Unknown User Logon attempt



Samhain_Knight
07-09-2005, 10:53 PM
I'm trying to track down a user logon attempt on one of my servers.
W2k AD environment
Whenever I reboot one of my member servers I get an event 681/529. What
scares me is that the username attempting to logon is called "secret". I know
for sure it's not a domain user account nor a local user account on the
server. I'm trying to find more info on this user. I only receive this event
when I reboot the server as if it's a service starting up. I don't see any
unknown services running on the server though? Any suggestions how to best
troubleshoot this? Here's a copy of the event:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 6/11/2005
Time: 9:10:31 AM
User: NT AUTHORITY\SYSTEM
Computer: EVANS10
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Secret
Domain:
Logon Type: 2
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: "member server"

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 681
Date: 6/11/2005
Time: 9:10:31 AM
User: NT AUTHORITY\SYSTEM
Computer: member server
Description:
The logon to account: Secret
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: member server
failed. The error code was: 3221225572

Thanks
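
An added Python example, not from this thread, that parses the two event texts above (sample text constructed from the post and trimmed to the fields used), renders the decimal error code of the 681 as its NTSTATUS name, and flags a 529 whose Logon Process is Advapi and whose caller is SYSTEM as a local process calling the LogonUser API. The small NTSTATUS and logon-type tables are the standard Windows values, not something the page lists.

```python
import re

# NTSTATUS values seen in the 681 "error code" field: the Win2k event text
# shows them in decimal, Microsoft's documentation lists them in hex.
NTSTATUS = {0xC0000064: "STATUS_NO_SUCH_USER", 0xC000006A: "STATUS_WRONG_PASSWORD",
            0xC0000072: "STATUS_ACCOUNT_DISABLED", 0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT"}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 10: "RemoteInteractive", 11: "CachedInteractive"}

# Constructed sample: the two events from the post, trimmed to the fields used.
EVENT_529 = """Event ID: 529
User: NT AUTHORITY\\SYSTEM
User Name: Secret
Logon Type: 2
Logon Process: Advapi
Workstation Name: "member server"
"""
EVENT_681 = """Event ID: 681
The logon to account: Secret
from workstation: member server
failed. The error code was: 3221225572
"""

def parse_event(text):
    """Split the 'Key: value' lines of a copied Event Viewer entry into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip().strip('"')
    m = re.search(r"error code was:\s*(\d+)", text)
    if m:
        fields["Error Code"] = int(m.group(1))  # decimal NTSTATUS
    return fields

def explain_status(code):
    """Render the decimal error code of a 681 event as hex plus NTSTATUS name."""
    return "0x%08X %s" % (code, NTSTATUS.get(code, "UNKNOWN"))

def triage(logon_event, account_event):
    """Pair a 529 with its 681 and characterise the caller and the failure."""
    e529, e681 = parse_event(logon_event), parse_event(account_event)
    # Advapi = LogonUser API; a SYSTEM caller at boot means a local service or
    # startup program on this host supplied the credential, not a remote peer.
    local = e529["Logon Process"] == "Advapi" and e529["User"].endswith("SYSTEM")
    return {"account": e529["User Name"],
            "logon_type": LOGON_TYPES.get(int(e529["Logon Type"]), "?"),
            "status": explain_status(e681["Error Code"]),
            "local_caller": local}
```

For the posted events the status decodes to STATUS_NO_SUCH_USER, so the account genuinely does not exist anywhere the server can see; a stored credential for a name that was never created, rather than a bad password, is what to look for in services and startup entries.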

Srikrishna Komatineni
07-09-2005, 10:53 PM
http://support.microsoft.com/?kbid=837142
http://support.microsoft.com/default.aspx?scid=kb;en-us;326985&sd=tech

Hope these help in some way...


-------------------------------------------------
Srikrishna Komatineni

"Samhain_Knight" <Samhain_Knight@discussions.microsoft.com> wrote in message
news:F8BC53E0-A105-4EDA-9BEB-90A614273641@microsoft.com...

Steven L Umbach
07-09-2005, 10:53 PM
Try booting into safe mode to see whether those events are recorded or not. More
than likely something is using that user account. You could also try
rebooting with the computer disconnected from the network to see if those
events are recorded and if they are you know for sure it is internally
generated. I would also be sure to run a full system scan for malware. There
is a tool that is used to troubleshoot account lockouts that may help as it
creates a log that shows when a user is trying to authenticate and the
associated process with times recorded to match to the security log. Also
check to see if any mapped drives have persistent credentials associated
with them. The link below is to the alockout.dll tool [be sure to read
warning] and other documentation and tools that normally are used to track
domain account lockouts but still have helpful information. I would also
temporarily enable auditing of object access, privilege use, and process
tracking for failure on that server to see if that helps pinpoint what is
going on. --- Steve




"Samhain_Knight" <Samhain_Knight@discussions.microsoft.com> wrote in message
news:F8BC53E0-A105-4EDA-9BEB-90A614273641@microsoft.com...

Samhain_Knight
07-09-2005, 10:56 PM
I cleared the event log, shut down, unplugged the network cable, powered on, and
logged in using domain credentials. The same event is shown for user
"Secret". I then rebooted and logged into safe mode, keeping the network
cable unplugged, and I didn't receive the event? Since the cable is unplugged,
this must be a local process generated on the server? There are no mapped
drives on this server either. Any more input would be appreciated!

Thanks!!!

"Steven L Umbach" wrote:


Steven L Umbach
07-10-2005, 10:34 AM
There is a free tool from SysInternals called Autoruns that may help you as
it certainly looks like it is a local startup process. It shows the various
startup programs that are on your computer and also gives you the ability
to disable them individually, which you may need to do in a trial-and-error
method to try and track down what is causing your problem. It also could be
a non-essential service that is not used to boot into safe mode. Use
services.msc to check your services and look in the "Log On As" column to see
if you can see anything there that may help. You can also selectively
disable services with msconfig. If you are using Windows 2000 you will not
have msconfig but you can download it from the internet. --- Steve

http://www.sysinternals.com/Utilities/Autoruns.html --- Autoruns
http://www.perfectdrivers.com/howto/msconfig.html --- Msconfig

"Samhain_Knight" <samhain.knight@gmail.com> wrote in message
news:F64A7BF1-543A-4F21-932D-94BD7FD84E0E@microsoft.com...