Solved

Somebody keeps trying to log into my server

Posted on 2006-06-20
Last Modified: 2013-12-04
... and this is what I get in the event viewer (mydomain is my domain):
How can I find out his IP address?
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      !@#
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      SERVER1
       Caller User Name:      SERVER1$
       Caller Domain:      MYDOMAIN
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      572
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -
Question by:Cubbybulin
12 Comments
 
LVL 32

Expert Comment

by:rsivanandan
Workstation Name: Server1??? What is it?

Cheers,
Rajesh
0
 

Author Comment

by:Cubbybulin
That's my server that they try to log into (I changed the name here).
0
 
LVL 32

Expert Comment

by:rsivanandan
Okay, this has to do with IIS on the same box? Do you need to have IIS on that box? Can you describe more about the 'role' of this box?

Cheers,
Rajesh
0
 

Author Comment

by:Cubbybulin
Yeah, I have IIS on it, and that needs to be on. I do have IIS logging enabled, but the logs are just a pain to look over, and so far I could not see anything weird. I need IIS for Exchange web access.
0
 
LVL 32

Expert Comment

by:rsivanandan
I don't know, but you should also have some more logs pertaining to the same. You need to find out the Event ID, and only then can this be correlated to what problem it is coming from.

Cheers,
Rajesh
0

Author Comment

by:Cubbybulin
Event ID is 529
0
 
LVL 32

Expert Comment

by:rsivanandan
OK. Take a look at this:

http://www.windowsitpro.com/Article/ArticleID/38309/38309.html

Cheers,
Rajesh
0
 

Author Comment

by:Cubbybulin
Yeah, but I don't get this often, only around 1:00 in the morning, and only on the weekends (not every weekend). And they keep trying different usernames, such as admin, guest, webmaster, and so on. We had somebody laid off a year ago, who right after that tried to log on, and always around midnight or early in the morning. He can't sleep. He might be back. I need to find out the IP address where they are trying to log on from.
0
 
LVL 32

Expert Comment

by:rsivanandan
Hmm, I understand. What kind of network infrastructure do you have? You can enable logging on the firewall or router and monitor it to see the inbound connections.

Cheers,
Rajesh
0
 
LVL 11

Accepted Solution

by: rafael_acc earned 125 total points
Install a packet sniffer and log the packets coming to your outside interface.
Check the log the next day ...

A good packet sniffer is Ethereal.


cheers
0
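Added example, not part of the original thread: the 529 event in the question carries no source address, and the asker finds the IIS logs a pain to look over. Assuming the attempts arrive through IIS (the thread never confirms this), the following Python script lists the client IPs that received a 401 within a couple of seconds of each failed logon; the log lines, timestamps, UTC offset and function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in IIS W3C extended format (this format logs time in UTC).
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2006-06-18 05:01:58 192.0.2.10 - GET /exchange/ 401
2006-06-18 05:02:03 203.0.113.77 admin GET /exchange/ 401
2006-06-18 05:02:04 203.0.113.77 guest GET /exchange/ 401
2006-06-18 05:02:06 203.0.113.77 webmaster GET /exchange/ 401
2006-06-18 09:15:00 198.51.100.5 jsmith GET /exchange/ 200
"""

def parse_w3c(text):
    """Yield one dict per request; column names come from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            stamp = datetime.strptime(row["date"] + " " + row["time"],
                                      "%Y-%m-%d %H:%M:%S")
            row["ts"] = stamp.replace(tzinfo=timezone.utc)
            yield row

def suspects(log_text, failure_times, utc_offset_hours, window_s=2):
    """Map client IP -> usernames tried, for 401s near a failed logon.

    failure_times: naive local datetimes copied from the event 529 entries.
    utc_offset_hours: server's local offset (Event Viewer shows local time).
    """
    tz = timezone(timedelta(hours=utc_offset_hours))
    fails = [t.replace(tzinfo=tz) for t in failure_times]
    found = {}
    for row in parse_w3c(log_text):
        if row.get("sc-status") != "401":
            continue  # only authentication failures are of interest
        if any(abs((row["ts"] - f).total_seconds()) <= window_s for f in fails):
            found.setdefault(row["c-ip"], set()).add(row.get("cs-username", "-"))
    return found

if __name__ == "__main__":
    # Constructed event 529 times; the server is assumed to run at UTC-4.
    events = [datetime(2006, 6, 18, 1, 2, 3), datetime(2006, 6, 18, 1, 2, 5)]
    for ip, users in suspects(SAMPLE_IIS_LOG, events, -4).items():
        print(ip, sorted(users))
```

If the server clock and the IIS log disagree by more than a second or two, widen `window_s` and expect some unrelated 401 challenges in the result.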