server name removed)

Alert in Event log: Security
Type: Audit Failure Date: 3/9/2005
Time: 04:45 PM Source: Security
Category: (9): Account Logon Event ID: 681
User: S-1-5-18
Description:
The logon to account: 33333333

by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

from workstation: (server name removed)

failed. The error code was: 3221225572

Guest · Mar 13, 2005

Guest · Mar 13, 2005

Archived from groups: microsoft.public.win2000.security (More info?)

Where are these shown as coming from ?
Are these for "dumb" account names that often do not exist?
or are they using the list of actual accounts ?
--
Roger
"Rick" <rick@di-wave.com> wrote in message
news:eZGWTSyJFHA.3340@TK2MSFTNGP14.phx.gbl...
> I have been getting a large amount of events 529 and 681 every three days
or
> so.
> I get about 280 of these event in about a 5 minute span. Then nothing or 3
> days or so and then again.
>
> The server is ISA with N2H2 on it. The ISA is in Cache mode only it is
only
> used for web filtering and is behind the firewall. It also have Exchange
> 2000 SP3 on this server. It had been going fine for about a year and then
> this started. The system functions fine I was just wondering about this.
>
> Any ideas would be most appreciated!!!
>
> Thanks in advance,
>
> Rick
>
> Here are the events in case you need that.
>
> Alert in Event log: Security
> Type: Audit Failure Date: 3/9/2005
> Time: 04:45 PM Source: Security
> Category: (2): Logon/Logoff Event ID: 529
> User: S-1-5-18
> Description:
> Logon Failure:
>
> Reason: Unknown user name or bad password
>
> User Name: 33333333
>
> Domain: Logon Type: 3
>
> Logon Process: Advapi
>
> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>
> Workstation Name

server name removed)
>
>
> Alert in Event log: Security
> Type: Audit Failure Date: 3/9/2005
> Time: 04:45 PM Source: Security
> Category: (9): Account Logon Event ID: 681
> User: S-1-5-18
> Description:
> The logon to account: 33333333
>
> by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>
> from workstation: (server name removed)
>
> failed. The error code was: 3221225572
>
>
>

Rick · Mar 13, 2005

Archived from groups: microsoft.public.win2000.security (More info?)

The accounts never exists in these groupings. I get about 280 with in 5
minutes.

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:%237aUwd%23JFHA.580@TK2MSFTNGP15.phx.gbl...
> Where are these shown as coming from ?
> Are these for "dumb" account names that often do not exist?
> or are they using the list of actual accounts ?
> --
> Roger
> "Rick" <rick@di-wave.com> wrote in message
> news:eZGWTSyJFHA.3340@TK2MSFTNGP14.phx.gbl...
>> I have been getting a large amount of events 529 and 681 every three days
> or
>> so.
>> I get about 280 of these event in about a 5 minute span. Then nothing or
>> 3
>> days or so and then again.
>>
>> The server is ISA with N2H2 on it. The ISA is in Cache mode only it is
> only
>> used for web filtering and is behind the firewall. It also have Exchange
>> 2000 SP3 on this server. It had been going fine for about a year and then
>> this started. The system functions fine I was just wondering about this.
>>
>> Any ideas would be most appreciated!!!
>>
>> Thanks in advance,
>>
>> Rick
>>
>> Here are the events in case you need that.
>>
>> Alert in Event log: Security
>> Type: Audit Failure Date: 3/9/2005
>> Time: 04:45 PM Source: Security
>> Category: (2): Logon/Logoff Event ID: 529
>> User: S-1-5-18
>> Description:
>> Logon Failure:
>>
>> Reason: Unknown user name or bad password
>>
>> User Name: 33333333
>>
>> Domain: Logon Type: 3
>>
>> Logon Process: Advapi
>>
>> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>>
>> Workstation Name

server name removed)
>>
>>
>> Alert in Event log: Security
>> Type: Audit Failure Date: 3/9/2005
>> Time: 04:45 PM Source: Security
>> Category: (9): Account Logon Event ID: 681
>> User: S-1-5-18
>> Description:
>> The logon to account: 33333333
>>
>> by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>>
>> from workstation: (server name removed)
>>
>> failed. The error code was: 3221225572
>>
>>
>>
>
>

Guest · Mar 13, 2005

Archived from groups: microsoft.public.win2000.security (More info?)

