Event 529 and 681

Archived from groups: microsoft.public.win2000.security

I have been getting a large number of events 529 and 681 every three days or
so.
I get about 280 of these events in about a 5 minute span. Then nothing for 3
days or so and then again.

The server is ISA with N2H2 on it. The ISA is in Cache mode only; it is only
used for web filtering and is behind the firewall. It also has Exchange
2000 SP3 on this server. It had been going fine for about a year and then
this started. The system functions fine; I was just wondering about this.

Any ideas would be most appreciated!!!

Thanks in advance,

Rick

Here are the events in case you need that.

Alert in Event log: Security
Type: Audit Failure Date: 3/9/2005
Time: 04:45 PM Source: Security
Category: (2): Logon/Logoff Event ID: 529
User: S-1-5-18
Description:
Logon Failure:

Reason: Unknown user name or bad password

User Name: 33333333

Domain: Logon Type: 3

Logon Process: Advapi

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Workstation Name:(server name removed)


Alert in Event log: Security
Type: Audit Failure Date: 3/9/2005
Time: 04:45 PM Source: Security
Category: (9): Account Logon Event ID: 681
User: S-1-5-18
Description:
The logon to account: 33333333

by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

from workstation: (server name removed)

failed. The error code was: 3221225572
  1. ----------------
    Event ID 529
    ----------------

    http://www.eventid.net/display.asp?eventid=529&eventno=1&source=Security&phase=1

    http://support.microsoft.com/default.aspx?scid=kb;en-us;159792
    http://support.microsoft.com/default.aspx?scid=kb;en-us;159969
    http://support.microsoft.com/default.aspx?scid=kb;en-us;171148
    http://support.microsoft.com/default.aspx?scid=kb;en-us;172402
    http://support.microsoft.com/default.aspx?scid=kb;en-us;174073
    http://support.microsoft.com/default.aspx?scid=kb;en-us;174074
    http://support.microsoft.com/default.aspx?scid=kb;en-us;238372
    http://support.microsoft.com/default.aspx?scid=kb;en-us;239869
    http://support.microsoft.com/default.aspx?scid=kb;en-us;272594
    http://support.microsoft.com/default.aspx?scid=kb;en-us;287639
    http://support.microsoft.com/default.aspx?scid=kb;en-us;290706
    http://support.microsoft.com/default.aspx?scid=kb;en-us;299352
    http://support.microsoft.com/default.aspx?scid=kb;en-us;305822
    http://support.microsoft.com/default.aspx?scid=kb;en-us;312827
    http://support.microsoft.com/default.aspx?scid=kb;en-us;326985
    http://support.microsoft.com/default.aspx?scid=kb;en-us;328720
    http://support.microsoft.com/default.aspx?scid=kb;en-us;811082
    http://support.microsoft.com/default.aspx?scid=kb;en-us;824209
    http://support.microsoft.com/default.aspx?scid=kb;en-us;890477

    ----------------
    Event ID 681
    ----------------

    http://www.eventid.net/display.asp?eventid=681&eventno=3&source=Security&phase=1

    http://support.microsoft.com/default.aspx?scid=kb;en-us;174074
    http://support.microsoft.com/default.aspx?scid=kb;en-us;272594
    http://support.microsoft.com/default.aspx?scid=kb;en-us;273499
    http://support.microsoft.com/default.aspx?scid=kb;en-us;287626
    http://support.microsoft.com/default.aspx?scid=kb;en-us;297989
    http://support.microsoft.com/default.aspx?scid=kb;en-us;321448
    http://support.microsoft.com/default.aspx?scid=kb;en-us;326985
    http://support.microsoft.com/default.aspx?scid=kb;en-us;824209
    http://support.microsoft.com/default.aspx?scid=kb;en-us;837142


    Austin M. Horst
  2. Where are these shown as coming from?
    Are these for "dumb" account names that often do not exist?
    Or are they using the list of actual accounts?
    --
    Roger
  3. The accounts never exist in these groupings. I get about 280 within 5
    minutes.
  4. The events name the machine from which the login attempts
    originate. There are tools out there that will hammer on a
    system for as long as they are programmed to do, trying to
    find username / password combinations that work.
    All you have to do is have some exposed authentication
    door, like a restricted access website, file shares, etc.
    If the machine named is an internal machine, then go to it
    and look for infection/malware.

    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
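
Added example, not part of the original thread: one way to triage the pattern discussed above is to group the 529 failures by the workstation the events name, measure the peak count inside a 5-minute window, and decode the decimal error code from event 681 (3221225572 is 0xC0000064, STATUS_NO_SUCH_USER). The workstation names PROXY01 and WS02, the threshold of 3, and the sample records are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Event 681 prints an NTSTATUS value in decimal; these three are well-known codes.
NTSTATUS = {0xC0000064: "STATUS_NO_SUCH_USER", 0xC000006A: "STATUS_WRONG_PASSWORD",
            0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT"}

def decode_status(decimal_code):
    code = int(decimal_code) & 0xFFFFFFFF
    return f"0x{code:08X}", NTSTATUS.get(code, "unknown")

FIELDS = {"date": r"Date: (\S+)", "time": r"Time: (\d\d:\d\d [AP]M)", "id": r"Event ID: (\d+)",
          "user": r"(?:User Name|logon to account): (\S+)",
          "ws": r"[Ww]orkstation(?: Name)?: ?(\S+)", "code": r"error code was: (\d+)"}

def parse_events(text):  # split an exported log on the alert header, one dict per record
    events = []
    for rec in text.split("Alert in Event log:")[1:]:
        e = {k: (m.group(1) if (m := re.search(p, rec)) else None) for k, p in FIELDS.items()}
        e["when"] = datetime.strptime(f"{e['date']} {e['time']}", "%m/%d/%Y %I:%M %p")
        events.append(e)
    return events

def summarize(text, window=timedelta(minutes=5), threshold=3):  # threshold is an assumption
    events, fails, report = parse_events(text), defaultdict(list), {}
    for e in events:
        if e["id"] == "529":  # count each attempt once; the 681 is its twin
            fails[e["ws"]].append(e["when"])
    for ws, times in fails.items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            codes = {decode_status(e["code"]) for e in events if e["ws"] == ws and e["code"]}
            report[ws] = {"peak": peak, "status": sorted(codes)}
    return report

HEAD = "Alert in Event log: Security\nType: Audit Failure Date: 3/9/2005\nTime: 04:{m} PM Source: Security\n"
E529 = HEAD + "Category: (2): Logon/Logoff Event ID: 529\nUser Name: {u}\nLogon Type: 3\nWorkstation Name:{w}\n"
E681 = HEAD + "Category: (9): Account Logon Event ID: 681\nThe logon to account: {u}\nfrom workstation: {w}\nfailed. The error code was: 3221225572\n"
# Constructed sample: four failures from PROXY01 in four minutes, one stray from WS02.
SAMPLE = "".join((E529 + E681).format(m=m, u=u, w=w) for m, u, w in [
    (45, "33333333", "PROXY01"), (46, "44444444", "PROXY01"), (47, "55555555", "PROXY01"),
    (48, "66666666", "PROXY01"), (10, "jsmith", "WS02")])
```

Running `summarize(SAMPLE)` reports only PROXY01, which is the machine to inspect first if it is internal.
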
  5. That may be helpful; I will look into that.

    Thanks!!