Re: ID-ing Hackers



MikeG wrote:
My Server Security Log recorded (160) 529 logon failure events during a 10 minute interval, one failure about every 6-7 seconds.
Is there a way to trace this to the source to find out who is doing this? I have SBS 2003 STD R2 Edition.

A sample of the event follows. Thanking you in advance for your help.

Security 529 Logon Failure:
Reason: Unknown user name or bad password
User Name: crack
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER
Caller User Name: SERVER$
Caller Domain: domain
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1828
Transited Services: -
Source Network Address: -
Source Port: -


There is a log level for RRAS that can be enabled, called 'tracing' in the RRAS manager, but it generates a large volume of fairly incomprehensible logs. A more cost-effective way is to buy a router which can log usefully, if your present one cannot.

It's not really very useful, as nearly all malevolent activity on the Internet is carried out from some home computer which has been cracked, possibly for months or years. For every home user who has up-to-date AV and spyware detection, there are ten or twenty who don't. The level of awareness of security issues of most computer users is on a par with their knowledge of quantum mechanics.

Almost certainly, you're being hit by a script rather than by a human, and you'll never track the real culprit. You won't even get a single IP address to block, as there is probably a collection of 'owned' machines, a so-called botnet, involved.

I'm sure you know the score: don't open any ports you don't need, restrict remote access to the users who really need it, beat them with a stick (sorry Susan) until they use decent passwords, use a second method of authentication if possible (certificates etc.), restrict connection to a few IP addresses or ranges, and so on. If the remote users are managers, and therefore immune to sticks, reason and suchlike, at least tell them in writing that the security of the network depends on the quality of their passwords.
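To triage a burst like this from an exported copy of the Security log, here is an added Python example (not code from the original thread) that parses flattened 529 records like the one quoted above, counts failures per account, and separates records that carry a Source Network Address from those logged by a local service through Advapi under the LocalSystem logon ID (0x0,0x3E7), where the client address is absent from the Security log and has to be read from the log of the service owning the Caller Process ID. The sample records are constructed and the process ID 1828 is just the value from the post.

```python
import re
from collections import Counter

# Field names exactly as they appear in a Windows 2003 / SBS 2003 event 529 record.
# Longer names such as "Caller User Name" win over "User Name" because the alternation
# is tried at each text position from left to right, so "Caller ..." matches first.
FIELDS = ["Reason", "User Name", "Domain", "Logon Type", "Logon Process",
          "Authentication Package", "Workstation Name", "Caller User Name",
          "Caller Domain", "Caller Logon ID", "Caller Process ID",
          "Transited Services", "Source Network Address", "Source Port"]
_FIELD_RE = re.compile("(" + "|".join(re.escape(f) for f in FIELDS) + "):")

def parse_529(record):
    """Split one flattened 529 record into {field: value}; empty fields become ''."""
    parts = _FIELD_RE.split(record)          # [prefix, name1, value1, name2, value2, ...]
    return {name: value.strip() for name, value in zip(parts[1::2], parts[2::2])}

def triage(records):
    """Summarise a burst of 529 failures and say where the client address can be found."""
    parsed = [parse_529(r) for r in records]
    by_user = Counter(f["User Name"] for f in parsed)
    # Logon Process Advapi with Caller Logon ID (0x0,0x3E7) (the LocalSystem session,
    # Caller User Name <HOST>$) means a service on the server called LogonUser for a
    # network client; the Security log then records no Source Network Address, so the
    # client IP must be correlated from the log of the service that owns that PID.
    service_pids = Counter(f["Caller Process ID"] for f in parsed
                           if f["Logon Process"] == "Advapi"
                           and f["Caller Logon ID"] == "(0x0,0x3E7)"
                           and f["Source Network Address"] in ("-", ""))
    with_source = Counter(f["Source Network Address"] for f in parsed
                          if f["Source Network Address"] not in ("-", ""))
    return {"total": len(parsed), "by_user": dict(by_user),
            "service_pids_to_correlate": dict(service_pids),
            "sources_seen": dict(with_source)}

# Constructed sample modelled on the record in the post (not real log data).
_TEMPLATE = ("Logon Failure: Reason: Unknown user name or bad password User Name: {user} "
             "Domain: Logon Type: 3 Logon Process: {proc} Authentication Package: "
             "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: SERVER "
             "Caller User Name: {caller} Caller Domain: domain Caller Logon ID: {lid} "
             "Caller Process ID: {pid} Transited Services: - "
             "Source Network Address: {src} Source Port: -")
SAMPLE = [_TEMPLATE.format(user=u, proc=p, caller=c, lid=l, pid=i, src=s) for u, p, c, l, i, s in [
    ("crack", "Advapi", "SERVER$", "(0x0,0x3E7)", "1828", "-"),
    ("administrator", "Advapi", "SERVER$", "(0x0,0x3E7)", "1828", "-"),
    ("crack", "Advapi", "SERVER$", "(0x0,0x3E7)", "1828", "-"),
    ("jsmith", "NtLmSsp", "-", "-", "-", "203.0.113.7")]]

if __name__ == "__main__":
    print(triage(SAMPLE))
```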


