
Suspicious Security Log Entry

Status
Not open for further replies.

sohtnax

IS-IT--Management
Apr 24, 2003
130
US



I noticed the following entries in the Security log of one of my Windows Domain Controllers this morning:


Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 681
Date: 5/9/2006
Time: 8:17:26 AM
User: NT AUTHORITY\SYSTEM
Computer: DC1
Description:
The logon to account: Administrator
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: OWNER-W5T0
failed. The error code was: 3221225578

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 681
Date: 5/9/2006
Time: 8:17:25 AM
User: NT AUTHORITY\SYSTEM
Computer: DC1
Description:
The logon to account: Administrator
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: OWNER-W5T0
failed. The error code was: 3221225578



Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 5/9/2006
Time: 8:17:25 AM
User: NT AUTHORITY\SYSTEM
Computer: DC1
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: OWNER-W5T0
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: OWNER-W5T0



The workstation name is not one of a known machine on my network, nor am I able to ping or find any DNS info regarding this workstation.

My question is two-fold:

1. My domain name is corp.com. Why would my domain controller log an invalid attempt to log onto the Administrator account for an unknown domain (See event 529 below)?

2. What are some methods to detect rogue machines on the network?

Do you use DHCP? If so, take a look to see if there is a lease with that name; it's possible that someone has brought in a laptop and plugged it into your network or connected wirelessly if you use it.
 
We do not use DHCP. Static only.
 
Unless you start seeing this frequently I wouldn't worry. I get it occasionally and it's caused by laptops when the user logs on locally.

-----------------------------------------------------------
From MS

Windows will generate event ID 529 if the machine environment meets the following criteria:

The machine is running Windows XP
The machine is a member of a domain
The machine is using a machine local account
You've enabled logon failure auditing

When the user logs off, Windows will write event ID 529 to the log file because the OS incorrectly tries to contact the domain controller (DC), despite the fact that the machine is using a local account. Microsoft currently doesn't provide a fix for this problem, but you can safely ignore this event ID.


The error code was: 3221225578
The username is correct, but the password is wrong.
 
It sounds as if a computer is on your network and not a member of your domain, and someone is attempting to access resources. Since you use fixed IP addresses, you can create a simple batch file that pings all the unused addresses in your subnet and echoes the results to a batch file. A simple search for the phrase "reply from" will get you to the entry for the IP address that is being used.

@echo off
rem create/recreate file
echo find the culprit >c:\culprit.txt
rem send a single ping to each ip and append
ping -n 1 192.168.1.1 >>c:\culprit.txt
ping -n 1 192.168.1.2 >>c:\culprit.txt
rem 192.168.1.3 in use
ping -n 1 192.168.1.4 >>c:\culprit.txt
...


Start, Help. You'll be surprised what's there. A+/MCP/MCSE/MCDBA
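As an added example, not code from this thread or from Tek-Tips, the Python below applies the indicators discussed above to a Security-log text export: it parses 681/529 entries, flags workstation names that are not in a host inventory, notes a 529 whose Domain equals the workstation name (a machine-local account on a non-domain host, the case the quoted MS note describes), and recognises error 3221225578 (0xC000006A, wrong password). The sample events and the KNOWN_HOSTS inventory are constructed.

```python
import re
from collections import Counter

# Constructed sample in Event Viewer's flat "Field: value" form (681 and 529).
SAMPLE_EVENTS = """Event ID: 681
The logon to account: Administrator
from workstation: OWNER-W5T0
failed. The error code was: 3221225578

Event ID: 529
User Name: Administrator
Domain: OWNER-W5T0
Workstation Name: OWNER-W5T0

Event ID: 529
User Name: jsmith
Domain: CORP
Workstation Name: WS-ACCT01
"""
KNOWN_HOSTS = {"DC1", "WS-ACCT01", "WS-ACCT02"}  # assumed host inventory
WRONG_PASSWORD = 3221225578  # 0xC000006A, STATUS_WRONG_PASSWORD

def parse_events(text):
    """Split a Security-log text export into one dict per event."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        ev = {k.strip(): v.strip() for k, _, v in
              (ln.partition(":") for ln in chunk.splitlines() if ":" in ln)}
        m = re.search(r"error code was: (\d+)", chunk)
        ev["error_code"] = int(m.group(1)) if m else None
        events.append(ev)
    return events

def find_rogue_workstations(events, known_hosts):
    """Map each workstation not in inventory to what the DC saw from it."""
    findings = {}
    for ev in events:
        ws = ev.get("Workstation Name") or ev.get("from workstation")
        if not ws or ws in known_hosts:
            continue
        f = findings.setdefault(ws, {"event_ids": Counter(), "targets": set(),
                                     "local_account": False, "wrong_password": False})
        f["event_ids"][ev.get("Event ID")] += 1
        f["targets"].add(ev.get("User Name") or ev.get("The logon to account"))
        # 529 with Domain == workstation name: machine-local account, so a non-domain host.
        if ev.get("Event ID") == "529" and ev.get("Domain") == ws:
            f["local_account"] = True
        if ev["error_code"] == WRONG_PASSWORD:
            f["wrong_password"] = True
    return findings
```

Run it against `SAMPLE_EVENTS` and only OWNER-W5T0 is reported, with both event IDs, the Administrator target, a local-account 529 and a wrong-password 681.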
 