Security Event Log Failure Audit 681

mark

Archived from groups: microsoft.public.win2000.security

We have been getting 100's of these Failure Audit logs on a daily
basis in our security event log for the past couple weeks. They are
showing up on our win 2000 sp4 application/database server. The user
is a current domain user but not a local user on the server. The
workstation however is not in our domain. What is bothering me is
that it is trying to log in from a machine that has the same name as a
current user. I have scanned for viruses and spyware on both the
server and the user's workstation, but came up empty on both searches.

The server is part of a 2000 domain and the user logs into a NT
domain. The user doesn't have a mapped drive to the server, but
accesses our main application that resides on the server on a daily
basis.

Below is an example of what we have been seeing.

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 681
Date: 6/11/2004
Time: 6:12:17 AM
User: NT AUTHORITY\SYSTEM
Computer: Server-1 <---(Application/DB server)
Description:
The logon to account: NICKH <---(current user)
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: \\NICKH <---(not a current workstation)
failed. The error code was: 3221225572

Thanks in advance for any advice,
 
Guest

Although I can't offer any advice on this, the same thing
started happening to me yesterday on our network. We are
running Windows 2000 Advanced Server SP4 and I noted
yesterday a little over 2,000 entries in the security log
in our event viewer on the server within a 20-30 minute
time period. The Event ID is 681 just as you reported
with a slightly different error code (I'm also getting
error code 529 in the event viewer logs as well).
However, the logon account/user name is the network
administrator name that I created when I set up the
server, but the domain and the workstation name are the
same names which ARE NOT names that I have used on the
network at any point in time. Today, I received a little
over 1,000 attempts with a different domain and
workstation name. The weird thing is that this is
happening around the same time - in the morning around 9
AM or so until 11 AM. The attempts are repeated and then
they stop.

I have Norton's Anti-virus installed and updated and it
has found no threats.

I have not found any reason that this is occurring at this
point, but it seems similar to what is happening with your
server.

If I come across a solution, I'll certainly post it here.
Does anyone else have any clue to what might be happening?




 
Guest

That sounds like a hack attempt on the administrator account using computers
from possibly the internet. I would check your firewall configuration to make
sure it is correct. The best way is to try and scan your network from the
outside. Another alternative is to try a self scan site such as
http://scan.sygatetech.com/ . You should have file and print sharing disabled on
any network adapter connected directly to the internet. Looking in your firewall
logs for traffic at the time of the failed logons may help in determining if a
hack is coming from the internet and what ports are used. Of course you want
your firewall device and server times right on synch. --- Steve


"Michele" <vnachs@supernet.com> wrote in message
news:24db401c45fbc$5dbb8fc0$a401280a@phx.gbl...
> Although I can't offer any advice on this, the same thing
> started happening to me yesterday on our network. We are
> running Windows 2000 Advanced Server SP4 and I noted
> yesterday a little over 2,000 entries in the security log
> in our event viewer on the server within a 20-30 minute
> time period. The Event ID is 681 just as you reported
> with a slightly different error code (I'm also getting
> error code 529 in the event viewer logs as well).
> However, the logon account/user name is the network
> administrator name that I created when I set up the
> server, but the domain and the workstation name are the
> same names which ARE NOT names that I have used on the
> network at any point in time. Today, I received a little
> over 1,000 attempts with a different domain and
> workstation name. The weird thing is that this is
> happening around the same time - in the morning around 9
> AM or so until 11 AM. The attempts are repeated and then
> they stop.
>
> I have Norton's Anti-virus installed and updated and it
> has found no threats.
>
> I have not found any reason that this is occurring at this
> point, but it seems similar to what is happening with your
> server.
>
> If I come across a solution, I'll certainly post it here.
> Does anyone else have any clue to what might be happening?
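For triaging a flood of Event 681 failures like the ones posted in this thread, the decimal error code can be converted to its NTSTATUS value and the failures grouped by account and source workstation. This is an added example, not part of the original posts; the sample records, the names ADMIN-EXAMPLE and HOST-EXAMPLE, and the status table subset are constructed for illustration (the code 3221225572 from the first post is 0xC0000064, STATUS_NO_SUCH_USER).

```python
import re
from collections import Counter

# Subset of NTSTATUS values seen in failed-logon audits.
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

EVENT_681 = re.compile(
    r"The logon to account:\s*(?P<account>\S+).*?"
    r"from workstation:\s*(?P<workstation>\S+).*?"
    r"The error code was:\s*(?P<code>\d+)",
    re.DOTALL,
)

def decode_status(decimal_code):
    """Return (hex string, symbolic name) for a decimal 681 error code."""
    value = int(decimal_code) & 0xFFFFFFFF
    return f"0x{value:08X}", NTSTATUS.get(value, "UNKNOWN")

def summarize(log_text):
    """Count failures per (account, workstation, status name)."""
    counts = Counter()
    for m in EVENT_681.finditer(log_text):
        name = decode_status(m["code"])[1]
        counts[(m["account"], m["workstation"].lstrip("\\"), name)] += 1
    return counts

# Constructed sample in the description format shown in the first post.
SAMPLE = r"""
The logon to account: NICKH
 by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 from workstation: \\NICKH
 failed. The error code was: 3221225572
The logon to account: NICKH
 by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 from workstation: \\NICKH
 failed. The error code was: 3221225572
The logon to account: ADMIN-EXAMPLE
 by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 from workstation: \\HOST-EXAMPLE
 failed. The error code was: 3221225578
"""

if __name__ == "__main__":
    print(summarize(SAMPLE).most_common())
```

Sorting the counts by source workstation and status name separates repeated attempts against a name the server does not recognize from wrong-password attempts against a real account.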