sec audit failures
Posted on 2004-11-17
I'm rather amature when it comes to security
Can anyone tell me what this log means
Reason: Unknown user name or bad password
User Name: admins
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: YOUR-NQLT98LCOR
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 220.127.116.11
Source Port: 0
What I've got is a win2k3 server. It uses NAT with no firewall. This log showed up sunday just gone between 12am and 1am in 5 sec intervals. I thought it was rather random. Then last night it showed up from 11:45pm until 1:40am 10 sec intervals. Looking at the logs I can see lots of different combinations of the word administrator ie administra, administrador etc etc.
I have a dynamic external ip address which changes every other day.
I notice there is no source port at all, and I don't know if this is my own external ip thats getting reported. I have ports
4662tcp , 12827 udp
6881 - 6889
I'm not sure if this is something on my network or something external. In all the logs the computer name is the same, I don't have a computer with that name on the network.