Re: Break-in attempted -- how to respond?

From: David Schrag (david-no-spam_at_schrag.net)
Date: 05/13/04


Date: Thu, 13 May 2004 16:45:21 -0400

Thanks to those who have responded so far. So we think it's a safe bet that
this attack came in via TS? I guess I will have to lock down port 3389 on
the hardware FW so it only allows traffic in from my own IP address.

"David Schrag" <david-no-spam@schrag.net> wrote in message
news:uyB3OTOOEHA.204@TK2MSFTNGP10.phx.gbl...
> For a period of about 15 minutes yesterday, someone was trying hard to break
> into one of my servers. There were 156 Failure Audits logged in the Security
> log. The hacker tried to log in with the following user names: webmaster,
> admin, root, test, master, web, www, administrator, and backup. Here is a
> sample of a logged event:
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 529
> Date: 5/12/2004
> Time: 12:14:56 PM
> User: NT AUTHORITY\SYSTEM
> Computer: [SERVERNAME]
> Description:
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name: backup
> Domain:
> Logon Type: 3
> Logon Process: Advapi
> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Workstation Name: [SERVERNAME]
> Caller User Name: [SERVERNAME]$
> Caller Domain: [DOMAINNAME]
> Caller Logon ID: (0x0,0x3E7)
> Caller Process ID: 780
> Transited Services: -
> Source Network Address: -
> Source Port: -
>
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> I am running SBS Premium but without ISA. I have a hardware firewall and I'm
> also using the basic SBS firewall with 2 NICs in the server. Are there any
> logs I can check to determine the source of the attack? I don't think they
> were trying to come in through a RAS/VPN connection. The latest RAS "IN" log
> is from last month. Is there a log made of connections via Terminal Services
> that would show the source IP? Is there any way to tell for sure how they
> were making a connection to the server?
>
>
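The quoted record (event ID 529, Logon Type 3, Source Network Address "-") is the kind of thing a small parser can work over to answer the first question in the post: how many attempts, against which accounts, within what window, and whether the Security log itself ever recorded a client address. The Python below is an added example and not code from the thread or from Microsoft; it builds a constructed set of events in the same Key: Value layout as the quoted one (SERVER01, EXAMPLE, the user names and times are all made up for the sample) and groups the network logon failures into bursts.

```python
"""Group Windows event 529 logon failures into brute-force bursts.
Added example, not from the thread; all records, hosts and names are
constructed, laid out like the event quoted in the post."""
import re
from datetime import datetime, timedelta

# Same field layout as the quoted event; SERVER01 / EXAMPLE are placeholders.
EVENT_TEMPLATE = """\
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: {date}
Time: {time}
User: NT AUTHORITY\\SYSTEM
Computer: SERVER01
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: {user}
Domain:
Logon Type: {logon_type}
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER01
Caller User Name: SERVER01$
Caller Domain: EXAMPLE
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 780
Transited Services: -
Source Network Address: {source}
Source Port: -
"""

# Constructed sample: five network (type 3) failures against non-existent
# accounts within 14 minutes, one interactive (type 2) typo by a real user
# in the middle, and one lone network failure an hour later.
SAMPLE_RECORDS = [
    ("5/12/2004", "12:01:10 PM", "webmaster", 3, "-"),
    ("5/12/2004", "12:02:30 PM", "admin", 3, "-"),
    ("5/12/2004", "12:03:00 PM", "dschrag", 2, "-"),
    ("5/12/2004", "12:04:05 PM", "root", 3, "-"),
    ("5/12/2004", "12:05:44 PM", "test", 3, "-"),
    ("5/12/2004", "12:14:56 PM", "backup", 3, "-"),
    ("5/12/2004", "1:30:00 PM", "www", 3, "-"),
]
SAMPLE_LOG = "\n".join(
    EVENT_TEMPLATE.format(date=d, time=t, user=u, logon_type=lt, source=s)
    for d, t, u, lt, s in SAMPLE_RECORDS)

FIELD_RE = re.compile(r"^([^:]+):\s*(.*)$")  # key ends at the first colon

def parse_events(text):
    """Return one dict per event; a new event starts at each 'Event Type:'."""
    events, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue  # blank or free-text line
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Event Type":
            current = {}
            events.append(current)
        if current is not None:
            current[key] = value
    for ev in events:  # Date + Time -> datetime, e.g. '5/12/2004 12:14:56 PM'
        ev["timestamp"] = datetime.strptime(
            f"{ev['Date']} {ev['Time']}", "%m/%d/%Y %I:%M:%S %p")
    return events

def find_logon_bursts(events, window=timedelta(minutes=15), threshold=4):
    """Bursts of >= threshold network (type 3) 529 failures within `window`,
    each with the distinct user names tried and whether any record carried a
    Source Network Address other than '-'."""
    probes = sorted((e for e in events if e.get("Event ID") == "529"
                     and e.get("Logon Type") == "3"),
                    key=lambda e: e["timestamp"])
    bursts, current = [], []
    for ev in probes:
        if current and ev["timestamp"] - current[0]["timestamp"] > window:
            bursts.append(current)
            current = []
        current.append(ev)
    if current:
        bursts.append(current)
    report = []
    for b in bursts:
        if len(b) < threshold:
            continue
        report.append({
            "start": b[0]["timestamp"], "end": b[-1]["timestamp"],
            "failures": len(b),
            "users": sorted({e["User Name"] for e in b}),
            "source_recorded": any(
                e.get("Source Network Address", "-") not in ("-", "")
                for e in b),
        })
    return report

if __name__ == "__main__":
    for burst in find_logon_bursts(parse_events(SAMPLE_LOG)):
        print(burst)
```

On the constructed sample this reports one burst of five failures against admin, backup, root, test and webmaster, with source_recorded False: as in the quoted record, the 529 event carries "-" for Source Network Address and Source Port, so the client address has to come from another log (the hardware firewall or Terminal Services connection logging) rather than from the Security log itself. The interactive type 2 failure is left out on purpose so that an ordinary mistyped password at the console does not inflate the count.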


