Sign in with
Sign up | Sign in
Your question

Event 529 and 681

Tags:
Last response: in Windows 2000/NT
Share
March 12, 2005 11:57:30 AM

Archived from groups: microsoft.public.win2000.security (More info?)

I have been getting a large amount of events 529 and 681 every three days or
so.
I get about 280 of these event in about a 5 minute span. Then nothing or 3
days or so and then again.

The server is ISA with N2H2 on it. The ISA is in Cache mode only it is only
used for web filtering and is behind the firewall. It also have Exchange
2000 SP3 on this server. It had been going fine for about a year and then
this started. The system functions fine I was just wondering about this.

Any ideas would be most appreciated!!!

Thanks in advance,

Rick

Here are the events in case you need that.

Alert in Event log: Security
Type: Audit Failure Date: 3/9/2005
Time: 04:45 PM Source: Security
Category: (2): Logon/Logoff Event ID: 529
User: S-1-5-18
Description:
Logon Failure:

Reason: Unknown user name or bad password

User Name: 33333333

Domain: Logon Type: 3

Logon Process: Advapi

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Workstation Name:( server name removed)


Alert in Event log: Security
Type: Audit Failure Date: 3/9/2005
Time: 04:45 PM Source: Security
Category: (9): Account Logon Event ID: 681
User: S-1-5-18
Description:
The logon to account: 33333333

by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

from workstation: (server name removed)

failed. The error code was: 3221225572

More about : event 529 681

Anonymous
March 13, 2005 11:36:39 AM

Archived from groups: microsoft.public.win2000.security (More info?)

----------------
Event ID 529
----------------

http://www.eventid.net/display.asp?eventid=529&eventno=...

http://support.microsoft.com/default.aspx?scid=kb;en-us;159792
http://support.microsoft.com/default.aspx?scid=kb;en-us;159969
http://support.microsoft.com/default.aspx?scid=kb;en-us;171148
http://support.microsoft.com/default.aspx?scid=kb;en-us;172402
http://support.microsoft.com/default.aspx?scid=kb;en-us;174073
http://support.microsoft.com/default.aspx?scid=kb;en-us;174074
http://support.microsoft.com/default.aspx?scid=kb;en-us;238372
http://support.microsoft.com/default.aspx?scid=kb;en-us;239869
http://support.microsoft.com/default.aspx?scid=kb;en-us;272594
http://support.microsoft.com/default.aspx?scid=kb;en-us;287639
http://support.microsoft.com/default.aspx?scid=kb;en-us;290706
http://support.microsoft.com/default.aspx?scid=kb;en-us;299352
http://support.microsoft.com/default.aspx?scid=kb;en-us;305822
http://support.microsoft.com/default.aspx?scid=kb;en-us;312827
http://support.microsoft.com/default.aspx?scid=kb;en-us;326985
http://support.microsoft.com/default.aspx?scid=kb;en-us;328720
http://support.microsoft.com/default.aspx?scid=kb;en-us;811082
http://support.microsoft.com/default.aspx?scid=kb;en-us;824209
http://support.microsoft.com/default.aspx?scid=kb;en-us;890477

----------------
Event ID 681
----------------

http://www.eventid.net/display.asp?eventid=681&eventno=...

http://support.microsoft.com/default.aspx?scid=kb;en-us;174074
http://support.microsoft.com/default.aspx?scid=kb;en-us;272594
http://support.microsoft.com/default.aspx?scid=kb;en-us;273499
http://support.microsoft.com/default.aspx?scid=kb;en-us;287626
http://support.microsoft.com/default.aspx?scid=kb;en-us;297989
http://support.microsoft.com/default.aspx?scid=kb;en-us;321448
http://support.microsoft.com/default.aspx?scid=kb;en-us;326985
http://support.microsoft.com/default.aspx?scid=kb;en-us;824209
http://support.microsoft.com/default.aspx?scid=kb;en-us;837142


