Somebody keeps trying to log into my server

... and this is what I get in the event viewer (mydomain is my domain):
How can I find out his IP address?
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      !@#
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      SERVER1
       Caller User Name:      SERVER1$
       Caller Domain:      MYDOMAIN
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      572
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -
Cubbybulin Asked:
 
rafael_acc Commented:
Install a packet sniffer and log the packets coming to your outside interface.
Check the log next day ...

A good packet sniffer is Ethereal.


cheers
0
 
rsivanandan Commented:
Workstation Name: Server1??? What is it?

Cheers,
Rajesh
0
 
Cubbybulin (Author) Commented:
That's my server that they try to log into (I changed the name here).
0
 
rsivanandan Commented:
Okay, this has to do with IIS on the same box? Do you need to have IIS on that box? Can you describe more on the 'role' of this box?

Cheers,
Rajesh
0
 
Cubbybulin (Author) Commented:
Yeah, I have IIS on it, and that needs to be on. I do have IIS logging enabled, but the logs are just a pain to look over, and so far I could not see anything weird. I need IIS for Exchange web access.
0
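
Added example (not part of any post in this thread): one way to avoid reading the IIS logs by hand is to pull out the 401 responses that fall near the time of an Event ID 529 and group them by client IP. It assumes the failed logons arrive through IIS and that the site logs in W3C extended format with the `c-ip`, `cs-username` and `sc-status` fields enabled; the log lines, addresses, date and the function names `parse_w3c` and `failed_auth_sources` are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended format (not taken from the thread).
# Addresses come from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2006-03-05 00:58:40 192.0.2.10 MYDOMAIN\\alice GET /exchange/ 200
2006-03-05 01:02:11 198.51.100.7 admin GET /exchange/ 401
2006-03-05 01:02:13 198.51.100.7 guest GET /exchange/ 401
2006-03-05 01:02:15 198.51.100.7 webmaster GET /exchange/ 401
2006-03-05 01:02:16 198.51.100.7 !@# GET /exchange/ 401
2006-03-05 01:03:00 192.0.2.10 - GET /exchange/ 401
2006-03-05 09:15:02 192.0.2.10 bob GET /exchange/ 401
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields: header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def failed_auth_sources(text, event_time_utc, window_minutes=5):
    """Return (client IP, count, usernames) for 401s near a failed-logon event."""
    window = timedelta(minutes=window_minutes)
    hits, names = Counter(), {}
    for row in parse_w3c(text):
        # A 401 with username "-" is the routine anonymous challenge, not a bad password.
        if row.get("sc-status") != "401" or row.get("cs-username", "-") == "-":
            continue
        when = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        if abs(when - event_time_utc) <= window:
            hits[row["c-ip"]] += 1
            names.setdefault(row["c-ip"], set()).add(row["cs-username"])
    return [(ip, n, sorted(names[ip])) for ip, n in hits.most_common()]

if __name__ == "__main__":
    # Event Viewer shows local time; IIS W3C logs are written in UTC. Convert first.
    event = datetime(2006, 3, 5, 1, 2, 16)
    for ip, count, users in failed_auth_sources(SAMPLE_LOG, event):
        print(ip, count, users)
```

The usernames listed per address can be compared with the User Name values in the 529 events to confirm that the IIS entries and the Security log entries describe the same attempts.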
 
rsivanandan Commented:
I don't know but you should also have some more logs pertaining to the same. You need to find out the Event ID and only then this can be correlated to what problem it is coming from.

Cheers,
Rajesh
0
 
Cubbybulin (Author) Commented:
Event ID is 529
0
 
rsivanandan Commented:
OK. Take a look at this:

http://www.windowsitpro.com/Article/ArticleID/38309/38309.html

Cheers,
Rajesh
0
 
Cubbybulin (Author) Commented:
Yeah, but I don't get this often, only around 1:00 in the morning, and only on the weekends (not every weekend). And they keep trying different usernames, such as admin, guest, webmaster, and so on. We had somebody laid off a year ago, who right after that tried to log on, and always around midnight to early in the morning. He can't sleep. He might be back. I need to find out the IP address where they are trying to log on from.
0
 
rsivanandan Commented:
Hmm, I understand. What kind of network infrastructure do you have? You can enable logging on the firewall or router and monitor it to see the inbound connections.

Cheers,
Rajesh
0