On Wed, 21 Oct 2009 08:36:20 -0700 (PDT), linux wrote:
>Hi Team,
>
>On a couple of machines running 2003 Server, we find the security log
>file getting quickly filled.
>In our environment we have to preserve 90 days of logs, but it gets
>filled up in 3 - 4 days and it has been difficult to back it up very
>frequently.
>
>We notice the security log file is getting filled with 10 - 15 failed audits
>every second.
>Event Description
>Source: Security
>Category: Account Logon
>Type: Failure Aud
>Event ID: 680
>User NT AUTHORITY\SYSTEM
>Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>Logon account: Administrator
>Error Code: 0xC000006A
>
>Another Type
>
>Event Description
>Source: Security
>Category: Logon/Logoff
>Type: Failure Aud
>Event ID: 529
>User: NT AUTHORITY\SYSTEM
>Logon Failure:
>Reason: Unknown user name or bad password
>User Name: Administrator
>logon Type: 3
>Logon Process: NtLmSsp
>Authentication Package: NTLM
>
>By these events we got to know the Workstation Name causing this
>problem.
>
>There were continuous attempts made to access ports 445 and 139. Process
>ID was 0.
>
>Need help to identify and fix this threat.
>
Maybe check the services to see if any are using "administrator"
rather than "system"... If the "administrator" password was changed
for the user but not the service, this can happen.
Or look here:
http://www.eventid.net/display.asp?e...curity&phase=1
for other suggestions on what can cause the 680.
Mike
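
The service check suggested in the reply above, as an added example that is not part of the original thread: it lists services whose logon account is an Administrator account rather than a built-in service identity. The function name `Get-AdministratorService` is hypothetical, and the script assumes PowerShell 2.0 or later and WMI access with administrative rights on each queried host.

```powershell
# Added example (not from the thread): find services that log on as an
# "Administrator" account instead of LocalSystem or another built-in identity.
function Get-AdministratorService {   # hypothetical helper name
    param(
        # Hosts to query; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    foreach ($computer in $ComputerName) {
        try {
            # Win32_Service.StartName is the account the service logs on as.
            $services = Get-WmiObject -Class Win32_Service `
                                      -ComputerName $computer -ErrorAction Stop
        }
        catch {
            # Unreachable host or access denied: report it and keep going.
            Write-Warning "Could not query ${computer}: $($_.Exception.Message)"
            continue
        }

        # Matches .\Administrator, DOMAIN\Administrator, Administrator@domain
        # and a bare "Administrator" (-match is case-insensitive).
        $services |
            Where-Object { $_.StartName -match '(^|\\)Administrator(@|$)' } |
            Select-Object @{ Name = 'Computer'; Expression = { $computer } },
                          Name, DisplayName, StartName, StartMode, State
    }
}

# Local machine:
Get-AdministratorService | Format-Table -AutoSize

# Several hosts at once; replace the names with your own, for example the
# workstation named in the 529 events:
# Get-AdministratorService -ComputerName 'HOST-A', 'HOST-B' | Format-Table -AutoSize
```

Any service it returns is a candidate for the stale-password case described in the reply: compare it against when the Administrator password was last changed.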