Failed Logon Attempts
- From: "Franky" <frankie_600@xxxxxxxxxxxxxx>
- Date: Mon, 19 Mar 2007 12:17:26 -0000
Hi All
Just seeking a little help on some security issues one of our servers
experienced last night. It appears as though they hit the "admin" account &
not the administrators & then hit the "Guest" account which was disabled
anyway. Only problem is i can not find their IP address through all of this
as there is no ISA installed. Is there any other way i can gain this
information from SBS 2003 or am i doomed until i can get the boss to see
things my way:)
Thanks in advance for any help
here is the log of the incident
Source Event ID Last Occurrence Total Occurrences
Security 680 3/18/2007 4:56 PM 5,385
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: admin
Source Workstation: SERVER
Error Code: 0xC0000064
=====================================================================
Source Event ID Last Occurrence Total Occurrences
Security 680 3/18/2007 4:56 PM 5,385
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: admin
Source Workstation: SERVER
Error Code: 0xC0000064
Source Event ID Last Occurrence Total Occurrences
Security 529 3/18/2007 4:56PM 3,391
Logon Failure:
Reason: Unknown user name or bad password
User Name: admin
Domain: (DOMAIN)
Logon Type: 8
Logon Process: IIS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER
Caller User Name: SERVER$
Caller Domain: DOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 5688
Transited Services: -
Source Network Address: -
Source Port: -
================================================================================================
Source Event ID Last Occurrence Total Occurrences
Security 539 3/18/2007 4:33PM 1,993 *
Logon Failure:
Reason: Account locked out
User Name: guest
Domain: DOMAIN
Logon Type: 8
Logon Process: IIS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER
Caller User Name: SERVER$
Caller Domain: DOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 5688
Transited Services: -
Source Network Address: -
Source Port: -
==============================================================================================
Security 531 3/18/2007 1:35 PM 1
Logon Failure:
Reason: Account currently disabled
User Name: guest
Domain: DOMAIN
Logon Type: 8
Logon Process: IIS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER
Caller User Name: SERVER$
Caller Domain: DOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 5688
Transited Services: -
Source Network Address: -
Source Port: -
.
- Follow-Ups:
- Re: Failed Logon Attempts
- From: neo [mvp outlook]
- Re: Failed Logon Attempts
- Prev by Date: Re: No Email No Port 25
- Next by Date: Re: How to share user calendar / set calendar rights ( Multiple users at once )
- Previous by thread: Re: No Email No Port 25
- Next by thread: Re: Failed Logon Attempts
- Index(es):
Relevant Pages
|
