Break-in attempted -- how to respond?
From: David Schrag (david-no-spam_at_schrag.net)
Date: 05/13/04
- Next message: Clay Adams [MSFT]: "RE: SBS 2003 Exchange POP3 Connector"
- Previous message: Javier Gomez [SBS MVP]: "Re: Additional SMTP Server"
- Next in thread: Tony Su: "Break-in attempted -- how to respond?"
- Reply: Tony Su: "Break-in attempted -- how to respond?"
- Reply: Les Connor [SBS MVP]: "Re: Break-in attempted -- how to respond?"
- Reply: David Schrag: "Re: Break-in attempted -- how to respond?"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 13 May 2004 08:21:20 -0400
For a period of about 15 minutes yesterday, someone was trying hard to break
into one of my servers. There were 156 Failure Audits logged in the Security
log. The hacker tried to log in with the following user names: webmaster,
admin, root, test, master, web, www, administrator, and backup. Here is a
sample of a logged event:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 5/12/2004
Time: 12:14:56 PM
User: NT AUTHORITY\SYSTEM
Computer: [SERVERNAME]
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: backup
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: [SERVERNAME]
Caller User Name: [SERVERNAME]$
Caller Domain: [DOMAINNAME]
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 780
Transited Services: -
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
I am running SBS Premium but without ISA. I have a hardware firewall and I'm
also using the basic SBS firewall with 2 NICs in the server. Are there any
logs I can check to determine the source of the attack? I don't think they
were trying to come in through a RAS/VPN connection. The latest RAS "IN" log
is from last month. Is there a log made of connections via Terminal Services
that would show the source IP? Is there any way to tell for sure how they
were making a connection to the server?
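The events quoted above carry Logon Type 3 (a network logon) and a Source Network Address of "-", so the Security log by itself does not name the origin; the most it gives you is the pattern of the attempt. The following script is an added example, not part of the original post or of SBS: it parses Event ID 529 records in the text layout shown above, counts failures per user name, flags a burst of failures inside a time window, and reports whether any record actually carried a source address. The sample records are constructed from the user names listed in the post; SERVERNAME, the dates and the times are placeholders.

```python
"""Summarise a burst of Event ID 529 (logon failure) records.

Added example. Records are parsed from the "Key: Value" text layout that the
Windows Event Viewer produces, as quoted in the post; the sample below is
constructed, not real log data.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# User names the post reports being tried (the only values taken from the post).
USER_NAMES = ["webmaster", "admin", "root", "test", "master", "web", "www",
              "administrator", "backup"]

# One 529 record in the Event Viewer text layout. SERVERNAME is a placeholder.
EVENT_TEMPLATE = """\
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: {date}
Time: {time}
User: NT AUTHORITY\\SYSTEM
Computer: SERVERNAME
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: {user}
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVERNAME
Source Network Address: {addr}
Source Port: -
"""


def make_event(user, time, date="5/12/2004", addr="-"):
    """Render one constructed 529 record (helper for building sample data)."""
    return EVENT_TEMPLATE.format(user=user, time=time, date=date, addr=addr)


# Constructed sample: each user name from the post tried twice within two
# minutes, the same shape as the burst the post describes.
SAMPLE_LOG = "\n".join(
    make_event(user, f"12:{14 + i // 9:02d}:{(i * 6) % 60:02d} PM")
    for i, user in enumerate(USER_NAMES * 2)
)

FIELD_RE = re.compile(r"^([^:]+):\s*(.*)$")


def parse_events(text):
    """Split the text into records and return the 529 ones as dicts.

    Each dict holds the event's fields by name plus a parsed 'timestamp'.
    """
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if fields.get("Event ID") != "529":
            continue  # only logon failures are of interest here
        fields["timestamp"] = datetime.strptime(
            f"{fields['Date']} {fields['Time']}", "%m/%d/%Y %I:%M:%S %p")
        events.append(fields)
    return events


def detect_burst(events, threshold=10, window=timedelta(minutes=15)):
    """True if at least `threshold` failures fall inside any `window`."""
    times = sorted(e["timestamp"] for e in events)
    lo = 0
    for hi in range(len(times)):
        while times[hi] - times[lo] > window:
            lo += 1  # slide the window start forward
        if hi - lo + 1 >= threshold:
            return True
    return False


def summarize(events):
    """Aggregate what the Security log does and does not tell you."""
    stamps = [e["timestamp"] for e in events]
    return {
        "total": len(events),
        "by_user": Counter(e["User Name"] for e in events),
        "logon_types": Counter(e["Logon Type"] for e in events),
        # "-" means the event recorded no origin; only real addresses are kept.
        "source_addresses": sorted(
            {e["Source Network Address"] for e in events} - {"-", ""}),
        "span_seconds": (max(stamps) - min(stamps)).total_seconds() if stamps else 0.0,
    }


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_LOG)
    report = summarize(parsed)
    print(f"{report['total']} failures over {report['span_seconds']:.0f}s, "
          f"burst={detect_burst(parsed)}")
    print("per user:", dict(report["by_user"]))
    if not report["source_addresses"]:
        print("no Source Network Address recorded; correlate with the log of "
              "the service that performed the Type 3 logon")
```

When `source_addresses` comes back empty, as it does for the records in the post, the answer to "which log shows the source IP" has to come from the network-facing service that called the authentication package (its own access log), not from the Security log; the script makes that gap explicit rather than leaving it to be noticed by eye.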