Event 680 excessively logged on 2003 DC

[T3st1ng]

Hello,

The Security Log on one of my 2003 DC's is filling up with a ton of 680 events, coming from the same source workstation, but with all different variables at the end of the machine name. For example, if the machine name
is server1, the sources vary such as server1x, server1R, server10, server1G, etc.. The user name indicated in the event is consistent and belongs to someone in our domain.

The actual event being logged is as follows:

Source: Security
Category: Account Logon
Type: Failure Audit
Event ID: 680
User: NT Authority\System
Computer: "DOMAINCONTROLLER"
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: "user1"
Source Workstation: "server1X" (** this field varries, as indicated in my
problem description above)
Error Code: 0xC000006A


Does anyone have any idea why this may be occuring, if its malicious, etc.?

 

[benzgc]

Here is a site for Event Id's and some info on that Event.
Hope this helps.

i

http://www.eventid.net/display.asp?eventid=680&eventno=2267&source=Security&phase=1s

a site and some info on that event ID:

BENZ
"Non erravi perniciose!

 

[benzgc]

Let's try that again:

http://www.eventid.net/display.asp?eventid=680&eventno=2267&source=Security&phase=1

BENZ
"Non erravi perniciose!

 

[T3st1ng]

I already checked that site. I can't find anything that would explain why the source workstation name would change that like.

 

[WANguy2k]

Not sure why the machine name is changing, but 0xC000006A indicates a bad user ID/password combination. Are you sure you don't have a user ID and password programmed into an application on the computer that's trying to make a connection? Also, do you have a persistent drive mapped with alternate credentials? Is the Windows Welcome Screen turned on? (See

http://support.microsoft.com/kb/q305822/)

What about the User ID? Does it change in the even IDs if you logon with a different ID or does it stay the same?