Re: Thousands of Failed logon audits

I get something like this happening from a local user machine at various
times through the night.

His machine isn't a member of the domain and he doesn't login to the domain
except through outlook 2003 which I assume is what is causing the notes in
event viewer... Either that or the machine has a virus/worm/trojan that is
trying to pick the servers locks... I'll post the log entries later to see if
they are the same or similar...

"Darran" wrote:

There are no ports forwarded and FTP is not enabled.


"Merv Porter [SBS-MVP]" wrote:

Is FTP running on the SBS server or ports 20, 21 forwarded from the router
to the server ?

--
Merv Porter [SBS-MVP]
============================

"Darran" <Darran@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2FF1A559-31C6-4AA8-8B9B-9F73E5599912@xxxxxxxxxxxxxxxx
Evening, I am running SBS2003 and checking my security log I have
discovered
thousands of failed logon records. They all look as though it is coming
from
something within the server rather than an attack from the outside. The
details are:

Logon Failure:
Reason: Unknown user name or bad password
User Name: admin
Domain: SAMANDDARRAN
Logon Type: 8
Logon Process: IIS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: EVO
Caller User Name: EVO$
Caller Domain: SAMANDDARRAN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 648
Transited Services: -
Source Network Address: -
Source Port: -

The username on the whole is either admin or administrator but I did not
at
the bottom it seemed to try every known name beginning with 'A' (aaron,
aron,
abby etc..). This has only occured for the last 3 days or so and not all
today but it is concerning. Whether it is relevant or not but each machine
that logs onto the network pauses for approx 2 mins or so on the 'Applying
personal Settings' stage.. could be relevant, could not.

Any suggestions?

Thank you very much in advance.



.

Relevant Pages

  • Re: ISA SERVER NOT STARTING
    ... I delete the nat/basic firewall and stop and started the RRAS an tried to ... There were no critical events in the DNS Server Log in the last 24 hours. ... An error occurred during logon ... Caller User Name: - ...
    (microsoft.public.windows.server.sbs)
  • Re: Event ID 529
    ... First is a hardware firewall that sits on the perimeter of your network and requires that your users give user names and passwords, different from those for the network. ... Sometimes the Logon Type is different, also the User Name can be ... Computer: <SERVER NAME> ... Caller User Name: $ ...
    (microsoft.public.windows.server.sbs)
  • Re: Another security question/issue.
    ... Time to audit your server and workstations with AV, Malware, and installed ... Logon Process: Advapi ... Caller User Name: servername$ ... Source Port: - ...
    (microsoft.public.windows.server.sbs)
  • Re: Logon 529 Errors
    ... Default SMTP Virtual Server properties-Access tab-Relay ... Connection filtering is different from what inna is attempting, ... These are almost surely SMTP logon attempts, ... Caller User Name: DELLSERVER$ ...
    (microsoft.public.windows.server.sbs)
  • Re: Logon 529 Errors
    ... connection has been found on the black list, my DNS server ... Connection filtering is different from what inna is attempting, ... These are almost surely SMTP logon attempts, ... Caller User Name: DELLSERVER$ ...
    (microsoft.public.windows.server.sbs)