Austin M. Horst
Anonymous
March 13, 2005 12:16:16 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Where are these shown as coming from ?
Are these for "dumb" account names that often do not exist?
or are they using the list of actual accounts ?
--
Roger
"Rick" <rick@di-wave.com> wrote in message
news:eZGWTSyJFHA.3340@TK2MSFTNGP14.phx.gbl...
> I have been getting a large amount of events 529 and 681 every three days
or
> so.
> I get about 280 of these event in about a 5 minute span. Then nothing or 3
> days or so and then again.
>
> The server is ISA with N2H2 on it. The ISA is in Cache mode only it is
only
> used for web filtering and is behind the firewall. It also have Exchange
> 2000 SP3 on this server. It had been going fine for about a year and then
> this started. The system functions fine I was just wondering about this.
>
> Any ideas would be most appreciated!!!
>
> Thanks in advance,
>
> Rick
>
> Here are the events in case you need that.
>
> Alert in Event log: Security
> Type: Audit Failure Date: 3/9/2005
> Time: 04:45 PM Source: Security
> Category: (2): Logon/Logoff Event ID: 529
> User: S-1-5-18
> Description:
> Logon Failure:
>
> Reason: Unknown user name or bad password
>
> User Name: 33333333
>
> Domain: Logon Type: 3
>
> Logon Process: Advapi
>
> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>
> Workstation Name:( server name removed)
>
>
> Alert in Event log: Security
> Type: Audit Failure Date: 3/9/2005
> Time: 04:45 PM Source: Security
> Category: (9): Account Logon Event ID: 681
> User: S-1-5-18
> Description:
> The logon to account: 33333333
>
> by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>
> from workstation: (server name removed)
>
> failed. The error code was: 3221225572
>
>
>
Related resources
March 13, 2005 6:37:36 PM

Archived from groups: microsoft.public.win2000.security (More info?)

The accounts never exists in these groupings. I get about 280 with in 5
minutes.

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:%237aUwd%23JFHA.580@TK2MSFTNGP15.phx.gbl...
> Where are these shown as coming from ?
> Are these for "dumb" account names that often do not exist?
> or are they using the list of actual accounts ?
> --
> Roger
> "Rick" <rick@di-wave.com> wrote in message
> news:eZGWTSyJFHA.3340@TK2MSFTNGP14.phx.gbl...
>> I have been getting a large amount of events 529 and 681 every three days
> or
>> so.
>> I get about 280 of these event in about a 5 minute span. Then nothing or
>> 3
>> days or so and then again.
>>
>> The server is ISA with N2H2 on it. The ISA is in Cache mode only it is
> only
>> used for web filtering and is behind the firewall. It also have Exchange
>> 2000 SP3 on this server. It had been going fine for about a year and then
>> this started. The system functions fine I was just wondering about this.
>>
>> Any ideas would be most appreciated!!!
>>
>> Thanks in advance,
>>
>> Rick
>>
>> Here are the events in case you need that.
>>
>> Alert in Event log: Security
>> Type: Audit Failure Date: 3/9/2005
>> Time: 04:45 PM Source: Security
>> Category: (2): Logon/Logoff Event ID: 529
>> User: S-1-5-18
>> Description:
>> Logon Failure:
>>
>> Reason: Unknown user name or bad password
>>
>> User Name: 33333333
>>
>> Domain: Logon Type: 3
>>
>> Logon Process: Advapi
>>
>> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>>
>> Workstation Name:( server name removed)
>>
>>
>> Alert in Event log: Security
>> Type: Audit Failure Date: 3/9/2005
>> Time: 04:45 PM Source: Security
>> Category: (9): Account Logon Event ID: 681
>> User: S-1-5-18
>> Description:
>> The logon to account: 33333333
>>
>> by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>>
>> from workstation: (server name removed)
>>
>> failed. The error code was: 3221225572
>>
>>
>>
>
>
Anonymous
March 13, 2005 8:41:28 PM

Archived from groups: microsoft.public.win2000.security (More info?)

