How to find out where user logon attempts are coming from?


  • Thursday, March 22, 2012 12:45

    Hi!

    We have a case where I'm getting logon attempts from an account that belonged to our ex-employee that had an administrator status. The person has now left our company and my server's security log is flooded with the Failure audit logon events. The person's account was first disabled and is now deleted.

    There are two error messages I'm seeing on our secondary DC's security event logs:

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Account Logon 
    Event ID: 680
    Date: 22.3.2012
    Time: 13:55:36
    User: NT AUTHORITY\SYSTEM
    Computer: SERVERNAME
    Description:
    Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon account: useraccount
    Source Workstation:
    Error Code: 0xC000006A

    And the second error message:

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Logon/Logoff 
    Event ID: 529
    Date: 22.3.2012
    Time: 13:55:36
    User: NT AUTHORITY\SYSTEM
    Computer: SORVI
    Description:
    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: useraccount
    Domain: OURDOMAIN
    Logon Type: 3
    Logon Process: IAS
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name:
    Caller User Name: SERVERNAME$
    Caller Domain: OURDOMAIN
    Caller Logon ID: (0x0,0x3E7)
    Caller Process ID: 832
    Transited Services: -
    Source Network Address: -
    Source Port: -

    Pretty much the only thing I've managed to dig out from these error messages is that the caller process ID refers to svchost.exe.

    The server that's getting the logon attempts is 2003 SP2, and it has the roles of 2nd DC and also email server (I know, bad practice, but this is due to change). In addition it runs secondary DNS and DHCP services.

    Where should I start looking for the source of the logons? My guess is that this is caused by a misconfigured mobile phone still trying to check the email.


    Mikko Koskenkorva
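The two records above show why the source is hard to find from the DC's own log: in both, every origin field (Source Workstation, Workstation Name, Source Network Address) is blank or "-", and the only lead is the Logon Process (IAS) and the caller process on the server itself. The script below is an added example for this thread, not code from the posts; it parses events exported in the "Key: Value" layout shown above, tallies Failure Audit records by account and source, and lists separately the ones where the DC recorded no source, keyed by the logon process that submitted the request so you can see which service's own logs to check next. The sample records are constructed: the first two mirror the shape of the events in the question, and the third (with a workstation name and address) is invented so the attribution path has something to show.

```python
"""Tally failed-logon Security events exported as text (Windows 2003-era IDs 529/680).

Added example for this thread, not code from the original posts. Records are
expected in the "Key: Value" layout used in the question; the sample below is
constructed (the third record, its host name and address are made up).
"""
import re
from collections import Counter

# Constructed sample: two records shaped like the ones in the question (no source
# recorded) plus an invented third one that does carry a source address.
SAMPLE_LOG = r"""
Event Type: Failure Audit
Event ID: 680
Date: 22.3.2012
Time: 13:55:36
Computer: SERVERNAME
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: useraccount
Source Workstation:
Error Code: 0xC000006A

Event Type: Failure Audit
Event ID: 529
Date: 22.3.2012
Time: 13:55:36
Computer: SERVERNAME
Reason: Unknown user name or bad password
User Name: useraccount
Domain: OURDOMAIN
Logon Type: 3
Logon Process: IAS
Workstation Name:
Caller Process ID: 832
Source Network Address: -
Source Port: -

Event Type: Failure Audit
Event ID: 529
Date: 22.3.2012
Time: 13:57:02
Computer: SERVERNAME
Reason: Unknown user name or bad password
User Name: useraccount
Domain: OURDOMAIN
Logon Type: 3
Logon Process: NtLmSsp
Workstation Name: PHONE-01
Source Network Address: 192.0.2.10
Source Port: 3456
"""

FIELD = re.compile(r"^([A-Za-z][A-Za-z /]*?):\s*(.*)$")
SOURCE_KEYS = ("Source Network Address", "Workstation Name", "Source Workstation")


def parse_events(text):
    """Split exported text into blank-line-separated records of field -> value."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            m = FIELD.match(line.strip())
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if "Event ID" in fields:
            events.append(fields)
    return events


def account_of(ev):
    # Event 680 names the account as "Logon account"; 529 uses "User Name".
    return ev.get("Logon account") or ev.get("User Name") or "?"


def source_of(ev):
    """First populated origin field; both '' and '-' mean 'not recorded'."""
    for key in SOURCE_KEYS:
        value = ev.get(key, "")
        if value and value != "-":
            return value
    return None


def summarize(events):
    """Count Failure Audit records by (account, source). Records with no source
    are counted by (account, event id, logon process) instead, so the service
    that submitted the request is at least visible."""
    by_source, unattributed = Counter(), Counter()
    for ev in events:
        if ev.get("Event Type") != "Failure Audit":
            continue
        acct, src = account_of(ev), source_of(ev)
        if src:
            by_source[(acct, src)] += 1
        else:
            unattributed[(acct, ev["Event ID"], ev.get("Logon Process", "n/a"))] += 1
    return by_source, unattributed


if __name__ == "__main__":
    attributed, unattributed = summarize(parse_events(SAMPLE_LOG))
    for (acct, src), n in attributed.most_common():
        print(f"{n:4d}  {acct:<16} from {src}")
    for (acct, eid, proc), n in unattributed.most_common():
        print(f"{n:4d}  {acct:<16} event {eid} via {proc}: no source recorded")
```

Run it against the sample and the two records from the question land in the "no source recorded" bucket, one via IAS and one with no logon process at all, while only the invented third record yields an address that a firewall rule could act on. When the DC's own events look like the first two, the next place to look is the log of the service named in Logon Process, since that service received the client connection and the DC only saw the forwarded credential check.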

All replies

  • Thursday, March 22, 2012 19:20

    Mikko,

    Open ADUC on a machine with Exchange System Manager installed, and access the properties of the user in question. Select the Exchange Features tab and disable all Mobile Services and Protocols. This should restrict any access that that user still has tied to a mobile device.

  • Monday, March 26, 2012 10:40

    Hi,

    I've already deleted the user account. I'm not worried about the user getting logged in, only about the flood of alerts he's causing in the server logs. I'd like to trace the source IP address of the requests to block it on the hardware firewall standing watch on our perimeter.

    -Mikko


    Mikko Koskenkorva