Re: Hack Attempt - Remote Web Workplace?
- From: Joe <joe@xxxxxxxxxxxxxx>
- Date: Thu, 22 Nov 2007 19:33:52 +0000
jimlawrnc wrote:
On Nov 22, 8:26 am, frank <fr...@xxxxxxxxxx> wrote:
I have a SBS 2003 R2 implementation that has the following services
exposed to the internet:
* Outlook Web Access,
* Remote Web Workplace,
* SMTP
Over the past two months I have seen the following event logs
appearing in the Security event log:
Logon Failure:
Reason: Unknown user name or bad password
User Name: webmaster
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: <server name>
Caller User Name: <server name>$
Caller Domain: <server domain name>
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1880
Transited Services: -
Source Network Address: -
Source Port: -
I have noticed that the user can also be root, administrator as well.
My suspicion is that someone is trying to hack into the Outlook Web
Access or Remote Web Workplace applications by some kind of automated
means (script etc). I would like to block the IP addresses of these
users at the firewall although there are no corresponding logs for
these security failures in the IIS log for these web applications.
How would I go about obtaining the IP addresses of these hackers? Is
there a more verbose mode of logging I can set within IIS?
What type of router do you have?
Is logging enabled on the router? If so, you can get the IP from there.
Agreed, the router is the best place to log incoming connections, but most routers don't have much spare RAM and will only store a few dozen connections at a time. You really need a syslog server running on the network to store the router's logs until you have no further use for them.
But you're wasting your time, you're not talking about half a dozen rogue IP addresses. The attacker, if one exists, will certainly not be using his own computer to open the connection, and he's unlikely to have just one or even a few at his disposal. You're also leaving yourself open to denial of service attacks, when the current attacker realises what you're doing and starts spoofing his source IP addresses as those of major ISPs. Even more likely is that there isn't actually an attacker, that you're seeing automated scanning software, which may well be running on tens or hundreds of thousands of hijacked computers. The most powerful distributed computing system on the planet is now claimed to be one particular botnet.
You have absolutely no alternative, under any circumstances, to using extremely good passwords on those accounts which can gain access externally, and if you do then password guessing will not be a problem.
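Added example, not part of the original thread: a Python sketch that parses Security-log failure records in the layout quoted above and counts attempts per user name and per source address, including how many records carry no address at all (as in the quoted event, where Source Network Address is "-"). The sample records, the address 192.0.2.10 and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: two failure records in the layout quoted in the thread.
SAMPLE = """\
Logon Failure:
Reason: Unknown user name or bad password
User Name: webmaster
Domain:
Logon Type: 3
Logon Process: Advapi
Source Network Address: -
Source Port: -
Logon Failure:
Reason: Unknown user name or bad password
User Name: root
Logon Type: 3
Logon Process: Advapi
Source Network Address: 192.0.2.10
Source Port: 4312
"""

# "Key: value" lines; the key stops at the first colon, the value may be empty.
FIELD = re.compile(r"^\s*([^:]+):\s*(.*)$")

def parse_failures(text):
    """Split exported event text into one dict per 'Logon Failure:' record."""
    records, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Logon Failure":
            current = {}
            records.append(current)
        elif current is not None:
            current[key] = value
    return records

def summarize(records):
    """Return (failures per user, failures per address, records with no address)."""
    users = Counter(r.get("User Name", "").lower() for r in records)
    sources = Counter(r.get("Source Network Address") or "-" for r in records)
    no_address = sources.pop("-", 0)  # "-" means the event recorded no address
    return users, sources, no_address

if __name__ == "__main__":
    print(summarize(parse_failures(SAMPLE)))
```

Records counted under no address are the ones for which the source has to come from another log, such as the router log discussed above.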