How to find out where user logon attempts are coming from?

    Question

    Hi!

    We have a case where I'm getting logon attempts from an account that belonged to an ex-employee who had administrator status. The person has now left our company and my server's security log is flooded with Failure Audit logon events. The person's account was first disabled and is now deleted.

    There are two error messages I'm seeing on our secondary DC's security event logs:

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Account Logon 
    Event ID: 680
    Date: 22.3.2012
    Time: 13:55:36
    User: NT AUTHORITY\SYSTEM
    Computer: SERVERNAME
    Description:
    Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon account: useraccount
    Source Workstation:
    Error Code: 0xC000006A

    And the second error message:

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Logon/Logoff 
    Event ID: 529
    Date: 22.3.2012
    Time: 13:55:36
    User: NT AUTHORITY\SYSTEM
    Computer: SORVI
    Description:
    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: useraccount
    Domain: OURDOMAIN
    Logon Type: 3
    Logon Process: IAS
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name:
    Caller User Name: SERVERNAME$
    Caller Domain: OURDOMAIN
    Caller Logon ID: (0x0,0x3E7)
    Caller Process ID: 832
    Transited Services: -
    Source Network Address: -
    Source Port: -

    Pretty much the only thing I've managed to dig out from these error messages is that the caller process ID refers to svchost.exe.

    The server that's getting the logon attempts is 2003 SP2 and it has the roles of 2nd DC and also email server (I know, bad practice, but this is due to change). In addition it runs secondary DNS and DHCP services.

    Where should I start looking for the source of the logons? My guess is that this is caused by a misconfigured mobile phone still trying to check the email.


    Mikko Koskenkorva

    Thursday, March 22, 2012 12:45
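One way to narrow down where the failed logons are coming from, as an added example that is not part of the original post: pull the 529/680 Failure Audit events for the account from the DC's security log and tally them by Logon Process, Workstation Name and Source Network Address. It assumes PowerShell 2.0 on the 2003 DC; the account name and computer name are placeholders.

```powershell
# Added example (not from the original post): tally failed logon attempts for one account
# on a Windows Server 2003 DC by Logon Process / Workstation / Source Network Address so
# the origin of the attempts can be narrowed down. Assumptions: PowerShell 2.0 on the DC,
# 'useraccount' and the DC name are placeholders.
param(
    [string]$Account  = 'useraccount',
    [string]$Computer = $env:COMPUTERNAME,
    [int]$Hours       = 24
)

$since = (Get-Date).AddHours(-$Hours)

function Get-Field([string]$Message, [string]$Name) {
    # Pull "Name:<tab>value" out of the classic event description; '-' when the field is empty.
    if ($Message -match "(?m)^\s*${Name}:\s*(.*?)\s*$") {
        if ($matches[1]) { return $matches[1] }
    }
    return '-'
}

# 529 = logon failure (unknown user name or bad password), 680 = NTLM credential validation failure.
$events = Get-EventLog -LogName Security -ComputerName $Computer -EntryType FailureAudit -After $since |
    Where-Object {
        ($_.EventID -eq 529 -or $_.EventID -eq 680) -and
        $_.Message -match "(?m)^\s*(User Name|Logon account):\s*${Account}\s*$"
    }

$events | ForEach-Object {
    New-Object PSObject -Property @{
        Time          = $_.TimeGenerated
        EventID       = $_.EventID
        LogonProcess  = Get-Field $_.Message 'Logon Process'
        Workstation   = Get-Field $_.Message '(?:Workstation Name|Source Workstation)'
        SourceAddress = Get-Field $_.Message 'Source Network Address'
        CallerPID     = Get-Field $_.Message 'Caller Process ID'
    }
} | Group-Object LogonProcess, Workstation, SourceAddress |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

When the largest group shows Logon Process IAS with an empty workstation and source address, as in the events quoted above, the attempts arrived as RADIUS requests, so the requesting client's address is recorded in the IAS request log (by default under %SystemRoot%\System32\LogFiles) rather than in the security log.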

All replies