Login Errors Seem to indicate we are being hacked?



Hi,
In the logs this morning for one of my clients I have had about 500 failed
logins in the Security logs. I looked at the Security Event Log and filtered
for failures and there were hundreds of attempts in very quick succession
some using the same user name (and presumably different passwords) and then
loads of different user names one after the other which sounds like a brute
force attempt to gain access.

We use very strong passwords so I am not worried they will have got in, but
I would like to ascertain how they were doing it as no IP addresses were
quoted so they weren't getting in via the net (unless they were somehow
hiding their IP Address). The typical log entry looks like this:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 12/09/2008
Time: 12:29:41
User: NT AUTHORITY\SYSTEM
Computer: SERVER01
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: pentium
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER01
Caller User Name: SERVER01$
Caller Domain: MOUNTAINASH
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1692
Transited Services: -
Source Network Address: -
Source Port: -


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

How do you interrogate the above entry into a meaningful explanation of how
they were logging in? I.e. what is a logon type 3 and what do the caller Login
ID and Process ID tell me?

Any help appreciated.

Siv
--
Martley, Near Worcester, UK
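
Added example (not part of the original post): a Python triage of entries in the layout quoted above, grouping Event ID 529 failures by logon type, caller process ID and user name and measuring the densest burst. Logon type 3 is a network logon and the caller process ID is the PID of the process on the server that submitted the credentials; the sample entries and the user0 to user7 names are constructed, and day/month/year dates are assumed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Standard Windows logon type codes.
LOGON_TYPES = {"2": "Interactive", "3": "Network", "4": "Batch", "5": "Service",
               "7": "Unlock", "8": "NetworkCleartext", "10": "RemoteInteractive"}
FIELD = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(.*?)\s*$", re.M)

def parse_entries(text):
    """Return the 529 entries as dicts (assumes day/month/year dates)."""
    entries = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        fields = dict(FIELD.findall(chunk))
        if fields.get("Event ID") == "529":
            fields["when"] = datetime.strptime(
                fields["Date"] + " " + fields["Time"], "%d/%m/%Y %H:%M:%S")
            entries.append(fields)
    return entries

def triage(entries, window=timedelta(minutes=5), threshold=10):
    """Summarise failures by entry point and report the densest burst."""
    times = sorted(e["when"] for e in entries)
    peak = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:  # slide the window forward
            start += 1
        peak = max(peak, end - start + 1)
    users = Counter(e["User Name"] for e in entries)
    return {
        "logon_types": Counter(LOGON_TYPES.get(e["Logon Type"], e["Logon Type"])
                               for e in entries),
        # PID of the process on the server that submitted the credentials.
        "caller_pids": Counter(e["Caller Process ID"] for e in entries),
        "no_source_address": sum(e["Source Network Address"] == "-" for e in entries),
        "distinct_users": len(users),
        "most_tried": users.most_common(1)[0] if users else None,
        "peak_in_window": peak,
        "burst": peak >= threshold,
    }

# Constructed sample (not real log data): 12 failures, 5 seconds apart.
TEMPLATE = ("Event Type: Failure Audit\nEvent ID: 529\nDate: 12/09/2008\n"
            "Time: 12:29:{s:02d}\n User Name: {user}\n Logon Type: 3\n"
            " Logon Process: Advapi\n Caller Process ID: 1692\n"
            " Source Network Address: -\n\n")
NAMES = ["pentium"] * 4 + ["user%d" % i for i in range(8)]
SAMPLE = "".join(TEMPLATE.format(s=i * 5, user=n) for i, n in enumerate(NAMES))
print(triage(parse_entries(SAMPLE)))
```

On the server, `tasklist /svc` maps a caller PID to the service that owns it, provided the process has not restarted since the entries were written.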