Re: Need to find out the IP of someone trying to hack a server



If you know that it's IIS, then it most likely is OWA or some other Website
that you have. In that case, just look at the IIS logs (System32\Logfiles).
If all the connections in the IIS logs show the IP address of the ISA server,
then check the ISA logs instead.

"Ken R" wrote:

Thanks for all this help, guys. On your test, Kevin, your logon type is
different from mine. I'm getting logon type 8, and the process is IIS.
Having trouble finding a list of logon types referenced in Event Viewer. Of
course, now that I write this, I went back and looked at the paste I did in
this newsgroup, and I actually posted logon type 4 and ADVAPI. But, going and
looking at the server event logs, that is atypical. Most are Logon 8 through
IIS.

Curiouser and curiouser.

As to the ESM, I've yet to be sitting in front of the box when it happens.
Last few days, it's only a half dozen attempts at some random time. 10-20
seconds max total time.

Thanks again!

Ken

"Kevin Longley" wrote:

I just duplicated the 529 error simply by trying to relay email through my
server using a pop3 account.

Logon Failure:
Reason: Unknown user name or bad password
User Name: admin
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: EMAILSERVER

"Phillip Windell" <@.> wrote in message
news:uj8rQ1HSGHA.5036@xxxxxxxxxxxxxxxxxxxxxxx
You think it might be a spammer trying to find credentials to allow a relay?

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com



"Kevin Longley" <kwlongley@xxxxxxxxxxxxxx> wrote in message
news:%23WhpoQHSGHA.524@xxxxxxxxxxxxxxxxxxxxxxx
Next time you have an attack, check open sessions within the Exchange System
Manager.

"Ken R" <KenR@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3F93F2E2-DA5A-448E-BDE7-1DDDC1D885B7@xxxxxxxxxxxxxxxx
Thanks for the reply, Phillip. This is an SBS box, so of course we've got
TS/RDP access to the server, plus OWA and Remote Access through Remote Web
Workplace. I've implemented strong passwords through policies some time ago,
and we have non-standard login names for common accounts, so this person is
probably banging his head against a rather small wall. Nonetheless, it would
be nice to figure out exactly how they are trying to come in, and figure out
an originating IP if one can be determined. It might very well be dynamic;
however, it also might be on someone's network that can be identified, at
which point we might just block their whole IP range for a week or two.

This is event ID 529, Category Logon/Logoff, User NT Authority\System
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: XXXXXXX
Logon Type: 4
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: XXXXXXX
Caller User Name: XXXXXXX$
Caller Domain: XXXXXX
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1212
Transited Services: -
Source Network Address: -
Source Port: -


Thanks again all!


"Phillip Windell" wrote:

"Ken R" <Ken R@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:70EFFE4E-FFBF-43ED-8473-ACE6FBFF5A5A@xxxxxxxxxxxxxxxx
We've got an SBS 2003 box that's suddenly reporting a large number of
failed logon attempts. When you check the details, they're trying common
usernames such as administrator, test, backup, admin, and so on. Very fast,
2 or 3 seconds per try, so it's probably a dictionary hack of some sort. I'd
like to find log files that denote the source IP of the failed attempts. Any
suggestions?

The IP# would be a waste of time. They probably don't have a static IP# and
all they'd have to do is reboot their machine and get a new one.

The real solution is to just make sure they are wasting their time trying.
"Logon" into what? You can't just "logon"... you have to logon to
*something*. What is it that is facing the Internet that could even accept a
logon even if they used real credentials? Since you know all the credentials,
is there anything that you can log into from the outside if you wanted to?

The primary defense against dictionary attacks is to use strong passwords so
that it would take longer than the person would be alive to "crack" the
password.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx
-----------------------------------------------------
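The first reply's procedure, worked through as an added example (this is not code from the thread or from anyone posting in it): a 529 event raised through IIS carries "Source Network Address: -", so the client IP has to be recovered from the IIS W3C log by matching 401 responses to the 529 timestamps, and if every matched hit carries the ISA server's own address then IIS only ever saw the proxy and the ISA logs are the place to look. The IIS log lines, the 529 timestamps, the addresses 203.0.113.7 and 10.0.0.2, and the zero offset between IIS (UTC) and Event Viewer (local) time are all constructed assumptions for the example.

```python
"""Correlate Security-log 529 failures with IIS W3C log entries.

Added example, not part of the original thread. Parses an IIS 6 W3C log by
its own #Fields header, matches 401 responses to 529 event times, and says
whether the hits point at a real client or only at the ISA server.
All sample data below is constructed.
"""
from collections import Counter
from datetime import datetime, timedelta

# Logon types as shown in a 529 event (documented Windows values).
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext (IIS Basic authentication)",
    10: "RemoteInteractive (Terminal Services / RDP)",
}

# Constructed IIS 6 W3C log. The first 401 is the Basic-auth challenge to a
# request sent with no credentials; only the later 401s are failed logons.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2006-03-10 14:02:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2006-03-10 14:02:01 203.0.113.7 - POST /exchange/ 401
2006-03-10 14:02:03 203.0.113.7 administrator POST /exchange/ 401
2006-03-10 14:02:05 203.0.113.7 admin POST /exchange/ 401
2006-03-10 14:02:08 203.0.113.7 test POST /exchange/ 401
2006-03-10 14:02:40 198.51.100.20 ken GET /exchange/ 200
"""

# Constructed 529 events (time, user, logon type) as read from Event Viewer.
EVENTS_529 = [
    {"time": datetime(2006, 3, 10, 14, 2, 3), "user": "administrator", "logon_type": 8},
    {"time": datetime(2006, 3, 10, 14, 2, 5), "user": "admin", "logon_type": 8},
    {"time": datetime(2006, 3, 10, 14, 2, 8), "user": "test", "logon_type": 8},
]


def parse_w3c(text):
    """Return the data rows of a W3C extended log as dicts keyed by the
    names in the #Fields directive, plus 'ts' built from date and time."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue  # other directives, blank lines, or data before #Fields
        else:
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
            rows.append(row)
    return rows


def correlate(events, requests, window=timedelta(seconds=1), iis_offset=timedelta(0)):
    """Count client IPs of 401 responses logged within `window` of a 529.

    IIS logs in UTC by default while Event Viewer shows local time, so
    iis_offset is added to the IIS timestamps to bring them into the event
    log's zone (assumed zero here). A request is counted once even if it
    falls inside the window of more than one event.
    """
    hits, seen = Counter(), set()
    for ev in events:
        for i, req in enumerate(requests):
            if i in seen or req.get("sc-status") != "401":
                continue
            if abs(req["ts"] + iis_offset - ev["time"]) <= window:
                seen.add(i)
                hits[req["c-ip"]] += 1
    return hits


def explain(hits, isa_ip=None):
    """Turn the hit counts into the next step an admin should take."""
    if not hits:
        return "no IIS 401 lines up with the 529 events; check other listeners (ESM sessions, RDP)"
    if isa_ip is not None and set(hits) == {isa_ip}:
        return f"every hit comes from the ISA server {isa_ip}; check the ISA logs for the real client"
    ip, n = hits.most_common(1)[0]
    return f"most likely source: {ip} ({n} failed logons)"


if __name__ == "__main__":
    for ev in EVENTS_529:
        print(ev["time"], ev["user"], LOGON_TYPES.get(ev["logon_type"], "unknown"))
    print(explain(correlate(EVENTS_529, parse_w3c(IIS_LOG)), isa_ip="10.0.0.2"))
```

Against a real server, feed the script the day's ex*.log from System32\LogFiles and the 529 times exported from Event Viewer, and set iis_offset to the local UTC offset first; a one-hour mismatch makes every correlation miss. Widen the window only as far as the 2 to 3 seconds per attempt the thread describes, or unrelated 401s from legitimate users start to be counted.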