sec audit failures

Posted on 2004-11-17
Last Modified: 2010-04-11
I'm rather amature when it comes to security
Can anyone tell me what this log means
Logon Failure:
  Reason: Unknown user name or bad password
  User Name: admins
  Logon Type: 3
  Logon Process: NtLmSsp
  Authentication Package: NTLM
  Workstation Name: YOUR-NQLT98LCOR
  Caller User Name: -
  Caller Domain: -
  Caller Logon ID: -
  Caller Process ID: -
  Transited Services: -
  Source Network Address:
  Source Port: 0

What I've got is a win2k3 server. It uses NAT with no firewall.  This log showed up sunday just gone between 12am and 1am in 5 sec intervals. I thought it was rather random. Then last night it showed up from 11:45pm until 1:40am 10 sec intervals. Looking at the logs I can see lots of different combinations of the word administrator ie administra, administrador etc etc.
I have a dynamic external ip address which changes every other day.
I notice there is no source port at all, and I don't know if this is my own external ip thats getting reported. I have ports
4662tcp , 12827 udp
6881 - 6889
and L2TP

I'm not sure if this is something on my network or something external. In all the logs the computer name is the same, I don't have a computer with that name on the network.
Question by:dj_relentless
    LVL 87

    Accepted Solution

    It looks like someone from outside tried to logon to your system by trying different versions of usernames/passwords. turn off file and printer sharing on the NIC to the wan, also disable NetBIOS over tcp/ip in the wins tab of the advanced tcp/ip settings. This should make your server more difficult to be seen from the internet.
    LVL 4

    Author Comment

    thanks, i didn't event think about the configuration of the external interface

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    6 Surprising Benefits of Threat Intelligence

    All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

    If you get continual lockouts after changing your Active Directory password, there are several possible reasons.  Two of the most common are using other devices to access your email and stored passwords in the credential manager of windows.
    This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
    It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
    Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…

    779 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    15 Experts available now in Live!

    Get 1:1 Help Now