Suspicious Security Log Entry
(OP)



I noticed the following entries in the Security log of one of my Windows Domain Controllers this morning:


Event Type:    Failure Audit
Event Source:    Security
Event Category:    Account Logon
Event ID:    681
Date:        5/9/2006
Time:        8:17:26 AM
User:        NT AUTHORITY\SYSTEM
Computer:    DC1
Description:
The logon to account: Administrator
 by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 from workstation: OWNER-W5T0
 failed. The error code was: 3221225578

Event Type:    Failure Audit
Event Source:    Security
Event Category:    Account Logon
Event ID:    681
Date:        5/9/2006
Time:        8:17:25 AM
User:        NT AUTHORITY\SYSTEM
Computer:    DC1
Description:
The logon to account: Administrator
 by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 from workstation: OWNER-W5T0
 failed. The error code was: 3221225578

Event Type:    Failure Audit
Event Source:    Security
Event Category:    Logon/Logoff
Event ID:    529
Date:        5/9/2006
Time:        8:17:25 AM
User:        NT AUTHORITY\SYSTEM
Computer:    DC1
Description:
Logon Failure:
     Reason:        Unknown user name or bad password
     User Name:    Administrator
     Domain:        OWNER-W5T0
     Logon Type:    3
     Logon Process:    NtLmSsp
     Authentication Package:    NTLM
     Workstation Name:    OWNER-W5T0  



The workstation name is not that of a known machine on my network, nor am I able to ping or find any DNS info regarding this workstation.

My question is two-fold:

1.  My domain name is corp.com.   Why would my domain controller log an invalid attempt to log onto the Administrator account for an unknown domain (see event 529 above)?

2.  What are some methods to detect rogue machines on the network?


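The three entries above are worth parsing rather than eyeballing: event 681 carries the NTSTATUS that explains the failure (3221225578 is 0xC000006A, STATUS_WRONG_PASSWORD, so the account name was right), and in event 529 the Domain field is the client's own machine name, meaning a local account was presented to the DC. The following script is an added example, not code from the thread; it re-types the posted events as constructed sample input, decodes the status, and flags an unknown workstation, a non-domain account, and repeated failures against one account. The NetBIOS domain name CORP and the KNOWN_HOSTS inventory are assumptions for the demo.

```python
"""Added example (not code from the thread): parse the pasted Security log
failure audits (event 681, Account Logon; event 529, Logon/Logoff), decode the
NTSTATUS "error code" and flag an unknown workstation, a non-domain account
being presented, and repeated failures against one account."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from functools import partial

# Event 681 reports the NTSTATUS in decimal: 3221225578 == 0xC000006A.
NTSTATUS = {
    0xC000006A: "STATUS_WRONG_PASSWORD (account exists, password wrong)",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
DOMAIN = "CORP"                                    # assumed NetBIOS domain name
KNOWN_HOSTS = {"DC1", "DC2", "FILE1", "WS-ALICE"}  # assumed asset inventory

# The three events from the post above, trimmed to the fields parsed here.
SAMPLE_EVENTS = r"""
Event Type:    Failure Audit
Event ID:    681
Date:        5/9/2006
Time:        8:17:26 AM
The logon to account: Administrator
 by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 from workstation: OWNER-W5T0
 failed. The error code was: 3221225578

Event Type:    Failure Audit
Event ID:    681
Date:        5/9/2006
Time:        8:17:25 AM
The logon to account: Administrator
 by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 from workstation: OWNER-W5T0
 failed. The error code was: 3221225578

Event Type:    Failure Audit
Event ID:    529
Date:        5/9/2006
Time:        8:17:25 AM
     Reason:        Unknown user name or bad password
     User Name:    Administrator
     Domain:        OWNER-W5T0
     Logon Type:    3
     Workstation Name:    OWNER-W5T0
"""

FIELDS = {k: re.compile(p, re.M) for k, p in {
    "event_id": r"^Event ID:\s*(\d+)", "date": r"^Date:\s*(\S+)",
    "time": r"^Time:\s*(\d+:\d+:\d+ [AP]M)", "status": r"The error code was:\s*(\d+)",
    "account": r"(?:The logon to account|User Name):\s*(\S+)",
    "workstation": r"(?:from workstation|Workstation Name):\s*(\S+)",
    "domain": r"^\s*Domain:\s*(\S+)", "logon_type": r"Logon Type:\s*(\d+)",
}.items()}

def field(chunk, key):
    m = FIELDS[key].search(chunk)
    return m.group(1) if m else None

def parse_events(text):
    """Split the log into records; 681 and 529 share one dict shape (missing fields are None)."""
    events = []
    for chunk in re.split(r"^Event Type:", text, flags=re.M):
        get = partial(field, chunk)
        if get("event_id") in ("681", "529"):
            events.append({
                "id": int(get("event_id")),
                "when": datetime.strptime(f"{get('date')} {get('time')}", "%m/%d/%Y %I:%M:%S %p"),
                "account": get("account"), "workstation": get("workstation"),
                "status": int(get("status")) if get("status") else None,  # 681 only
                "domain": get("domain"), "logon_type": get("logon_type"),  # 529 only
            })
    return events

def decode_status(code):
    return NTSTATUS.get(code, f"unknown NTSTATUS 0x{code:08X}")

def analyze(events, known_hosts=KNOWN_HOSTS, domain=DOMAIN, threshold=5, window=timedelta(minutes=5)):
    """Return ordered, de-duplicated (kind, detail) findings."""
    findings, attempts = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["when"]):
        ws, acct = ev["workstation"].upper(), ev["account"]
        if ws not in known_hosts:
            findings.append(("unknown_workstation", ws))
        if ev["id"] == 529 and ev["domain"].upper() != domain:
            # Domain equal to the client's own name: a local (non-domain) account was
            # presented over the network; the DC still records the failed NTLM validation.
            kind = "local_account_probe" if ev["domain"].upper() == ws else "foreign_domain_account"
            findings.append((kind, f"{ev['domain']}\\{acct} from {ws}, logon type {ev['logon_type']}"))
        if ev["id"] == 681:
            recent = [t for t in attempts[acct, ws] if ev["when"] - t <= window] + [ev["when"]]
            attempts[acct, ws] = recent
            if len(recent) == threshold:  # report once, when the threshold is first reached
                findings.append(("password_guessing", f"{threshold} failures for {acct} from {ws} "
                                 f"within {window}; last status {decode_status(ev['status'])}"))
    return list(dict.fromkeys(findings))

if __name__ == "__main__":
    print(*analyze(parse_events(SAMPLE_EVENTS), threshold=2), sep="\n")
```

With the default threshold the two failures a second apart are not reported as guessing; lower it (as the `__main__` block does) or feed a longer export, and the same pair of account and workstation is tracked over a sliding window. The unknown-workstation check is only as good as the inventory you give it, which is exactly the list a static-IP shop should already have.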
RE: Suspicious Security Log Entry

Do you use DHCP? If so, take a look to see if there is a lease with that name; it's possible that someone has brought in a laptop and plugged it into your network, or connected wirelessly if you use it.

RE: Suspicious Security Log Entry

(OP)
We do not use DHCP.  Static only.

RE: Suspicious Security Log Entry

Unless you start seeing this frequently I wouldn't worry; I get it occasionally, and it's caused by laptops when the user logs on locally.

-----------------------------------------------------------
From MS

Windows will generate event ID 529 if the machine environment meets the following criteria:

The machine is running Windows XP
The machine is a member of a domain
The machine is using a machine local account
You've enabled logon failure auditing

When the user logs off, Windows will write event ID 529 to the log file because the OS incorrectly tries to contact the domain controller (DC), despite the fact that the machine is using a local account. Microsoft currently doesn't provide a fix for this problem, but you can safely ignore this event ID.


Error code 3221225578: the username is correct, but the password is wrong.

RE: Suspicious Security Log Entry

It sounds as if a computer is on your network and not a member of your domain, and someone is attempting to access resources.  Since you use fixed IP addresses, you can create a simple batch file that pings all the unused addresses in your subnet and echoes the results to a file.  A simple search for the phrase "reply from" will get you to the entry for the IP address that is being used.

@echo off
rem create/recreate file
echo find the culprit >c:\culprit.txt
rem send a single ping to each ip and append
ping -n 1 192.168.1.1 >>c:\culprit.txt
ping -n 1 192.168.1.2 >>c:\culprit.txt
rem 192.168.1.3 in use
ping -n 1 192.168.1.4 >>c:\culprit.txt
...

Start, Help.  You'll be surprised what's there.  A+/MCP/MCSE/MCDBA
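One catch with searching the ping output for "reply from": Windows ping.exe also prints "Reply from <address>: Destination host unreachable." (the address being your own host's or a router's), which matches the search but means nobody answered. The script below is an added example, not the poster's batch file; it sweeps a statically addressed subnet with the same one-packet ping, accepts only replies that carry a TTL, compares the live hosts with an inventory, and uses the TTL as a rough OS hint. The INVENTORY set, the 192.168.1.0/25 network and the fake ping output are constructed for the demo; the ping arguments (-n count, -w milliseconds) are Windows ping.exe's.

```python
"""Added example (not the poster's batch file): ping sweep of a static subnet
that decides liveness from a real echo reply and reports addresses that answer
but are not in the inventory."""
import ipaddress
import re
import subprocess

# A genuine reply carries "TTL=". "Reply from <own or router IP>: Destination host
# unreachable." starts with "Reply from" too, so a plain text search over-reports.
ECHO_REPLY = re.compile(r"Reply from (\d+\.\d+\.\d+\.\d+): bytes=\d+ time\S+ TTL=(\d+)")

# Assumed static inventory: the addresses that are supposed to answer.
INVENTORY = {"192.168.1.1", "192.168.1.3"}

def parse_ping(output):
    """Return (address, ttl) for a real echo reply, else None."""
    m = ECHO_REPLY.search(output)
    return (m.group(1), int(m.group(2))) if m else None

def guess_os(ttl):
    """Common initial TTLs: 64 Unix-like, 128 Windows, 255 many network devices.
    A value a little under one of these means the packet crossed routers."""
    if ttl <= 64:
        return "unix-like"
    if ttl <= 128:
        return "windows"
    return "network device"

def ping_windows(address):
    """One echo request with a 500 ms timeout, using the local ping.exe."""
    proc = subprocess.run(["ping", "-n", "1", "-w", "500", address],
                          capture_output=True, text=True)
    return proc.stdout

def sweep(network, inventory=INVENTORY, ping=ping_windows):
    """Ping every host address in `network`; return ({live address: ttl}, [unexpected])."""
    live, unexpected = {}, []
    for host in ipaddress.ip_network(network).hosts():
        address = str(host)
        hit = parse_ping(ping(address))
        if hit is None or hit[0] != address:  # ignore replies from a different address
            continue
        live[address] = hit[1]
        if address not in inventory:
            unexpected.append(address)
    return live, unexpected

# Constructed ping.exe output so the sweep can be exercised offline.
FAKE_REPLIES = {
    "192.168.1.1": "Reply from 192.168.1.1: bytes=32 time<1ms TTL=255\n",
    "192.168.1.3": "Reply from 192.168.1.3: bytes=32 time<1ms TTL=128\n",
    "192.168.1.77": "Reply from 192.168.1.77: bytes=32 time=2ms TTL=128\n",
    "192.168.1.9": "Reply from 192.168.1.3: Destination host unreachable.\n",
}

def fake_ping(address):
    return FAKE_REPLIES.get(address, "Request timed out.\n")

if __name__ == "__main__":
    live, unexpected = sweep("192.168.1.0/25", ping=fake_ping)
    for address in unexpected:
        print(f"{address} answers (TTL {live[address]}, looks {guess_os(live[address])}) "
              f"and is not in the inventory")
```

A host with a firewall that drops ICMP will not show up in any ping sweep; after sweeping, `arp -a` on a machine in the same segment still lists the MAC of anything that talked on the wire, and `nbtstat -A <address>` will tell you whether a live address is the OWNER-W5T0 from the event log. Swap `fake_ping` for the default `ping_windows` to run it for real.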
