How do you track down Server 2003 failure audits???

Networking/Security Forums -> Computer Forensics and Incident Response

Author: decoy5657 PostPosted: Tue Jan 27, 2009 6:29 pm    Post subject: How do you track down Server 2003 failure audits???
    ----
We are getting a lot of these type errors for different usernames that actually exist on our domain. Not the usual admin/guest/user/administrator brute force stuff.

How can I decipher what's going on here? without any source/target info it is difficult to understand.

Code:
Source    Event ID    Last Occurrence    Total Occurrences   
  Security    529    1/26/2009 5:20 PM    7 *   
Logon Failure:   
    Reason:   Unknown user name or bad password   
    User Name:   realusername   
    Domain:       
    Logon Type:   3   
    Logon Process:   Advapi   
    Authentication Package:   MICROSOFT_AUTHENTICATION_PACKAGE_V1_0   
    Workstation Name:   PRIMARY   
    Caller User Name:   PRIMARY$   
    Caller Domain:   realdomain   
    Caller Logon ID:   (0x0,0x3E7)   
    Caller Process ID:   5236   
    Transited Services:   -   
    Source Network Address:   -   
    Source Port:   -   



Networking/Security Forums -> Computer Forensics and Incident Response


output generated using printer-friendly topic mod, All times are GMT + 2 Hours

Page 1 of 1

Powered by phpBB 2.0.x © 2001 phpBB Group