Posted by Arek Iskra [MVP] on December 2, 2005, 10:44 pm
> I am running Server 2003 Standard edition as a public webserver.
> Recently the server has been experiencing numerous login attempts
> resulting in the following audit log:
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 537
> Date: 12/2/2005
> Time: 7:54:35 AM
> User: NT AUTHORITY\SYSTEM
> Computer: LONGS
> Description:
> Logon Failure:
> Reason: An error occurred during logon
> User Name: IUSR_WINSERVER2003
> Domain: *****
> Logon Type: 3
> Logon Process: ?Q
> Authentication Package: NTLM
> Workstation Name: *****
> Status code: 0xC000006D
> Substatus code: 0x0
> Caller User Name: -
> Caller Domain: -
> Caller Logon ID: -
> Caller Process ID: -
> Transited Services: -
> Source Network Address: **.***.***.***
> Source Port: 0
>
> The question I have is, how is this logon event occurring? The source
> network address has the ip of the server itself, which would seem to
> mean that whoever (or whatever) is trying to log in is doing so from the
> actual machine?
>
> What does the ?Q mean as a logon process?
>
> Any answers or links would be much appreciated.
>
> Thanks much,
> Dan Hopkins
>
Is this server running IIS? The logon account is the IUSR_<server name>.
Someone (or something - an application or process for example) seems to be
failing to authenticate.
--
Arek Iskra
MVP for Windows Server - Software Distribution
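
A first-pass triage of an event like the one quoted above, as an added example that is not part of the original thread: it decodes the logon type and status code and checks the two points the question and the reply raise (an IUSR_ account, and a source address that belongs to the server itself). The function names, the `local_addresses` parameter and the sample's domain and address values are assumptions made for illustration.

```python
import re

# Well-known Windows values; the tables are kept deliberately small.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 10: "RemoteInteractive"}
NTSTATUS = {0xC000006D: "STATUS_LOGON_FAILURE",
            0xC000006A: "STATUS_WRONG_PASSWORD",
            0xC0000064: "STATUS_NO_SUCH_USER"}

# Constructed sample in the layout of the quoted event. The domain and
# address are placeholders because the post masks the real values.
SAMPLE_EVENT = """\
Event ID: 537
Computer: LONGS
Description:
Logon Failure:
Reason: An error occurred during logon
User Name: IUSR_WINSERVER2003
Domain: EXAMPLE
Logon Type: 3
Authentication Package: NTLM
Status code: 0xC000006D
Source Network Address: 192.0.2.10
"""

def parse_event(text):
    """Turn 'Key: Value' lines into a dict; lines with no value are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if m and m.group(2):
            fields[m.group(1).strip().lower()] = m.group(2).strip()
    return fields

def triage(text, local_addresses):
    """Summarise one logon-failure event. local_addresses is the set of
    addresses the server itself owns (hypothetical parameter)."""
    f = parse_event(text)
    user = f.get("user name", "").upper()
    status = int(f.get("status code", "0"), 16)
    ltype = int(f.get("logon type", "0"))
    return {
        "logon_type": LOGON_TYPES.get(ltype, "Unknown(%d)" % ltype),
        "status": NTSTATUS.get(status, hex(status)),
        # The reply notes the account follows the IUSR_<server name> pattern.
        "iis_anonymous_account": user.startswith("IUSR_"),
        "account_matches_computer": user == "IUSR_" + f.get("computer", "").upper(),
        "source_is_this_server": f.get("source network address") in local_addresses,
    }
```

For the sample, `triage(SAMPLE_EVENT, {"192.0.2.10"})` reports a network logon that failed with STATUS_LOGON_FAILURE for an IUSR_ account whose suffix differs from the Computer field, with the source address being the server itself.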