We were tipped off by the Alienvault alerts on Spiceworks of suspicious IP interaction. As we dug deeper we started noticing a ton of Failure Audits in the Security section of Event Viewer. These were happening from every 2-3 seconds to multiple times per second. The server that these showed up on is Server 2003 and acts as our Domain Controller and Exchange Server.
The details for the event are as follows:
- Event ID: 529
- Reason: Unknown user name or bad password
- Logon Type: 3
- Logon Process: Advapi
- Caller Logon ID: (0x0,0x3E7)
- Caller Process ID: 1572
We also looked through the SMTP logs but only found a few instances of the suspicious IP that was reported by Alienvault.
We looked at our RDP server and are not seeing the logon process constantly starting up, and we use a non-standard port for RDP.
Any tips to help figure out what is triggering all...
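One way to triage a stream like this offline, as an added example that is not code from the original post or from Spiceworks: export the Security log, group the 529 events by Caller Process ID, Logon Type and Logon Process, and flag groups whose spacing looks automated rather than human. The record layout, timestamps, user names and the second process ID (2440) are constructed assumptions; only Event ID 529, Logon Type 3, Advapi, (0x0,0x3E7) and process 1572 come from the post.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"


def _event(when, user, pid):
    """Build one constructed Event ID 529 record (hypothetical export shape)."""
    return {"time": when.strftime(FMT), "event_id": 529, "user": user,
            "logon_type": 3, "logon_process": "Advapi",
            "caller_logon_id": "(0x0,0x3E7)", "caller_pid": pid}


# Constructed sample: 12 failures from caller PID 1572 two seconds apart
# (the pattern in the post) plus two unrelated failures from a made-up PID.
BASE = datetime(2014, 3, 10, 9, 0, 0)
SAMPLE_EVENTS = (
    [_event(BASE + timedelta(seconds=2 * i), name, 1572)
     for i, name in enumerate(["administrator", "admin", "test", "sales"] * 3)]
    + [_event(BASE + timedelta(minutes=5 * j), "jdoe", 2440) for j in range(2)]
)


def summarize_529(events):
    """Group 529 records by (caller_pid, logon_type, logon_process).

    Returns per group: count, distinct user names tried, time span in seconds
    and the peak number of failures seen within any single second."""
    groups = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 529:
            groups[(ev["caller_pid"], ev["logon_type"], ev["logon_process"])].append(ev)
    summary = {}
    for key, evs in groups.items():
        times = sorted(datetime.strptime(e["time"], FMT) for e in evs)
        summary[key] = {
            "count": len(evs),
            "users": sorted({e["user"] for e in evs}),
            "span_seconds": (times[-1] - times[0]).total_seconds(),
            "peak_per_second": max(Counter(times).values()),
        }
    return summary


def flag_bursts(summary, min_count=10, max_avg_interval=3.0):
    """Return group keys that look automated: at least min_count failures with
    an average gap of max_avg_interval seconds or less between them."""
    flagged = []
    for key, s in summary.items():
        avg_gap = s["span_seconds"] / max(s["count"] - 1, 1)
        if s["count"] >= min_count and avg_gap <= max_avg_interval:
            flagged.append(key)
    return flagged


if __name__ == "__main__":
    for key, s in summarize_529(SAMPLE_EVENTS).items():
        print(key, s)
    print("suspicious:", flag_bursts(summarize_529(SAMPLE_EVENTS)))
```

The flagged tuple names the caller process to inspect on the server, and the distinct user list shows whether one account is failing or many are being cycled through.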