Numerous Windows 2003 Security Log Event from Event ID 529

Tags: Event ID 529, Microsoft Windows Server 2003, Security logs, Windows Server Security
Our website was recently hijacked, and in viewing the Security log I get the following Security Log Event roughly 3 times every 10 minutes:
Date:  12/10/2008  Source: Security
Time:  1:50:00 PM  Category: Logon/Logoff
Type:  Failure Aud  Event ID: 529
User:  NT AUTHORITY\SYSTEM
Computer: SERVER_NAME

Description:
Logon Failure:
 	Reason:		Unknown user name or bad password
 	User Name:	Administrator
 	Domain:		SERVER_NAME
 	Logon Type:	4
 	Logon Process:	Advapi  
 	Authentication Package:	Negotiate
 	Workstation Name:	SERVER_NAME
 	Caller User Name:	SERVER_NAME$
 	Caller Domain:	DOMAIN_NAME
 	Caller Logon ID:	(0x0,0x3E7)
 	Caller Process ID:	1176
 	Transited Services:	-
 	Source Network Address:	-
 	Source Port:	-
The server is Server 2003 Standard using IIS. My virus scan doesn't find anything. Does anybody else know how to stop these events?

Answer Wiki

These are simple failure audits of a hacker trying different password combinations. Do you have a firewall running? If so, find the IP address of the attacker and deny them access.

You can also change the name of the administrator account to something like randomname and then create an administrator account with no access and disabled.

Are you on a hosted machine or is this your box?

If you do not have a firewall you can use netstat to find the connecting IP address and still block the address via Windows as follows:

If you don't have control over a router or firewall you can block IPs at the server via Windows.

Click ‘Start’ > ‘Run’ > type ‘MMC’ and press ‘OK’.

In the console click > ‘File’ > ‘Add/Remove Snap in’

In the ‘Standalone’ tab click the ‘Add’ button

Select ‘IP Security Policy Management’ > ‘ADD’ > ‘Local Computer’ > ‘finish’ > ‘close’ > ‘ok’

You should now be back to the console.

In the left frame right click ‘IP security policies on local computer’ > ‘Create IP security policy’

Click Next and then name your policy ‘Block IP’ and type a description.

Click ‘Next’ then leave ‘activate’ ticked then click ‘Next’

Leave the ‘edit properties’ ticked and click ‘Finish’

You should now have the properties window open.

Click ‘ADD’ then click ‘Next’ to continue.

Leave ‘This rule does not specify a tunnel’ selected and click ‘next’

Leave ‘all network connections’ selected and click ‘next’

You should now be on the IP filter list. You need to create a new filter, so don't select any of the default ones. Click ‘ADD’

Type a Name for your list, call it ‘IP block list’
Type a description in, can be same as name.
Click ‘ADD’ then click ‘Next’ to continue.

In the description box type a description. As it's the first IP you are blocking call it ‘IP1’ or ‘IP Range 1’
Leave ticked the ‘Mirrored. Match packets with the exact opposite source and destination addresses’
Click ‘Next’

The ‘Source address’ should be left as ‘My IP address’ click ‘Next’

You can now select ‘A Specific IP address’ or ‘A Specific Subnet’ for the Destination address.
Type in the IP address you want to block and if blocking a subnet type in the subnet block. Click ‘next’

Leave the protocol type as ‘Any’ and click ‘Next’ and then ‘Finish’

You have now blocked your first IP or IP range.
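
One way to do the "find the IP address" step from the Security log itself, as an added example that is not part of the original answer: it parses Event ID 529 descriptions, counts failures per Source Network Address, and lists separately the events that record no remote address, such as the one in the question (Logon Type 4 is a batch logon). The second sample event and its address 203.0.113.10 are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Logon type codes used in Windows security events.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 10: "RemoteInteractive"}
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")

# Fields copied from the event in the question.
PAGE_EVENT = """Logon Failure:
 \tReason:\t\tUnknown user name or bad password
 \tUser Name:\tAdministrator
 \tLogon Type:\t4
 \tLogon Process:\tAdvapi
 \tCaller Process ID:\t1176
 \tSource Network Address:\t-
"""
# Constructed sample (not from the page): a network logon failure.
CONSTRUCTED_EVENT = """Logon Failure:
 \tUser Name:\tAdministrator
 \tLogon Type:\t3
 \tCaller Process ID:\t-
 \tSource Network Address:\t203.0.113.10
"""

def parse_529(description):
    """Return the 'Name: value' fields of one event description as a dict."""
    fields = {}
    for line in description.splitlines():
        m = FIELD.match(line)
        if m and m.group(2):  # skip headers such as 'Logon Failure:'
            fields[m.group(1)] = m.group(2)
    return fields

def triage(descriptions):
    """Count failures per remote address; list events with no address."""
    remote, local = Counter(), []
    for d in descriptions:
        f = parse_529(d)
        src = f.get("Source Network Address", "-")
        if src == "-":
            ltype = int(f.get("Logon Type", 0))
            local.append((f.get("User Name"), LOGON_TYPES.get(ltype, str(ltype)),
                          f.get("Caller Process ID")))
        else:
            remote[src] += 1
    return remote, local

if __name__ == "__main__":
    remote, local = triage([PAGE_EVENT, CONSTRUCTED_EVENT, CONSTRUCTED_EVENT])
    print("failures per remote address:", dict(remote))
    print("no remote address (user, logon type, caller PID):", local)
```

Events in the second list carry no address to block; their Caller Process ID identifies the local process that requested the logon.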
