Re: Hacking attempts?



Here is an example:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 5/9/2007
Time: 10:16:22 AM
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: mindy
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER
Caller User Name: SERVER$
Caller Domain: DOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 436
Transited Services: -
Source Network Address: -
Source Port: -


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


The caller process is what gives it away. It is inetinfo.exe. The only externally exposed IIS is the RWW.


"Steve" <newsgroup@xxxxxxxxxx> wrote in message news:OYoNTQokHHA.5024@xxxxxxxxxxxxxxxxxxxxxxx
How are you determining that these are RWW login attempts? What is the actual security event being logged?

"JEC" <thejohncarlson@xxxxxxxxxxxxxxxxxxx> wrote in message news:9852BEC9-023D-48CE-BE82-5AC1744D3081@xxxxxxxxxxxxxxxx
I am a computer consultant who manages a dozen SBS 2003 networks. About a week ago, I received my daily report and noticed there had been 1700 failed login attempts on this server. Upon examining the security logs, I discovered that there were 9 login attempts a second, trying to log in to the RWW with random user names. It did not appear that any were successful.

Yesterday afternoon, it happened to another one of my customers. 1100 login attempts to the RWW in a very short amount of time. All with random user names. Again it appeared none were successful.

Has anyone else seen anything like this happening?

My servers are completely patched, and all users have very strong passwords. Anyone else have any suggestions of steps I should take to prevent this?

Is there a way to limit the number of login attempts to the RWW?

Any help is greatly appreciated.
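
Added example, not part of the original thread: a sketch of the triage described above, run over Security-log text exported in the layout of the event shown. It keeps Event ID 529 / Logon Type 3 failures whose Caller Process ID is the IIS process, then flags minutes with many failures across many distinct user names. The function names, the thresholds and the sample records are assumptions made for illustration; the PID (436 in the event above) has to be confirmed as inetinfo.exe on the server in question.

```python
import re
from collections import defaultdict
from datetime import datetime

FIELD = re.compile(r"^\s*([A-Za-z /]+?):[ \t]*(.*)$")

def parse_events(text):
    """Split exported Security-log text into one dict of fields per event."""
    events = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Event Type":          # first field of every record
            events.append({})
        if events:
            events[-1][key] = value
    return events

def iis_logon_failures(events, iis_pid):
    """Keep Event ID 529, Logon Type 3 records whose caller is the IIS PID."""
    hits = []
    for e in events:
        if (e.get("Event ID"), e.get("Logon Type"), e.get("Caller Process ID")) \
                == ("529", "3", str(iis_pid)):
            when = datetime.strptime(f"{e['Date']} {e['Time']}", "%m/%d/%Y %I:%M:%S %p")
            hits.append((when, e.get("User Name", "").lower()))
    return sorted(hits)

def spray_minutes(hits, min_failures=20, min_users=10):
    """Minutes with many failures spread over many distinct user names."""
    per_minute = defaultdict(list)
    for when, user in hits:
        per_minute[when.replace(second=0)].append(user)
    return [(minute, len(users), len(set(users)))
            for minute, users in sorted(per_minute.items())
            if len(users) >= min_failures and len(set(users)) >= min_users]

# Constructed sample in the layout of the event above (not real log data).
TEMPLATE = ("Event Type: Failure Audit\nEvent ID: 529\nDate: 5/9/2007\n"
            "Time: {time}\nLogon Failure:\n  User Name: {user}\n"
            "  Logon Type: 3\n  Caller Process ID: {pid}\n\n")

def build_sample():
    burst = [TEMPLATE.format(time=f"10:16:{22 + i // 9:02d} AM", user=f"user{i}", pid=436)
             for i in range(27)]                      # 9 per second for 3 seconds
    other = TEMPLATE.format(time="10:16:30 AM", user="svc", pid=1200)  # not IIS
    lone = TEMPLATE.format(time="11:02:05 AM", user="mindy", pid=436)  # single typo
    return "".join(burst) + other + lone

if __name__ == "__main__":
    for row in spray_minutes(iis_logon_failures(parse_events(build_sample()), 436)):
        print(row)
```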


