Re: Help - port attacks
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa_at_pacbell.net)
Date: 04/09/04
- Next message: antispam: "Re: Remote Desktop Disconnected Error, have to try multiple times when RWW server"
- Previous message: Falcon: "Is this possible?"
- In reply to: Mike DeLong: "Re: Help - port attacks"
- Next in thread: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: Help - port attacks"
- Reply: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: Help - port attacks"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 09 Apr 2004 00:01:06 -0700
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 4/9/2004
Time: 11:59:11 PM
User: NT AUTHORITY\SYSTEM
Computer: KIKIBITZFINAL
Description:
Successful Network Logon:
User Name: KIKIBITZFINAL$
Domain: KIKIBITZRTM
Logon ID: (0x0,0xA4D53D)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {xxxxxx}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.0.2
Source Port: 4568
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
See, totally normal.
Mike DeLong wrote:
> New info:
>
> I disconnected all clients and the router from the server
> computer - and the messages continued!
>
> They are some sort of service message from something
> happening several times a minute - but I don't know what!
>
>
>
>>-----Original Message-----
>>On that Outside nic is there a reason why you are 255.0.0.0? You can be
>>255.255.255.0
>>
>>copy and paste some sample errors.
>>
>>Mike DeLong wrote:
>>
>>>Router = 10.0.0.1 255.255.255.0
>>> |
>>>Outside NIC = 10.0.0.2 255.0.0.0
>>> |
>>>Small Business Server Computer
>>> |
>>>Inside NIC = 192.168.16.2 255.255.255.0
>>>
>>>
>>>DNS Server 192.168.16.2
>>>
>>>I have filtered out all TCP except 25 and 80
>>>All UDP ports are open (when I close all, I can't get to
>>>internet)
>>>All IP protocols are open.
>>>Attacks are still happening - trying port after port.
>>>Also, errors appearing in event viewer about active
>>>directory, after I blocked all TCP ports except 25 and 80.
>>>
>>>
>>>>-----Original Message-----
>>>>What's the subnet of the outside NIC card?
>>>>
>>>>255.255.255.0?
>>>>
>>>>And put up the diagram of what setup you have. Inside NIC ip address
>>>>and outside NIC ip address and what no.
>>>>
>>>>Kerberos is normally a time sync issue but if an account was shut
>>>>off.... and what is that 10.0.0.2 nic connected to?
>>>>
>>>>Susan
>>>>
>>>>Mike DeLong wrote:
>>>>
>>>>
>>>>>My event viewer (security) is showing hundreds of events
>>>>>per minute, coming from 10.0.0.2 (wan side of server),
>>>>>trying source ports in order. One of my users' accounts
>>>>>was shut down because of too many logon attempts in a
>>>>>row. What is happening? I have the firewall on. I have
>>>>>2 network cards and nat running. Yet I continue to get
>>>>>Event ID 540 (logon) process:kerberos, Event ID 538
>>>>>(logoff) process:kerberos, and Event ID 576. What should
>>>>>I do??
>>>>
>>>>--
>>>>http://www.sbslinks.com/really.htm
>>>>
>>>>.
>>>>
>>
>>--
>>http://www.sbslinks.com/really.htm
>>
>>.
>>
-- http://www.sbslinks.com/really.htm
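
An added example, not part of the original message: a small triage of pasted Event ID 540 text that separates the server's own machine-account Kerberos network logons (the kind quoted at the top of this message) from network logons worth a closer look. The second sample record, the function names and the RFC 1918 "internal address" rule are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: first record trimmed from the event quoted above,
# second record (user name, address) invented for contrast.
SAMPLE = """\
Event ID: 540
User Name: KIKIBITZFINAL$
Logon Type: 3
Logon Process: Kerberos
Source Network Address: 192.168.0.2

Event ID: 540
User Name: jsmith
Logon Type: 3
Logon Process: NtLmSsp
Source Network Address: 203.0.113.7
"""

def parse_events(text):
    """Split pasted Event Viewer text into one field dict per event."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        events.append(fields)
    return events

def triage(ev):
    """Label a 540 network logon: machine-account traffic or review."""
    if ev.get("Event ID") != "540" or ev.get("Logon Type") != "3":
        return "other"
    try:
        ip = ipaddress.ip_address(ev.get("Source Network Address", ""))
        internal = any(ip in net for net in RFC1918)
    except ValueError:
        internal = False  # blank or "-" address: origin unknown
    machine = ev.get("User Name", "").endswith("$")
    kerberos = ev.get("Logon Process") == "Kerberos"
    return "machine-account" if machine and internal and kerberos else "review"

def summarize(text):
    return Counter(triage(ev) for ev in parse_events(text))
```

`summarize(SAMPLE)` counts one event under each label; anything under "review" is what to read by hand alongside the account-lockout events.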