I am trying to track down the source of around 500 login failures everyday I am seeing in our security event log (see 2 event logs below). I am trying to determine if these are originating from inside our network
or outside ?. What annoys me is that there is never a source IP address in these events which i can use to trace it. MERCURY is the Server which is being targeted ..its win 2003 R2 SP2 belongs to a WORKGROUP not part of Domain
Any advice how to track this down, or an explanation of what I am seeing here would be greatly appreciated.
Thanks!
Event ID 529
Logon Failure:
Reason: Unknown user name or bad password
User Name: WCUser
Domain:
Logon Type: 2
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: MERCURY
Caller User Name: NETWORK SERVICE
Caller Domain: NT AUTHORITY
Caller Logon ID: (0x0,0x3E4)
Caller Process ID: 3724
Transited Services: -
Source Network Address: -
Source Port: -
Event 680
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: WCUser
Source Workstation: MERCURY
Error Code: 0xC0000064