On Wed, 21 Oct 2009 08:36:20 -0700 (PDT), linux
<sachidananda.b@gmail.com> wrote:
| Quote: |
Hi Team,
On a couple of machines running 2003 Server, we find the security log
file getting filled quickly.
In our environment we have to preserve 90 days of logs, but it gets
filled up in 3 - 4 days and it has been difficult to back it up very
frequently.
We notice the security log file is getting filled with 10 - 15 failed audits
every second.
Event Description
Source: Security
Category: Account Logon
Type: Failure Aud
Event ID: 680
User NT AUTHORITY\SYSTEM
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Administrator
Error Code: 0xC000006A
Another Type
Event Description
Source: Security
Category: Logon/Logoff
Type: Failure Aud
Event ID: 529
User: NT AUTHORITY\SYSTEM
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
From these events we got to know the workstation name causing this
problem.
There were continuous attempts made to access ports 445 and 139. Process
ID was 0.
Need help to identify and fix this threat.
|
Maybe check the services to see if any are using "administrator"
rather than "system". If the "administrator" password was changed
for the user but not the service, this can happen.
Or look here:
http://www.eventid.net/display.asp?eventid=680&eventno=2267&source=Security&phase=1
for other suggestions on what can cause the 680.
Mike
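
Added example, not part of the original thread: Python that tallies event 680 failures by source workstation, account and error code, so one host repeating a wrong password for a single account (the stale-credential case suggested in the reply) stands out from failures spread across many account names. The records in SAMPLE, the host and account names, the one-record-per-line layout and the threshold are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict

WRONG_PASSWORD = "0xC000006A"  # NTSTATUS: account exists, password is wrong
# Constructed sample: event 680 fields as in the post, plus the event's
# "Source Workstation" field. Host and account names are made up.
SAMPLE = """\
Event ID: 680 Logon account: Administrator Source Workstation: WKSTN-07 Error Code: 0xC000006A
Event ID: 680 Logon account: Administrator Source Workstation: WKSTN-07 Error Code: 0xC000006A
Event ID: 680 Logon account: Administrator Source Workstation: wkstn-07 Error Code: 0xc000006a
Event ID: 680 Logon account: jsmith Source Workstation: WKSTN-12 Error Code: 0xC000006A
Event ID: 680 Logon account: admin Source Workstation: WKSTN-31 Error Code: 0xC0000064
Event ID: 680 Logon account: test Source Workstation: WKSTN-31 Error Code: 0xC0000064
Event ID: 680 Logon account: guest Source Workstation: WKSTN-31 Error Code: 0xC0000064
"""

RECORD = re.compile(
    r"Logon account:\s*(?P<account>\S+)\s+"
    r"Source Workstation:\s*(?P<host>\S+)\s+"
    r"Error Code:\s*0[xX](?P<code>[0-9A-Fa-f]{8})"
)

def tally(text):
    """Count failures per (workstation, account, error code)."""
    counts = Counter()
    for m in RECORD.finditer(text):
        key = (m["host"].upper(), m["account"].lower(), "0x" + m["code"].upper())
        counts[key] += 1
    return counts

def triage(text, threshold=3):
    """Return (host, failures, accounts, hint) for hosts at or over threshold."""
    per_host = defaultdict(list)
    for (host, account, code), n in tally(text).items():
        per_host[host].append((account, code, n))
    findings = []
    for host, rows in sorted(per_host.items()):
        total = sum(n for _, _, n in rows)
        if total < threshold:
            continue
        accounts = sorted({a for a, _, _ in rows})
        if len(accounts) == 1 and {c for _, c, _ in rows} == {WRONG_PASSWORD}:
            hint = "one account, wrong password: check this host for a stale credential"
        else:
            hint = "several accounts or other errors: review as password guessing"
        findings.append((host, total, accounts, hint))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

The hint is a heuristic for where to look first; a single-account, wrong-password pattern does not by itself rule out guessing against that account.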