Event Log: Failed Audit

#1
15-10-2006
Tom
Event Log: Failed Audit

Win2K3 SP1 SBS

I am seeing several (!) Failed Audits in my Security Event Log. Most of
them look like this:
Logon failure:
Reason: Unknown user name or bad password
Username: Administrator
Domain: MyIntranetDomainName
Logon Type: 8
Logon Process: IIS
Authentication Package: Microsoft Authentication Package v1.0
Workstation Name: MyServerWorkstation
Caller Username: MyServerWorkstation$ [Note: $ at the end]
Caller Domain: MyIntranetDomainName
Caller LogonID: (0x0, 0x3E7)
Caller ProcessID: 1276
Transited Services: -
Source Network address: -
Source Port -

Can someone explain what this means? If we're receiving attempts to access
our system what counter measures should we take? We are up to date on ALL
(including THE most recent) MS updates and we have a very long complex
password.
TIA

#2
15-10-2006
Dave Patrick
Re: Event Log: Failed Audit

These articles may help.

http://support.microsoft.com/default...b;en-us;287537
http://support.microsoft.com/default...b;en-us;326985

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

"Tom" wrote:
| Win2K3 SP1 SBS
|
| I am seeing several (!) Failed Audits in my Security Event Log. Most of
| them look like this:
| Logon failure:
| Reason: Unknown user name or bad password
| Username: Administrator
| Domain: MyIntranetDomainName
| Logon Type: 8
| Logon Process: IIS
| Authentication Package: Microsoft Authentication Package v1.0
| Workstation Name: MyServerWorkstation
| Caller Username: MyServerWorkstation$ [Note: $ at the end]
| Caller Domain: MyIntranetDomainName
| Caller LogonID: (0x0, 0x3E7)
| Caller ProcessID: 1276
| Transited Services: -
| Source Network address: -
| Source Port -
|
| Can someone explain what this means? If we're receiving attempts to access
| our system what counter measures should we take? We are up to date on ALL
| (including THE most recent) MS updates and we have a very long complex
| password.
| TIA


#3
16-10-2006
Kevin D. Goodknecht Sr. [MVP]
Re: Event Log: Failed Audit

Tom wrote:
> Win2K3 SP1 SBS
>
> I am seeing several (!) Failed Audits in my Security Event Log. Most
> of them look like this:
> Logon failure:
> Reason: Unknown user name or bad password
> Username: Administrator
> Domain: MyIntranetDomainName
> Logon Type: 8
> Logon Process: IIS
> Authentication Package: Microsoft Authentication Package v1.0
> Workstation Name: MyServerWorkstation
> Caller Username: MyServerWorkstation$ [Note: $ at the end]
> Caller Domain: MyIntranetDomainName
> Caller LogonID: (0x0, 0x3E7)
> Caller ProcessID: 1276
> Transited Services: -
> Source Network address: -
> Source Port -
>
> Can someone explain what this means? If we're receiving attempts to
> access our system what counter measures should we take? We are up to
> date on ALL (including THE most recent) MS updates and we have a very
> long complex password.
> TIA


This is likely someone trying to gain access to the FTP server by trying to
guess the username password, in this case it is the Built in Administrator.
A check of the FTP server's logfiles will verify this.


--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
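
Added example (not part of the original thread and not any poster's code): one way to run the FTP log check suggested above, counting rejected logons (PASS answered with 530) per FTP site, client address and user name. The event above shows "Source Network address: -", so the FTP log is where the client address appears. The code assumes the W3C extended layout of IIS 6 FTP logs; the sample lines, addresses and site folder names are constructed.

```python
import re
from collections import Counter

# Constructed sample in the W3C extended layout assumed for IIS 6 FTP logs;
# addresses are documentation ranges, site names are assumed folder names.
SAMPLE_LOGS = {
    "MSFTPSVC1": """\
#Software: Microsoft Internet Information Services 6.0
#Fields: time c-ip cs-method cs-uri-stem sc-status sc-win32-status
03:12:01 203.0.113.7 [1]USER Administrator 331 0
03:12:01 203.0.113.7 [1]PASS - 530 1326
03:12:02 203.0.113.7 [2]USER Administrator 331 0
03:12:02 203.0.113.7 [2]PASS - 530 1326
03:12:05 203.0.113.7 [3]USER admin 331 0
03:12:05 203.0.113.7 [3]PASS - 530 1326
""",
    "MSFTPSVC2": """\
#Fields: time c-ip cs-method cs-uri-stem sc-status sc-win32-status
09:30:11 192.0.2.10 [1]USER backup 331 0
09:30:11 192.0.2.10 [1]PASS - 230 0
""",
}

CMD = re.compile(r"^\[(\d+)\](\w+)$")  # "[session]COMMAND"

def failed_ftp_logons(logs):
    """Count rejected FTP logons per (site, client IP, user name)."""
    failures = Counter()
    for site, text in logs.items():
        fields, pending = [], {}  # pending: (ip, session) -> last USER sent
        for line in text.splitlines():
            if line.startswith("#Fields:"):
                fields = line.split()[1:]  # column order comes from the log itself
                continue
            if not line.strip() or line.startswith("#"):
                continue
            row = dict(zip(fields, line.split()))
            m = CMD.match(row.get("cs-method", ""))
            if not m:
                continue
            key = (row.get("c-ip"), m.group(1))
            if m.group(2).upper() == "USER":
                pending[key] = row.get("cs-uri-stem", "-")
            elif m.group(2).upper() == "PASS" and row.get("sc-status") == "530":
                failures[(site, row.get("c-ip"), pending.get(key, "?"))] += 1
    return failures

if __name__ == "__main__":
    for (site, ip, user), n in failed_ftp_logons(SAMPLE_LOGS).most_common():
        print(f"{site}  {ip}  {user}  {n} failed logon(s)")
```

A site that shows failures from unknown addresses is the one whose IP address restrictions deserve a look.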


#4
09-01-2007
mrecomm101
Re: Event Log: Failed Audit

Kevin,

I am experiencing the same issue. To troubleshoot, I stopped every website
and every FTP site within my IIS (6.0) -- and I'm still getting the failed
logon attempts. How can they be achieving this when all sites are stopped,
including AppPools?

"Kevin D. Goodknecht Sr. [MVP]" wrote:

> Tom wrote:
> > Win2K3 SP1 SBS
> >
> > I am seeing several (!) Failed Audits in my Security Event Log. Most
> > of them look like this:
> > Logon failure:
> > Reason: Unknown user name or bad password
> > Username: Administrator
> > Domain: MyIntranetDomainName
> > Logon Type: 8
> > Logon Process: IIS
> > Authentication Package: Microsoft Authentication Package v1.0
> > Workstation Name: MyServerWorkstation
> > Caller Username: MyServerWorkstation$ [Note: $ at the end]
> > Caller Domain: MyIntranetDomainName
> > Caller LogonID: (0x0, 0x3E7)
> > Caller ProcessID: 1276
> > Transited Services: -
> > Source Network address: -
> > Source Port -
> >
> > Can someone explain what this means? If we're receiving attempts to
> > access our system what counter measures should we take? We are up to
> > date on ALL (including THE most recent) MS updates and we have a very
> > long complex password.
> > TIA

>
> This is likely someone trying to gain access to the FTP server by trying to
> guess the username password, in this case it is the Built in Administrator.
> A check of the FTP server's logfiles will verify this.
>
>
> --
> Best regards,
> Kevin D. Goodknecht Sr. [MVP]
> Hope This Helps
> ===================================
> When responding to posts, please "Reply to Group"
> via your newsreader so that others may learn and
> benefit from your issue, to respond directly to
> me remove the nospam. from my email address.
> ===================================
> http://www.lonestaramerica.com/
> http://support.wftx.us/
> http://message.wftx.us/
> ===================================
> Use Outlook Express?... Get OE_Quotefix:
> It will strip signature out and more
> http://home.in.tum.de/~jain/software/oe-quotefix/
> ===================================
> Keep a back up of your OE settings and folders
> with OEBackup:
> http://www.oehelp.com/OEBackup/Default.aspx
> ===================================
>
>
>

#5
09-01-2007
mrecomm101
Re: Event Log: Failed Audit

Sorry Kevin, it was a backlog of email notifications that was occurring. Still
curious as to getting a straightforward answer on how to stop these types of
attacks.

#6
09-01-2007
mrecomm101
Re: Event Log: Failed Audit

Kevin,

I found my security hole. All my FTP sites are "denied Access except these
IPs...", except for one that was set to default "grant access to all". That
was the one being attacked.

Hope this helps others. Thanks!
