Re: Hacking Attempts ?



Hi

I'm seeing this in clients' servers also. Trying to research some 3rd party to
give better reporting function, got no idea which 'door' this webmaster is
trying.


"Jeff Teel" <jdteel@RMoveThis sugardog.com> wrote in message
news:Ogci1Cx5HHA.464@xxxxxxxxxxxxxxxxxxxxxxx
I took a look at my Authentication logs this morning and noticed that I had
a "webmaster" username attempt yesterday as well. There were eight attempts
with times of:
7:17:25
7:17:26
7:17:28
7:17:29
7:17:45
7:17:47
7:17:48
7:17:50

All attempts mirror the one below except for the times of course.

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 8/24/2007
Time: 7:17:25 AM
User: NT AUTHORITY\SYSTEM
Computer: SERVER1
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: webmaster
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER1
Caller User Name: SERVER1$
Caller Domain: businessnet
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 2032
Transited Services: -
Source Network Address: -
Source Port: -




"Colin" <Colin@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:54463927-E34B-41FA-9279-747CC0DF9687@xxxxxxxxxxxxxxxx
Hi all,

I read a thread here a few days ago regarding a possible hacking attempt.
The user trying to logon was 'webmaster', quite a common hacker logon. I've
just received 3 daily server performance reports from 3 different sites all
reporting the same issue. The most concerning of these reports is that I have
RWW (and OWA) locked down to certain ISP IP ranges or from my own IP only.
One system even has a double authentication component. I find it strange that
all of these servers got hit by a hacker at the same time (2355 hrs). No
systems have been compromised but it seems a bit of a coincidence that a
'hacker' tried all 3 of my installations at the same time. Has anyone else
had this behaviour or am I just unlucky that Mr Hacker decided to pick on me
and 3 of my clients only last night?

Regards Colin.
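
The burst pattern in the quoted Event ID 529 entries, as an added example that is not part of the original thread: a Python script that parses exported event text, groups failed logons per user name into bursts, and records whether any event carries a source address. The sample input is constructed from the single event and the eight times quoted above; the function names, the 5-second gap and the minimum count of 3 are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: fields from the one Event ID 529 quoted in the thread,
# repeated for the eight listed times (the thread shows only one full event).
TIMES = ["7:17:25", "7:17:26", "7:17:28", "7:17:29",
         "7:17:45", "7:17:47", "7:17:48", "7:17:50"]
TEMPLATE = ("Event ID: 529\nDate: 8/24/2007\nTime: {t} AM\nUser Name: webmaster\n"
            "Logon Process: Advapi\nCaller Process ID: 2032\nSource Network Address: -\n")
SAMPLE = "".join(TEMPLATE.format(t=t) for t in TIMES)

def parse_events(text):
    """Split exported log text on 'Event ID:' and return one dict per 529 event."""
    events = []
    for chunk in re.split(r"(?m)^(?=[ \t]*Event ID:)", text):
        fields = dict(re.findall(r"(?m)^[ \t]*([^:\n]+):[ \t]*(.*?)[ \t]*$", chunk))
        if fields.get("Event ID") == "529":
            fields["when"] = datetime.strptime(
                fields["Date"] + " " + fields["Time"], "%m/%d/%Y %I:%M:%S %p")
            events.append(fields)
    return events

def bursts(events, gap=timedelta(seconds=5), min_count=3):
    """Group failures per user name into runs whose spacing is at most `gap`."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["when"]):
        runs = by_user.setdefault(e.get("User Name", ""), [])
        if runs and e["when"] - runs[-1][-1]["when"] <= gap:
            runs[-1].append(e)
        else:
            runs.append([e])
    out = []
    for user, runs in by_user.items():
        for run in runs:
            if len(run) >= min_count:
                out.append({
                    "user": user, "count": len(run),
                    "start": run[0]["when"], "end": run[-1]["when"],
                    # "-" means the event records no remote address; the caller
                    # process ID is then the only locator the event offers.
                    "has_source": any(
                        x.get("Source Network Address", "-") != "-" for x in run),
                    "caller_pids": sorted(
                        {x.get("Caller Process ID", "?") for x in run}),
                })
    return out

if __name__ == "__main__":
    for b in bursts(parse_events(SAMPLE)):
        print(b)
```

Run against a real export, a burst with `has_source` false points to the caller process on the server itself as the place to look next, since the Security log entry alone does not name the remote client.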