The events name the machine from which the login attempts
originate. There are tools out there that will hammer on a
system for as long as they are programmed to do, trying to
find username / password combinations that work.
All you have to do is have some exposed authentication
door, like a restricted access website, file shares, etc..
If the machine named is an internal machine, then go to it
and look for infection/malware.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Rick" <rick@di-wave.com> wrote in message
news:%23jmlhWCKFHA.4028@tk2msftngp13.phx.gbl...
> The accounts never exists in these groupings. I get about 280 with in 5
> minutes.
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:%237aUwd%23JFHA.580@TK2MSFTNGP15.phx.gbl...
> > Where are these shown as coming from ?
> > Are these for "dumb" account names that often do not exist?
> > or are they using the list of actual accounts ?
> > --
> > Roger
> > "Rick" <rick@di-wave.com> wrote in message
> > news:eZGWTSyJFHA.3340@TK2MSFTNGP14.phx.gbl...
> >> I have been getting a large amount of events 529 and 681 every three
days
> > or
> >> so.
> >> I get about 280 of these event in about a 5 minute span. Then nothing
or
> >> 3
> >> days or so and then again.
> >>
> >> The server is ISA with N2H2 on it. The ISA is in Cache mode only it is
> > only
> >> used for web filtering and is behind the firewall. It also have
Exchange
> >> 2000 SP3 on this server. It had been going fine for about a year and
then
> >> this started. The system functions fine I was just wondering about
this.
> >>
> >> Any ideas would be most appreciated!!!
> >>
> >> Thanks in advance,
> >>
> >> Rick
> >>
> >> Here are the events in case you need that.
> >>
> >> Alert in Event log: Security
> >> Type: Audit Failure Date: 3/9/2005
> >> Time: 04:45 PM Source: Security
> >> Category: (2): Logon/Logoff Event ID: 529
> >> User: S-1-5-18
> >> Description:
> >> Logon Failure:
> >>
> >> Reason: Unknown user name or bad password
> >>
> >> User Name: 33333333
> >>
> >> Domain: Logon Type: 3
> >>
> >> Logon Process: Advapi
> >>
> >> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> >>
> >> Workstation Name

server name removed)
> >>
> >>
> >> Alert in Event log: Security
> >> Type: Audit Failure Date: 3/9/2005
> >> Time: 04:45 PM Source: Security
> >> Category: (9): Account Logon Event ID: 681
> >> User: S-1-5-18
> >> Description:
> >> The logon to account: 33333333
> >>
> >> by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> >>
> >> from workstation: (server name removed)
> >>
> >> failed. The error code was: 3221225572
> >>
> >>
> >>
> >
> >
>
>

Rick · Mar 14, 2005

Archived from groups: microsoft.public.win2000.security (More info?)

That may be helpful I will look into that.

Thanks!!

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:uxx$C4CKFHA.3992@TK2MSFTNGP15.phx.gbl...
> The events name the machine from which the login attempts
> originate. There are tools out there that will hammer on a
> system for as long as they are programmed to do, trying to
> find username / password combinations that work.
> All you have to do is have some exposed authentication
> door, like a restricted access website, file shares, etc..
> If the machine named is an internal machine, then go to it
> and look for infection/malware.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Rick" <rick@di-wave.com> wrote in message
> news:%23jmlhWCKFHA.4028@tk2msftngp13.phx.gbl...
>> The accounts never exists in these groupings. I get about 280 with in 5
>> minutes.
>>
>> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
>> news:%237aUwd%23JFHA.580@TK2MSFTNGP15.phx.gbl...
>> > Where are these shown as coming from ?
>> > Are these for "dumb" account names that often do not exist?
>> > or are they using the list of actual accounts ?
>> > --
>> > Roger
>> > "Rick" <rick@di-wave.com> wrote in message
>> > news:eZGWTSyJFHA.3340@TK2MSFTNGP14.phx.gbl...
>> >> I have been getting a large amount of events 529 and 681 every three
> days
>> > or
>> >> so.
>> >> I get about 280 of these event in about a 5 minute span. Then nothing
> or
>> >> 3
>> >> days or so and then again.
>> >>
>> >> The server is ISA with N2H2 on it. The ISA is in Cache mode only it is
>> > only
>> >> used for web filtering and is behind the firewall. It also have
> Exchange
>> >> 2000 SP3 on this server. It had been going fine for about a year and
> then
>> >> this started. The system functions fine I was just wondering about
> this.
>> >>
>> >> Any ideas would be most appreciated!!!
>> >>
>> >> Thanks in advance,
>> >>
>> >> Rick
>> >>
>> >> Here are the events in case you need that.
>> >>
>> >> Alert in Event log: Security
>> >> Type: Audit Failure Date: 3/9/2005
>> >> Time: 04:45 PM Source: Security
>> >> Category: (2): Logon/Logoff Event ID: 529
>> >> User: S-1-5-18
>> >> Description:
>> >> Logon Failure:
>> >>
>> >> Reason: Unknown user name or bad password
>> >>
>> >> User Name: 33333333
>> >>
>> >> Domain: Logon Type: 3
>> >>
>> >> Logon Process: Advapi
>> >>
>> >> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>> >>
>> >> Workstation Name

server name removed)
>> >>
>> >>
>> >> Alert in Event log: Security
>> >> Type: Audit Failure Date: 3/9/2005
>> >> Time: 04:45 PM Source: Security
>> >> Category: (9): Account Logon Event ID: 681
>> >> User: S-1-5-18
>> >> Description:
>> >> The logon to account: 33333333
>> >>
>> >> by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>> >>
>> >> from workstation: (server name removed)
>> >>
>> >> failed. The error code was: 3221225572
>> >>
>> >>
>> >>
>> >
>> >
>>
>>
>
>

Search

Event 529 and 681

Rick

Distinguished

Guest

Guest

Guest

Guest

Rick

Distinguished

Guest

Guest

Rick

Distinguished

TRENDING THREADS

Latest posts

Moderators online

Share this page