Re: EventID 529 Logged 1723 Times in one Day!



Very handy - thanks. May use it on other servers but fortunately FTP is
turned off on this one.
--
David @ Solsletta


"Bitsmasher" wrote:

Hi David,

1723 is nothing. I have had over 12000 in a day!

I see this on my machines that run an FTP server. You will also find EventID
100 in the Event Viewer System log for corresponding dates and times. My
research has found that it is some scum sucking hacker using a script that
tries several userids and passwords to hack into your FTP since FTP does not
delay or lock out the account after so many failed attempts. Userid
Administrator is the most frequently tried. For more details on these
attempts on your server go to the following folder and check out the
logfiles there: C:\WINDOWS\system32\LogFiles\MSFTPSVC1

Here are a few things I have done to help me sleep better at night:
1. Rename the servers administrator account.
2. Ensure all users that have permission to your FTP server have complex
passwords.
3. Go to http://blog.netnerds.net/index.php?s=banftpips.vbs and get
Chrissy LeMaire's script file - this will collect and ban the IP addresses
of hacks trying to get in as administrator.

If anyone uses other methods to deal with this issue please reply!

Regards,
Bs.



"Ryan" <Ryan@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D5C7FCF6-7D7F-4559-B213-D2B8C4BF2003@xxxxxxxxxxxxxxxx
Hi David,

Logon Process: IIS
Logon Type 8: NetworkCleartext - Logon with credentials sent in the clear
text, for example logon to IIS with the basic authentication.

It looks like someone is running some scripts against your IIS. Anything
to be found in your IIS log-files?


"David" wrote:

Forgot. No - no source IP.
--
David @ Solsletta


"Cris Hanna [SBS-MVP]" wrote:

With all those different names, it appears to be a hack attack.
When you look at the event, do you see an IP? Are they consistent?

Have you gone to www.grc.com and run Shields Up to see what's open?
Is port 80 open?
Is port 21 open for FTP?

Are you running Std. or Premium?
If Std. what are you doing for a firewall?
"David" <David@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5B853CCB-3DB3-41A5-A7BB-7EA41680AB2B@xxxxxxxxxxxxxxxx
This is appearing in the logs with varying User Names:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 14/09/2007
Time: 02:18:30
User: NT AUTHORITY\SYSTEM
Computer: MAC
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: pop
Domain: MACPROSOL
Logon Type: 8
Logon Process: IIS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: MAC
Caller User Name: MAC$
Caller Domain: MACPROSOL
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 2144
Transited Services: -
Source Network Address: -
Source Port: -

The events are logged consistently but are intermittent, generally
occurring every 2 seconds for several hours with one user name, then
ceasing for a few hours or days before starting with another user name.
Examples of names are: pop, dns, test123, admin, administrator.

Hack attempt, and apart from turning off remote access, any ideas?
--
David @ Solsletta
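The thread's two practical observations are that the 529 audit carries no Source Network Address for an IIS (Logon Type 8) failure, and that the MSFTPSVC1 log on the same server does record the client IP. The script below is an added example written for this post, not Chrissy LeMaire's banftpips.vbs and not anything the posters ran: it parses 529 events in the Event Viewer text layout quoted above, parses an IIS 6 W3C FTP log, flags user names whose failures cluster like David's every-2-seconds pattern, and recovers the client IP by matching failed PASS commands to the audit timestamps. Both log excerpts are constructed sample data (documentation IP ranges, made-up times); the cs-username on the PASS lines and the 530/1326 status pair are assumptions about the IIS 6 FTP log format rather than something the thread shows.

```python
"""Correlate Event ID 529 failure audits (which lack a source address for
Logon Type 8) with the MSFTPSVC W3C log (which carries c-ip) to spot an
FTP password-guessing burst and name the client IP behind it."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: four 529 audits, fields trimmed to those used here.
SECURITY_EVENTS = """\
Event ID: 529
Date: 14/09/2007
Time: 02:18:30
User Name: pop
Logon Type: 8
Logon Process: IIS
Source Network Address: -

Event ID: 529
Date: 14/09/2007
Time: 02:18:32
User Name: pop
Logon Type: 8
Logon Process: IIS
Source Network Address: -

Event ID: 529
Date: 14/09/2007
Time: 02:18:34
User Name: pop
Logon Type: 8
Logon Process: IIS
Source Network Address: -

Event ID: 529
Date: 14/09/2007
Time: 09:41:07
User Name: dns
Logon Type: 8
Logon Process: IIS
Source Network Address: -
"""

# Constructed sample of a C:\WINDOWS\system32\LogFiles\MSFTPSVC1 log.
# Username on the PASS line and the 530/1326 pair are assumed, not verified.
FTP_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status
2007-09-14 02:18:30 203.0.113.5 pop [1]USER pop 331 0
2007-09-14 02:18:30 203.0.113.5 pop [1]PASS - 530 1326
2007-09-14 02:18:32 203.0.113.5 pop [2]USER pop 331 0
2007-09-14 02:18:32 203.0.113.5 pop [2]PASS - 530 1326
2007-09-14 02:18:34 203.0.113.5 pop [3]USER pop 331 0
2007-09-14 02:18:34 203.0.113.5 pop [3]PASS - 530 1326
2007-09-14 08:00:01 198.51.100.20 backup [4]USER backup 331 0
2007-09-14 08:00:01 198.51.100.20 backup [4]PASS - 230 0
2007-09-14 09:41:07 203.0.113.77 dns [5]USER dns 331 0
2007-09-14 09:41:07 203.0.113.77 dns [5]PASS - 530 1326
"""


def parse_529_events(text):
    """Split Event Viewer text on blank lines; keep only Event ID 529 entries."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if fields.get("Event ID") != "529":
            continue
        when = datetime.strptime(fields["Date"] + " " + fields["Time"],
                                 "%d/%m/%Y %H:%M:%S")  # day/month as in the post
        events.append({"time": when, "user": fields["User Name"],
                       "source": fields.get("Source Network Address", "-")})
    return events


def parse_ftp_log(text):
    """Parse W3C extended log lines using the column names from #Fields."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line; skip rather than misalign
        row = dict(zip(fields, values))
        row["time"] = datetime.strptime(row["date"] + " " + row["time"],
                                        "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def failures_by_user(events):
    """How often each user name failed; the thread's 'Administrator tops it' check."""
    return Counter(e["user"] for e in events)


def burst_users(events, window=timedelta(seconds=10), threshold=3):
    """User names with >= threshold failures inside any sliding window."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e["time"])
    flagged = set()
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged


def correlate_source_ip(events, ftp_rows, tolerance=timedelta(seconds=2),
                        utc_offset=timedelta(0)):
    """Map each 529 user name to client IPs of FTP PASS failures logged within
    `tolerance` of the audit. IIS W3C logs are written in UTC while the
    Security log shows local time, so pass utc_offset = local minus UTC."""
    failed = [r for r in ftp_rows
              if r["cs-method"].endswith("PASS") and r["sc-status"] == "530"]
    hits = defaultdict(set)
    for e in events:
        if e["source"] != "-":          # audit already names the address
            hits[e["user"]].add(e["source"])
            continue
        for r in failed:
            if (r["cs-username"] == e["user"]
                    and abs(r["time"] + utc_offset - e["time"]) <= tolerance):
                hits[e["user"]].add(r["c-ip"])
    return dict(hits)


if __name__ == "__main__":
    evs = parse_529_events(SECURITY_EVENTS)
    ftp = parse_ftp_log(FTP_LOG)
    print("529 failures by user:", dict(failures_by_user(evs)))
    print("burst user names:", sorted(burst_users(evs)))
    for user, ips in correlate_source_ip(evs, ftp).items():
        print(f"{user}: {sorted(ips)}")
```

On a real server, replace the two sample strings with the Security log export and the day's MSFTPSVC1 file, and set utc_offset to the machine's zone before trusting the IP matches; a successful PASS (status 230) from the same address right after a burst is the line worth reading closest.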






