hacking into our domain - suggestions on how to block

following on from one of my other questions, someone is trying to brute force guess our Administrator password. There were 3000+ attempts yesterday over a 3 hour period to guess the Administrator password. I need suggestions on:

a) how to stop it


b) how to track who it is

I have done the following so far:

- changed the administrator user name (and the password to a very strong one)

Also, if you suggest enabling logging on our firewall, please tell me how to do it for a pix 515!

Hi, what we do here is that we rename the real administrator account and create another account named "administrator" with no group membership (not even users) so these b*stards can play without risking to compromise true admin account.
Hi 5t34lth_G33k,


this is quite a good read on blocking the attacks, as far as tracing them goes i am not sure how to go about it as yet

you can have a look at the accounts lockout tools for AD as well

5t34lth_G33k (Author) commented:

Thanks for the links. The first one describes how account locking policies are not really effective for web based services, which is correct, but it doesn't really help us all that much, since we are using the default web sites set up by Small Business Server 2003. We can't really edit the pages to use CAPTCHAs, since we don't have the expertise. However, I'm pretty sure that our attacks are coming through our websites, since this is the failure audit logged in the event viewer:

Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      Administrator
       Domain:            ***
       Logon Type:      8
       Logon Process:      IIS    
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      ***
       Caller User Name:      ***$
       Caller Domain:      ***
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      608
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

I have blanked out the username/domain details.

Could this be our Outlook web access, or some other service (remote workplace etc) that is being hacked? If so, what options are open to us?

I am sorry mate, I am not familiar with SBS and especially the website side of "hacking"!
is the workstation name something on your network?
the first thing I'd be looking for is - do you have someone logged in as administrator on their desktop that's hitting your web site. This is legitimate access but of course the local administrator account on a client machine's going to have access to nothing on your server, generating the errors again and again ad nauseam.
You can take a look at your IIS logs (make sure source IP is being logged) to see what IP the requests were coming from at the time of the security audit log failures.  Don't forget your IIS logs will be in GMT+0hrs.

I've also shifted this across to the Windows Security Topic area.  The Experts there might be able to shed some more light on the situation but above would be my best guess at what's actually going on.
Sorry for the double post but I might add that these attacks are "normal" on an internet server.

If it's on your internal network you might want to setup a firewall in logging mode to determine the internal IP of your attacker.
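As an added example that is not part of this thread (it is not code from any of the posters), here is a small Python script that does what alimu suggests: it reads an IIS W3C log, counts rejected logons per client IP, and looks for entries near the time of a Windows security-log failure event, shifting the event's local time to UTC because IIS writes its logs in GMT+0. The log lines, IP addresses, URL paths and the UTC+1 offset are all constructed for illustration.

```python
"""
Correlate IIS W3C log entries with a Windows security-log logon failure to find
the client IP behind repeated password guesses against a web-facing service.
All sample data below is constructed, not taken from the thread.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed IIS 6.0 W3C extended log excerpt. IIS stamps these in UTC
# regardless of the server's local time zone. sc-win32-status 1326 is
# ERROR_LOGON_FAILURE; 0 on the 401.2 lines is the initial auth challenge.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2007-06-12 13:00:01 192.0.2.10 GET /exchange/ - 443 - 198.51.100.7 Mozilla/4.0 401 2 0
2007-06-12 13:00:02 192.0.2.10 GET /exchange/ - 443 - 198.51.100.7 Mozilla/4.0 401 1 1326
2007-06-12 13:00:03 192.0.2.10 GET /exchange/ - 443 - 198.51.100.7 Mozilla/4.0 401 1 1326
2007-06-12 13:00:04 192.0.2.10 GET /Remote/ - 443 - 198.51.100.7 Mozilla/4.0 401 1 1326
2007-06-12 13:00:09 192.0.2.10 GET /exchange/ - 443 DOMAIN\\jsmith 192.0.2.55 Mozilla/4.0 200 0 0
2007-06-12 13:05:10 192.0.2.10 GET /exchange/ - 443 - 192.0.2.56 Mozilla/4.0 401 2 0
2007-06-12 13:05:11 192.0.2.10 GET /exchange/ - 443 DOMAIN\\abrown 192.0.2.56 Mozilla/4.0 200 0 0
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in '#Fields:'.
    Other '#' directive lines are skipped; rows that do not match the declared
    column count are dropped rather than guessed at."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")  # IIS encodes spaces inside a field as '+'
        if fields is None or len(values) != len(fields):
            continue
        rec = dict(zip(fields, values))
        rec["utc"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def is_failed_logon(rec):
    """401.1 is IIS's 'logon failed' substatus: credentials were sent and rejected.
    401.2 is the challenge a client receives before sending any credentials, so it
    is not a password guess and is not counted."""
    return rec["sc-status"] == "401" and rec["sc-substatus"] == "1"


def failed_logons_by_ip(records):
    """Number of rejected logons per client IP."""
    return Counter(r["c-ip"] for r in records if is_failed_logon(r))


def suspicious_ips(records, threshold):
    """Client IPs with at least `threshold` rejected logons (candidates for a firewall block)."""
    return sorted(ip for ip, n in failed_logons_by_ip(records).items() if n >= threshold)


def failed_logons_near(records, local_event_time, utc_offset_hours, window_seconds=5):
    """Rejected logons within `window_seconds` of a security-log event.
    `local_event_time` ('YYYY-MM-DD HH:MM:SS') is in server local time, as shown
    in Event Viewer; `utc_offset_hours` converts it to the UTC used by IIS.
    Logon Type 8 (NetworkCleartext) is what IIS Basic authentication produces."""
    event_utc = datetime.strptime(local_event_time, "%Y-%m-%d %H:%M:%S") - timedelta(hours=utc_offset_hours)
    window = timedelta(seconds=window_seconds)
    return [r for r in records if is_failed_logon(r) and abs(r["utc"] - event_utc) <= window]


if __name__ == "__main__":
    recs = parse_w3c(IIS_LOG)
    print("failed logons per client IP:", dict(failed_logons_by_ip(recs)))
    print("IPs at or over threshold:", suspicious_ips(recs, 3))
    # Assumed: the server clock is UTC+1, so a 14:00:03 local event is 13:00:03 in the IIS log.
    for r in failed_logons_near(recs, "2007-06-12 14:00:03", utc_offset_hours=1, window_seconds=2):
        print(r["utc"], r["c-ip"], r["cs-uri-stem"], r["sc-status"] + "." + r["sc-substatus"])
```

The substatus check matters for the question asked in this thread: a log that shows only legitimate-looking traffic may still contain 401.1 rows, since a rejected Basic-auth attempt against OWA or Remote Web Workplace looks like an ordinary GET with a 401 status rather than a separate "bad password" message.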
DITSSINET is correct.  I'd rename the administrator account to something that you know and is not easily guessed.
5t34lth_G33k (Author) commented:
DITSSINET - I have already renamed the account, but haven't created a new one in its place. Surely it's sufficient just to change the name? Why give them ANY account to play with, even if it has no rights?

alimu - I have checked the IIS logs, but it only looks like legitimate traffic. I expected there to be more entries with failed username/password messages, but I couldn't see any. IP logging is enabled in the default website properties, as are most of the other logging options. In response to your other question, the workstation name in the above log IS something on our network - it is in fact the server name and the caller username is the server name plus a '$' - any of this mean anything?

We again had 2000 attempts yesterday - if I could find out the IP of these attempts I would love to block it
Hi, you won't find anything in the IIS log for this type of attempt. This is made in RPC mode with administrative shares.

I suggest creating an account named "administrator" with no group membership because it's the default name of the administrator built-in account. This is a diversion... If the administrator account exists, they'll try to break it: even if they succeed, this is a waste of time. During this time, your real admin account is safe. Therefore your system is safe.

The "$" is for hidden shares: every Windows machine (unless disabled in the registry) has these administrative shares: (\\servername\c$).

From what I see in your log above: I think the user is logged on to the local administrator account of his workstation and the event log is only taking the "current username". I wouldn't bother, this can easily be an accident. If I'm logged on to the local administrator account on my workstation and I try to access our intranet, I'll generate the same event in the event log.
5t34lth_G33k (Author) commented:
yes I had thought that could be the cause, but it's only very recently started to happen. We only have 15 users, so I can see that no one is logged in with local administrator.

So I take it that there's nothing I can do to track these authentication attempts?
Is the workstation name something on your network?

If you have a firewall you should consider blocking some of the ports and enable logging (I'm an ISA guy, I don't know PIX at all) in order to track him down.
5t34lth_G33k (Author) commented:
yes - it's the server name (the DC/web server)

I'm not a Cisco guy either, so anything short of allowing ports, showing running config etc are beyond me.

I guess it is sufficient to have changed the administrator username - I will keep an eye on it

thanks for all your help