Re: Hacking attempts?
- From: "JEC" <thejohncarlson@xxxxxxxxxxxxxxxxxxx>
- Date: Wed, 9 May 2007 20:45:16 -0500
Unfortunately it appears as if SMTP logging was not turned on.
I tried viewing the IIS logs for the given time period but did not see anything. I may not be looking in the right place though. It is a little confusing.
"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@xxxxxxxxxxx> wrote in message news:%23tS1XfpkHHA.4876@xxxxxxxxxxxxxxxxxxxxxxx
Logon Type 3 – Network
Windows logs logon type 3 in most cases when you access a computer from elsewhere on the network. One of the most common sources of logon events with logon type 3 is connections to shared folders or printers. But other over-the-network logons are classed as logon type 3 as well such as most logons to IIS. (The exception is basic authentication which is explained in Logon Type 8 below.)
That's just over the network.... and port 25 is open.... as is 3389, two more often attacked ports than 443.
I'll bet it's SMTP auth attacks, not RWW. Check the SMTP logs.
kj wrote:
JEC wrote:
FWIW - the only ports that are open on both of these boxes are 25, 443,
4125, and 3389.
OWA also runs on 443 as does HTTP/RPC, but I believe the logon Type:3 as you are seeing *is* RWW.
You can use the IIS logs to track down the ip address(es) that are attempting unauthorized login. IIS logs are timestamped UTC though as I remember. You'll need to adjust to correlate to your event logs.
"JEC" <thejohncarlson@xxxxxxxxxxxxxxxxxxx> wrote in message
news:612C1FD7-5FB3-48C6-B8D0-B7B9321C6AF1@xxxxxxxxxxxxxxxx
Here is an example:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 5/9/2007
Time: 10:16:22 AM
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: mindy
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER
Caller User Name: SERVER$
Caller Domain: DOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 436
Transited Services: -
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
The caller process is what gives it away. It is inetinfo.exe. The
only externally exposed IIS is the RWW.
"Steve" <newsgroup@xxxxxxxxxx> wrote in message
news:OYoNTQokHHA.5024@xxxxxxxxxxxxxxxxxxxxxxx
How are you determining that these are RWW login attempts? What is
the actual security event being logged?
"JEC" <thejohncarlson@xxxxxxxxxxxxxxxxxxx> wrote in message
news:9852BEC9-023D-48CE-BE82-5AC1744D3081@xxxxxxxxxxxxxxxx
I am a computer consultant who manages a dozen SBS 2003 networks.
About a week ago, I received my daily report and noticed there had
been 1700 failed login attempts on this server. Upon examining the
security logs, I discovered that there were 9 login attempts a
second, trying to login to the RWW with random user names. It did
not appear that any were successful.
Yesterday afternoon, it happened to another one of my customers.
1100 login attempts to the RWW in a very short amount of time. All
with random user names. Again it appeared none were successful.
Has anyone else seen anything like this happening?
My servers are completely patched, and all users have very strong
passwords. Anyone else have any suggestions of steps I should take
to prevent this?
Is there a way to limit the number of login attempts to the RWW?
Any help is greatly appreciated.