Numerous Windows 2003 Security Log Event from Event ID 529
Our website was recently hijacked, and in viewing the Security log I get the following Security Log Event roughly 3 times every 10 minutes:
Software/Hardware used:
Date: 12/10/2008 Source: Security Time: 1:50:00 PM Category: Logon/Logoff Type: Failure Aud Event ID: 529 User: NT AUTHORITYSYSTEM Computer: SERVER_NAME Description: Logon Failure: Reason: Unknown user name or bad password User Name: Administrator Domain: SERVER_NAME Logon Type: 4 Logon Process: Advapi Authentication Package: Negotiate Workstation Name: SERVER_NAME Caller User Name: SERVER_NAME$ Caller Domain: DOMAIN_NAME Caller Logon ID: (0x0,0x3E7) Caller Process ID: 1176 Transited Services: - Source Network Address: - Source Port: -The server is Server 2003 Standard using IIS. My virus scan doesn't find anything. Does anybody else know how to stop these events?
Software/Hardware used:
ASKED:
December 10, 2008 10:03 PM
UPDATED:
December 12, 2008 5:13 PM
Answer Wiki:
These are simple failure audits of a hacker trying different password combinations. Do you have a firewall running? If so find the IP address of the attacker and deny them access.
You can also change the name of the administrator account to something like randomname and then create a administrator account with no access and disabled.
Are you on a hosted machine or is this your box?
If you do not have a firewall you can use netstat to find the connecting IP address and still block the address via windows as follows:
If you dont have control over a router or firewall you can block IP's at the server via Windows.
Click 'Start' > 'Run' >type 'MMC' press ok.
In the console click > 'File' > 'Add/Remove Snap in'
In the 'Standalone Tab' click The 'add' button
Seclect 'IP Security Policy Managment' > 'ADD' > 'Local Computer' > 'finish' > 'close' > 'ok'
You should now be back to the console.
In the left frame right click 'IP security policies on local computer' > 'Create IP security policy'
Click Next and then name your policy 'Block IP' and type a description.
Click 'Next' then leave 'activate' ticked then click 'Next'
leave the 'edit properties ticked and click 'Finish'
You should now have the properties window open.
Click 'ADD' then click 'Next' to continue.
Leave 'This rule does not specify a tunnel' selected and click 'next'
Leave 'all network connections' selected and click 'next'
You should now be on the IP filter list. You need to create a new filter, so dont select any of the default ones. Click 'ADD'
Type a Name for your list, call it 'IP block list'
Type a description in, can be same as name.
Click 'ADD' then click 'Next' to continue.
In the description box type a description. As its the first IP you are blocking call it 'IP1' or 'IP Range 1'
Leave ticked the 'Mirrored. Match packets with the exact opposite source and destination addresses'
Click 'Next'
The 'Source address' should be left as 'My IP address' click 'Next'
You can now select 'A Specific IP address' or 'A Specific Subnet' for the Destination address.
Type in the IP address you want to block and if blocking a subnet type in the subnet block. Click 'next'
Leave the protocol type as 'Any' and click 'Next' and then 'Finish'
You have now blocked your first IP or IP range.
To see all answers submitted to the Answer Wiki: View Answer History.
For future reference, here’s a great site for researching Event IDs. Hope this helps.