I recently created a FTP site to enable uploading of pictures for my blog entries by Word 2007 and suddenly I started getting lots of errors on my system. They took the form of:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 09/06/2006
Time: 08:01:31
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: calvin
Domain: XXXXXXXXXX
Logon Type: 8
Logon Process: IIS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER
Caller User Name: SERVER$
Caller Domain: OVERTONHOME
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 564
Transited Services: -
Source Network Address: -
The reason why this error log scared me so much was because the security login was coming from my server. This made me think that someone had put something nasty on my box. It turned out with very little digging that this was actually the FTP service trying to authenticate, failing and therefore failing. Calvin is a bad boy and I will be tracking him down through logs!!
As a hint the FTP service was also throwing up errors, so this was not hard to find, just scary as I worry about security alerts before application ones.
The error from FTP was in the application log and was as follows:
Event Type: Warning
Event Source: MSFTPSVC
Event Category: None
Event ID: 100
Date: 09/06/2006
Time: 08:05:20
User: N/A
Computer: SERVER
Description:
The server was unable to logon the Windows NT account 'calvin' due to the following error: Logon failure: unknown user name or bad password. The data is the error code.
Data:
0000: 2e 05 00 00 ....
ttfn
David
Posted
Fri, Jun 9 2006 9:54 AM
by
David Overton