The events name the machine from which the login attempts
originate. There are tools out there that will hammer on a
system for as long as they are programmed to do, trying to
find username / password combinations that work.
All you have to do is have some exposed authentication
door, like a restricted access website, file shares, etc..
If the machine named is an internal machine, then go to it
and look for infection/malware.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Rick" <rick@di-wave.com> wrote in message
news:%23jmlhWCKFHA.4028@tk2msftngp13.phx.gbl...
> The accounts never exists in these groupings. I get about 280 with in 5
> minutes.
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:%237aUwd%23JFHA.580@TK2MSFTNGP15.phx.gbl...
> > Where are these shown as coming from ?
> > Are these for "dumb" account names that often do not exist?
> > or are they using the list of actual accounts ?
> > --
> > Roger
> > "Rick" <rick@di-wave.com> wrote in message
> > news:eZGWTSyJFHA.3340@TK2MSFTNGP14.phx.gbl...
> >> I have been getting a large amount of events 529 and 681 every three
days
> > or
> >> so.
> >> I get about 280 of these event in about a 5 minute span. Then nothing
or
> >> 3
> >> days or so and then again.
> >>
> >> The server is ISA with N2H2 on it. The ISA is in Cache mode only it is
> > only
> >> used for web filtering and is behind the firewall. It also have
Exchange
> >> 2000 SP3 on this server. It had been going fine for about a year and
then
> >> this started. The system functions fine I was just wondering about
this.
> >>
> >> Any ideas would be most appreciated!!!
> >>
> >> Thanks in advance,
> >>
> >> Rick
> >>
> >> Here are the events in case you need that.
> >>
> >> Alert in Event log: Security
> >> Type: Audit Failure Date: 3/9/2005
> >> Time: 04:45 PM Source: Security
> >> Category: (2): Logon/Logoff Event ID: 529
> >> User: S-1-5-18
> >> Description:
> >> Logon Failure:
> >>
> >> Reason: Unknown user name or bad password
> >>
> >> User Name: 33333333
> >>
> >> Domain: Logon Type: 3
> >>
> >> Logon Process: Advapi
> >>
> >> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> >>
> >> Workstation Name:( server name removed)
> >>
> >>
> >> Alert in Event log: Security
> >> Type: Audit Failure Date: 3/9/2005
> >> Time: 04:45 PM Source: Security
> >> Category: (9): Account Logon Event ID: 681
> >> User: S-1-5-18
> >> Description:
> >> The logon to account: 33333333
> >>
> >> by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> >>
> >> from workstation: (server name removed)
> >>
> >> failed. The error code was: 3221225572
> >>
> >>
> >>
> >
> >
>
>
March 14, 2005 1:34:23 AM

Archived from groups: microsoft.public.win2000.security (More info?)

That may be helpful I will look into that.

Thanks!!

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:uxx$C4CKFHA.3992@TK2MSFTNGP15.phx.gbl...
> The events name the machine from which the login attempts
> originate. There are tools out there that will hammer on a
> system for as long as they are programmed to do, trying to
> find username / password combinations that work.
> All you have to do is have some exposed authentication
> door, like a restricted access website, file shares, etc..
> If the machine named is an internal machine, then go to it
> and look for infection/malware.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Rick" <rick@di-wave.com> wrote in message
> news:%23jmlhWCKFHA.4028@tk2msftngp13.phx.gbl...
>> The accounts never exists in these groupings. I get about 280 with in 5
>> minutes.
>>
>> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
>> news:%237aUwd%23JFHA.580@TK2MSFTNGP15.phx.gbl...
>> > Where are these shown as coming from ?
>> > Are these for "dumb" account names that often do not exist?
>> > or are they using the list of actual accounts ?
>> > --
>> > Roger
>> > "Rick" <rick@di-wave.com> wrote in message
>> > news:eZGWTSyJFHA.3340@TK2MSFTNGP14.phx.gbl...
>> >> I have been getting a large amount of events 529 and 681 every three
> days
>> > or
>> >> so.
>> >> I get about 280 of these event in about a 5 minute span. Then nothing
> or
>> >> 3
>> >> days or so and then again.
>> >>
>> >> The server is ISA with N2H2 on it. The ISA is in Cache mode only it is
>> > only
>> >> used for web filtering and is behind the firewall. It also have
> Exchange
>> >> 2000 SP3 on this server. It had been going fine for about a year and
> then
>> >> this started. The system functions fine I was just wondering about
> this.
>> >>
>> >> Any ideas would be most appreciated!!!
>> >>
>> >> Thanks in advance,
>> >>
>> >> Rick
>> >>
>> >> Here are the events in case you need that.
>> >>
>> >> Alert in Event log: Security
>> >> Type: Audit Failure Date: 3/9/2005
>> >> Time: 04:45 PM Source: Security
>> >> Category: (2): Logon/Logoff Event ID: 529
>> >> User: S-1-5-18
>> >> Description:
>> >> Logon Failure:
>> >>
>> >> Reason: Unknown user name or bad password
>> >>
>> >> User Name: 33333333
>> >>
>> >> Domain: Logon Type: 3
>> >>
>> >> Logon Process: Advapi
>> >>
>> >> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>> >>
>> >> Workstation Name:( server name removed)
>> >>
>> >>
>> >> Alert in Event log: Security
>> >> Type: Audit Failure Date: 3/9/2005
>> >> Time: 04:45 PM Source: Security
>> >> Category: (9): Account Logon Event ID: 681
>> >> User: S-1-5-18
>> >> Description:
>> >> The logon to account: 33333333
>> >>
>> >> by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>> >>
>> >> from workstation: (server name removed)
>> >>
>> >> failed. The error code was: 3221225572
>> >>
>> >>
>> >>
>> >
>> >
>>
>>
>
>
!