Re: Hacking attempts?
- From: "kj" <kj@xxxxxxxxxxx>
- Date: Wed, 9 May 2007 16:05:09 -0700
JEC wrote:
FWIW - the only ports that are open on both of these boxes are 25, 443,
4125, and 3389.
OWA also runs on 443 as does HTTP/RPC, but I believe the logon Type:3 as you
are seeing *is* RWW.
You can use the IIS logs to track down the ip address(es) that are
attempting unauthorized login. IIS logs are timestamped UTC though as I
remember. You'll need to adjust to correlate to your event logs.
"JEC" <thejohncarlson@xxxxxxxxxxxxxxxxxxx> wrote in message
news:612C1FD7-5FB3-48C6-B8D0-B7B9321C6AF1@xxxxxxxxxxxxxxxx
Here is an example:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 5/9/2007
Time: 10:16:22 AM
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: mindy
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER
Caller User Name: SERVER$
Caller Domain: DOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 436
Transited Services: -
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
The caller process is what gives it away. It is inetinfo.exe. The
only externally exposed IIS is the RWW.
"Steve" <newsgroup@xxxxxxxxxx> wrote in message
news:OYoNTQokHHA.5024@xxxxxxxxxxxxxxxxxxxxxxx
How are you determining that these are RWW login attempts? What is
the actual security event being logged?
"JEC" <thejohncarlson@xxxxxxxxxxxxxxxxxxx> wrote in message
news:9852BEC9-023D-48CE-BE82-5AC1744D3081@xxxxxxxxxxxxxxxx
I am a computer consultant who manages a dozen SBS 2003 networks.
About a week ago, I received my daily report and noticed there had
been 1700 failed login attempts on this server. Upon examining the
security logs, I discovered that there were 9 login attempts a
second, trying to login to the RWW with random user names. It did
not appear that any were successful.
Yesterday afternoon, it happened to another one of my customers.
1100 login attempts to the RWW in a very short amount of time. All
with random user names. Again it appeared none were successful.
Has anyone else seen anything like this happening?
My servers are completely patched, and all users have very strong
passwords. Anyone else have any suggestions of steps I should take
to prevent this?
Is there a way to limit the number of login attempts to the RWW?
Any help is greatly appreciated.
--
/kj
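Correlating the Event ID 529 entries with the IIS logs as kj suggests, as an added example that is not part of the thread: it parses a constructed IIS W3C log excerpt, shifts its UTC timestamps onto the event log's local clock (an assumed -7 hour offset, PDT, taken from the mail headers), and counts the client addresses whose POSTs to an assumed RWW logon path (`/Remote/`) fall within a couple of seconds of a failed-logon event.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed IIS 6 W3C log excerpt; IIS stamps these in UTC, as noted above.
# /Remote/ is assumed to be the RWW logon page (not taken from the post).
IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem s-port cs-username c-ip sc-status
2007-05-09 17:16:21 POST /Remote/logon.aspx 443 - 198.51.100.7 200
2007-05-09 17:16:22 POST /Remote/logon.aspx 443 - 198.51.100.7 200
2007-05-09 17:16:22 POST /Remote/logon.aspx 443 - 198.51.100.7 200
2007-05-09 17:16:23 GET /exchange/ 443 DOMAIN\\mindy 203.0.113.5 200
"""
# Constructed: local Date/Time of Event ID 529 entries like the one quoted above.
EVENTS_529 = [("5/9/2007", "10:16:22 AM"), ("5/9/2007", "10:16:22 AM")]
# Server offset from UTC; assumed -7 (PDT) from the posters' mail headers.
UTC_OFFSET = timedelta(hours=-7)

def parse_iis_log(text):
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            utc = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            row["local_time"] = utc + UTC_OFFSET  # shift onto the event log's clock
            rows.append(row)
    return rows

def parse_event_time(date_str, time_str):
    """Event Viewer's local timestamp format, e.g. 5/9/2007 10:16:22 AM."""
    return datetime.strptime(date_str + " " + time_str, "%m/%d/%Y %I:%M:%S %p")

def suspect_sources(events, rows, path_prefix="/Remote/", window=timedelta(seconds=2)):
    """Count client IPs whose RWW logon POSTs fall within `window` of a 529 event.
    The event log decides what failed; the IIS log supplies the client address
    that the 529 event lacks ("Source Network Address: -")."""
    times = [parse_event_time(d, t) for d, t in events]
    hits = Counter()
    for r in rows:
        if r["cs-method"] != "POST" or not r["cs-uri-stem"].startswith(path_prefix):
            continue
        if any(abs(r["local_time"] - when) <= window for when in times):
            hits[r["c-ip"]] += 1
    return hits
```

The resulting counts per address are what you would feed into a firewall block or a RWW lockout decision; keep the offset in step with daylight-saving changes or the correlation silently drifts by an hour.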