Re: Failed Logon Attempts
- From: "neo [mvp outlook]" <neo@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 19 Mar 2007 06:47:57 -0700
You would have to review your IIS logs to get this info.
"Franky" <frankie_600@xxxxxxxxxxxxxx> wrote in message
news:Hf-dnZ1WM6nC4mPYRVnytgA@xxxxxxxxx
Hi All
Just seeking a little help on some security issues one of our servers
experienced last night. It appears as though they hit the "admin" account
& not the administrators & then hit the "Guest" account which was disabled
anyway. Only problem is i can not find their IP address through all of
this as there is no ISA installed. Is there any other way i can gain this
information from SBS 2003 or am i doomed until i can get the boss to see
things my way:)
Thanks in advance for any help
here is the log of the incident
Source Event ID Last Occurrence Total Occurrences
Security 680 3/18/2007 4:56 PM 5,385
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: admin
Source Workstation: SERVER
Error Code: 0xC0000064
=====================================================================
Source Event ID Last Occurrence Total Occurrences
Security 680 3/18/2007 4:56 PM 5,385
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: admin
Source Workstation: SERVER
Error Code: 0xC0000064
Source Event ID Last Occurrence Total Occurrences
Security 529 3/18/2007 4:56PM 3,391
Logon Failure:
Reason: Unknown user name or bad password
User Name: admin
Domain: (DOMAIN)
Logon Type: 8
Logon Process: IIS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER
Caller User Name: SERVER$
Caller Domain: DOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 5688
Transited Services: -
Source Network Address: -
Source Port: -
================================================================================================
Source Event ID Last Occurrence Total Occurrences
Security 539 3/18/2007 4:33PM 1,993 *
Logon Failure:
Reason: Account locked out
User Name: guest
Domain: DOMAIN
Logon Type: 8
Logon Process: IIS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER
Caller User Name: SERVER$
Caller Domain: DOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 5688
Transited Services: -
Source Network Address: -
Source Port: -
==============================================================================================
Security 531 3/18/2007 1:35 PM 1
Logon Failure:
Reason: Account currently disabled
User Name: guest
Domain: DOMAIN
Logon Type: 8
Logon Process: IIS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER
Caller User Name: SERVER$
Caller Domain: DOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 5688
Transited Services: -
Source Network Address: -
Source Port: -
.
- References:
- Failed Logon Attempts
- From: Franky
- Failed Logon Attempts
- Prev by Date: Re: WSUS - No Client connecting
- Next by Date: Re: Does user have to be a member of domain admins? Surely not!
- Previous by thread: Failed Logon Attempts
- Index(es):
Relevant Pages
|
