Re: RWW Attack using 'Administrator'
- From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@xxxxxxxxxxx>
- Date: Thu, 10 May 2007 10:56:09 -0700
Logon Type 10 – RemoteInteractive
When you access a computer through Terminal Services, Remote Desktop or Remote Assistance windows logs the logon attempt with logon type 10 which makes it easy to distinguish true console logons from a remote desktop session. Note however that prior to XP, Windows 2000 doesn’t use logon type 10 and terminal services logons are reported as logon type 2.
Do you have port 3389 open to the web? If so that could be TSgrinder attacks.
Yesterday, we had 455 access attempts from 220.127.116.11, in short bursts over 20 mins, with 2 - 3 attempts per second; data from the Security Log. Logon Type 10, LogOn Process User 32..
There is no sign of the password being compromised to give access, however it was made easier by having 'administrator' as the UserNname.
Is it possible to change the User Name to a new randomly generated name without causing downstream problems?