Hello All,
I am a bit concerned here. I am getting nailed with failed logins by the thousands. They happen so fast that there are several failures within the same second. They have either event ID 529 or 680. They don't include the IP address of the source, which is what really bugs me. I don't know how to figure out the root of this problem. I will paste an example below:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 6/11/2013
Time: 8:47:46 AM
User: NT AUTHORITY\SYSTEM
Computer: CENSORED
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: SUPPORT_388945a0
Domain:
Logon Type: 2
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: CENSORED
Caller User Name: VALID DOMAIN USER
Caller Domain: DDS
Caller Logon ID: (0x1,0x4378D60E)
Caller Process ID: 19988
Transited Services: -
Source Network Address: -
Source Port: -
Please note that I censored the computer name and the user. The user is a valid domain user, however.
Any ideas where I should start? Thank you.