Re: EventID 529 Logged 1723 Times in one Day!



Close ports 80 and 21 immediately.
There is no reason for either to be open.
And change all passwords for all accounts immediately and start looking for other stuff.

"David" <David@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:05DCF17C-B1BF-46C7-8488-C6CB96D60131@xxxxxxxxxxxxxxxx
Thanks for the prompt response. The usual ports are open for RWW, VPN & FTP
plus VNC. So: 80, 25, 443, 444, 4125, 1723, 3389, 47, 123, 21 & VNC
5500, 5800 & 5900. Std and I'm using a hardware firewall router with
corresponding ports open. I guess I could change the port assignments. Any
useful KB articles on same?
--
David @ Solsletta


"Cris Hanna [SBS-MVP]" wrote:

> With all those different names, appears to be a hack attack.
> When you look at the event, do you see an IP? Are they consistent?
>
> have you gone to www.grc.com and run Shields Up to see what's open?
> Is port 80 open?
> Is port 21 open for FTP?
>
> Are you running Std. or Premium?
> If Std. what are you doing for a firewall?
> "David" <David@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:5B853CCB-3DB3-41A5-A7BB-7EA41680AB2B@xxxxxxxxxxxxxxxx
> This is appearing in the logs with varying User Names:
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 529
> Date: 14/09/2007
> Time: 02:18:30
> User: NT AUTHORITY\SYSTEM
> Computer: MAC
> Description:
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name: pop
> Domain: MACPROSOL
> Logon Type: 8
> Logon Process: IIS
> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Workstation Name: MAC
> Caller User Name: MAC$
> Caller Domain: MACPROSOL
> Caller Logon ID: (0x0,0x3E7)
> Caller Process ID: 2144
> Transited Services: -
> Source Network Address: -
> Source Port: -
>
> The events are logged consistently but are intermittent. Generally
> occurring every 2 seconds for several hours with one user name then
> ceasing for a few hours or days before starting with another user name.
> Examples of names are: pop, dns, test123, admin, administrator.
>
> Hack attempt and apart from turning off remote access any ideas?
> --
> David @ Solsletta
>
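
Added example, not part of the original thread: a small triage script for Event ID 529 records exported as text in the layout quoted above. It tallies failures by Logon Type and Logon Process (showing which service the guesses arrive through) and groups them per User Name into bursts. The function names, the 10-second gap and the sample records are assumptions constructed for illustration, and dates are assumed to be DD/MM/YYYY as in the posted event.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FIELD = re.compile(r"^[>\s]*([A-Za-z][A-Za-z ]*?):[ \t]*(.*?)\s*$")  # tolerates "> " quoting

def parse_events(text):
    """Return one dict per Event ID 529 record; a record starts at 'Event Type'."""
    events = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(1) == "Event Type":
            events.append({})
        if m and events:
            events[-1][m.group(1)] = m.group(2)
    return [e for e in events if e.get("Event ID") == "529"]

def entry_points(events):  # Logon Type 8 is NetworkCleartext
    return Counter((e.get("Logon Type"), e.get("Logon Process")) for e in events)

def bursts_by_user(events, max_gap=timedelta(seconds=10)):
    """Per User Name, list (first, last, count) runs split where the gap > max_gap."""
    stamps = defaultdict(list)
    for e in events:  # assumes DD/MM/YYYY dates, as in the posted event
        ts = datetime.strptime(f"{e['Date']} {e['Time']}", "%d/%m/%Y %H:%M:%S")
        stamps[e["User Name"]].append(ts)
    out = {}
    for user, times in stamps.items():
        runs = []
        for ts in sorted(times):
            if runs and ts - runs[-1][1] <= max_gap:
                runs[-1][1:] = [ts, runs[-1][2] + 1]  # extend the current burst
            else:
                runs.append([ts, ts, 1])              # start a new burst
        out[user] = [tuple(r) for r in runs]
    return out

def _rec(time, user, event_id="529"):  # builds one constructed record, quoted as in the post
    return (f"> Event Type: Failure Audit\n> Event ID: {event_id}\n> Date: 14/09/2007\n"
            f"> Time: {time}\n> User Name: {user}\n> Logon Type: 8\n"
            "> Logon Process: IIS\n> Source Network Address: -\n>\n")

SAMPLE = "".join(_rec(t, u) for t, u in [  # constructed data, not the poster's log
    ("02:18:30", "pop"), ("02:18:32", "pop"), ("02:18:34", "pop"),
    ("06:00:00", "dns"), ("06:00:02", "dns"), ("09:00:00", "pop")]) + _rec("09:30:00", "x", "537")

if __name__ == "__main__":
    events = parse_events(SAMPLE)
    print(entry_points(events), bursts_by_user(events), sep="\n")
```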
