Hi there,
We have recently taken on a new customer who has a Windows 2003 SBS server
After setting up all of our automated alerting, we found the following alerts ...
**************************************************************
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 11/03/2014
Time: 10:37:24
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: test
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER
Caller User Name: SERVER$
Caller Domain:
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1780
Transited Services: -
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
**************************************************************
The server in this case is called 'SERVER' and the domain noted in the log is the customers domain.
There are a series of these alerts happening every 30mins and they appear to be brute force, as the user name noted is working through alphabetically from A - Z
- See user noted above being 'TEST' in this log
I have tried looking online, but cannot find anything specific relating to ...
Event ID: 529
Logon Type: 3
Logon Process: Advapi
Caller Process ID: 1780
Has anyone seen anything like this before and, or know where to begin diagnosing this?
Any help greatly appreciated