Event ID 529, I think someone is trying to break into my server

    Hi.
    I get this message every day on the daily report (see attached).
    Usually it's from the same computer name (it's one that I don't have on my network) and sometimes it's a different one.
    One day it occurs 50 times and another day 5000 times.
    Is someone trying to gain access to my server?
    I have a domain and it's not a workgroup (as you can see on the jpg).

    Usually the workstation name is:

    lQPxf2ISQgEV1bGK

    or: HOME-086789DA12
    and so on.

    I've got SBS 2003 SP2 with NOD32.
    Thanks a lot
    asi
    Last edited by asi; 17th October 2009, 22:45.
    MCP, MCSA 2003, MCSE 2003

  • #2

    Sounds like a virus to me. Do you have a workstation on your LAN by the name lQPxf2ISQgEV1bGK? That looks like a randomly generated string, which is common with viruses.


    • #3

      No such workstation at all.
      In fact, all of the workstation names I get on this error (which are usually the ones mentioned above) are not a part of my network.
      MCP, MCSA 2003, MCSE 2003


      • #4

        By the way, I ran SysInspector (by ESET), sent the log file to ESET support, and they said that the computer is clean.
        MCP, MCSA 2003, MCSE 2003


        • #5

          Hi,
          It doesn't necessarily mean that your computer is infected. What it means is that an attempt to log on via the network has been made. I would start worrying if there are any 528 events logged, which mean the attempt has been successful.
          It looks like a dictionary attack to me, so I'd start service hardening the machine, changing the admin password to a long and complex one if not already done (or, better, disable it), disable the guest account, etc., and start tracing back the perpetrator.

          Cheers
          Caesar's cipher - 3

          ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

          SFX JNRS FC U6 MNGR


          • #6

            Hi,
            The admin pass is already a complex one.
            The guest account was already disabled, and how do I "trace back the perpetrator"??

            Is there any tool for that?

            By the way, all of them begin with the same IP: 94.159.xxx.xxx, which by the way is the beginning of my fixed IP.

            Thanks
            Last edited by asi; 20th October 2009, 07:23.
            MCP, MCSA 2003, MCSE 2003


            • #7

              Well, I can narrow it down for you based on the info you give. It's either in Russia or Israel, depending on the third octet of the IP address.
              Try http://www.dnsstuff.com/ for more.
              There are loads of security tools out there, but to be on the safe side of the law, I would suggest you contact your ISP and have handy as many details as possible.
              It may turn out that the source machine is a victim themselves and is acting as a "man in the middle".

              Cheers
              Caesar's cipher - 3

              ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

              SFX JNRS FC U6 MNGR
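
Added example, not part of the original thread or any poster's code: a sketch of the triage discussed above, counting 529 failures per source, listing workstation names that are not in the network's inventory, and flagging any 528 success that follows repeated failures from the same source. The CSV column layout, the host inventory, the threshold and all sample rows are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows (not taken from the thread's logs). The column layout
# is an assumed export format; the IP addresses are documentation ranges.
SAMPLE = """event_id,user,workstation,source_ip
529,administrator,lQPxf2ISQgEV1bGK,203.0.113.10
529,admin,lQPxf2ISQgEV1bGK,203.0.113.10
529,backup,lQPxf2ISQgEV1bGK,203.0.113.10
529,test,HOME-086789DA12,203.0.113.77
529,jsmith,PC-01,192.0.2.21
528,jsmith,PC-01,192.0.2.21
529,guest,HOME-086789DA12,203.0.113.77
528,backup,lQPxf2ISQgEV1bGK,203.0.113.10
"""
KNOWN_HOSTS = {"SBS-SERVER", "PC-01", "PC-02"}  # hypothetical inventory


def triage(csv_text, known_hosts, min_failures=3):
    """Summarise 529 failures per source; flag 528 successes that follow them."""
    known = {h.upper() for h in known_hosts}
    fails = defaultdict(lambda: {"count": 0, "users": set(), "hosts": set()})
    alerts = []  # (source_ip, user) pairs that need immediate review
    for row in csv.DictReader(io.StringIO(csv_text)):
        src = row["source_ip"]
        if row["event_id"] == "529":
            fails[src]["count"] += 1
            fails[src]["users"].add(row["user"].lower())
            fails[src]["hosts"].add(row["workstation"])
        elif (row["event_id"] == "528" and src in fails
              and fails[src]["count"] >= min_failures):
            # A success after repeated failures from the same source: the
            # guessing may have worked, so this logon must be verified.
            alerts.append((src, row["user"]))
    report = [
        {"source": src,
         "failures": f["count"],
         "users_tried": sorted(f["users"]),
         "unknown_hosts": sorted(h for h in f["hosts"] if h.upper() not in known)}
        for src, f in fails.items()
    ]
    report.sort(key=lambda r: -r["failures"])  # noisiest source first
    return report, alerts


if __name__ == "__main__":
    summary, flagged = triage(SAMPLE, KNOWN_HOSTS)
    for entry in summary:
        print(entry)
    print("528 after repeated 529 from:", flagged)
```

The single failure followed by a success from PC-01 stays below the threshold and is not flagged, which keeps ordinary mistyped passwords out of the alert list.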
