Question : event id 539 account lockout?

I run Windows Server 2003 SBS.  Since last Tuesday I have been receiving administrative alert emails at 2 hour intervals, almost on the dot.  Very concerning since I can't see anything in the Event Viewer at these times.  I see in the Server Manager where to enable/disable this alert.  I want it enabled, but I also want to know who is getting locked out (who is trying to log in???)  Also since it happens exactly 2 hours apart, that makes me think it is automated...what kind of process or application would try to do this?  Please help me figure this out :)

Here is the pattern of the times I receive the email.  Note that there is no activity on the weekend, but when it is active, it is in exactly 2 hour intervals:

4/19      08:28:47 PM
4/19      10:28:47 PM
4/20      12:28:49 AM
4/20      02:28:49 AM
4/20      04:28:49 AM
4/20      06:28:49 AM
4/21      01:08:53 PM
4/21      03:08:53 PM
4/21      05:08:08 PM
4/22      01:08:13 PM
4/22      03:08:13 PM
4/22      05:08:13 PM
4/25      04:48:28 PM
4/25      06:48:28 PM
4/25      08:48:28 PM
4/25      10:48:28 PM
4/26      12:48:29 PM
4/26      02:48:29 AM
4/26      04:48:29 AM
4/26      06:48:29 AM
4/26      08:48:29 AM
4/26      10:48:29 AM
4/26      12:48:29 AM
4/26      02:48:29 PM
4/26      04:48:29 PM
4/26      06:48:29 PM
4/26      08:48:29 PM
4/26      10:48:29 PM
4/27      12:48:34 AM
4/27      02:48:34 AM
4/27      04:48:34 AM
4/27      06:48:34 AM
4/27      08:48:34 AM

Here is the text of the email:

-----Original Message-----
From: Envirotech [mailto:Administrator@domain.tld]
Sent: Friday, April 22, 2005 1:08 PM
To: me (the administrator)
Subject: Account Lockout (Event ID: 539) Alert on SERVER1

Alert on SERVER1 at 4/22/2005 1:08:13 PM

An account was locked out due to multiple failed logon attempts that occurred in a short period of time. This may occur if an unauthorized user attempts to gain access to the network.

For more information about this event, see the event logs on the server computer.

You can disable this alert by using the Change Alert Notifications task in the Server Management Monitoring and Reporting taskpad.

Answer : event id 539 account lockout?

It seems this computer has some spyware or a virus on it.  This is the telltale sign of malicious activity - hitting shares using default passwords trying to spread.

Download and run the following stuff:

Adaware Personal - www.lavasoftusa.com
Spybot S&D - http://www.safer-networking.org/en/download/
CWShredder - http://www.intermute.com/spysubtract/cwshredder_download.html

Also, do a full AV scan with the latest updates.

Let us know what you find.

NM
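
To answer the question's "who is getting locked out", here is an added example (not part of the original posts) that tallies event 539 records from a text export of the Security log by account and source workstation, and measures the gap between lockouts. The export layout, field labels, account names and host names in the sample are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed records: the field labels are an assumed export layout for the
# Security log; the account and workstation names are made up.
_REC = "Event ID: {}\nTime: {}\nUser Name: {}\nLogon Type: {}\nWorkstation Name: {}\n"
SAMPLE = "\n".join(_REC.format(*r) for r in [
    (539, "4/22/2005 1:08:13 PM", "jsmith", 3, "WKSTN07"),
    (529, "4/22/2005 2:15:02 PM", "backup", 3, "SERVER1"),  # not a lockout
    (539, "4/22/2005 3:08:13 PM", "jsmith", 3, "WKSTN07"),
    (539, "4/22/2005 5:08:13 PM", "jsmith", 3, "WKSTN07"),
])

# "Label: value" on one line; an empty value (common for Workstation Name)
# must not swallow the following line, so only spaces and tabs are skipped.
FIELD = re.compile(r"^[ \t]*([A-Za-z ]+?):[ \t]*(.*?)[ \t]*$", re.M)

def parse_records(text):
    """Split the export on blank lines and return one dict per record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = dict(FIELD.findall(block))
        if "Event ID" in rec and "Time" in rec:
            rec["Time"] = datetime.strptime(rec["Time"], "%m/%d/%Y %I:%M:%S %p")
            records.append(rec)
    return records

def lockout_summary(records):
    """Tally event 539 by (account, workstation) and list gaps in minutes."""
    hits = sorted((r for r in records if r["Event ID"] == "539"),
                  key=lambda r: r["Time"])
    sources = Counter((r.get("User Name") or "?", r.get("Workstation Name") or "?")
                      for r in hits)
    times = [r["Time"] for r in hits]
    gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
    return sources, gaps

if __name__ == "__main__":
    sources, gaps = lockout_summary(parse_records(SAMPLE))
    for (user, host), n in sources.most_common():
        print(f"{n} lockouts: account={user} workstation={host}")
    print("minutes between lockouts:", gaps)
```

A constant gap coming from a single workstation narrows the search to that machine, which is where the scans suggested in the answer should start.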