Cubbybulin
asked on
Somebody keeps trying to log into my server
... and this is what I get in the event viewer (mydomain is my domain):
How can I find out his IP address?
Logon Failure:
Reason: Unknown user name or bad password
User Name: !@#
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: SERVER1
Caller User Name: SERVER1$
Caller Domain: MYDOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 572
Transited Services: -
Source Network Address: -
Source Port: -
ASKER
That's my server that they try to log into (I changed the name here)
Okay, this has to do with IIS on the same box? Do you need to have IIS on that box? Can you describe more on the 'role' of this box?
Cheers,
Rajesh
ASKER
Yeah, I have IIS on it, and that needs to be on. I do have IIS logging enabled, but the logs are just a pain to look over, and so far I could not see anything weird. I need IIS for Exchange web access.
I don't know but you should also have some more logs pertaining to the same. You need to find out the Event ID and only then this can be correlated to what problem it is coming from.
Cheers,
Rajesh
ASKER
Event ID is 529
Ok. Take a look at this;
http://www.windowsitpro.com/Article/ArticleID/38309/38309.html
Cheers,
Rajesh
ASKER
Yeah, but I don't get this often, only around 1:00 in the morning, and only on the weekends (not every weekend). And they keep trying different usernames, such as admin, guest, webmaster, and so on. We had somebody laid off a year ago, who right after that tried to log on, and always around midnight to early in the morning. He can't sleep. He might be back. I need to find out the IP address where they are trying to log on from.
Hmm, I understand. What kind of network infrastructure do you have? You can enable logging on the firewall or router and monitor it to see the inbound connections.
Cheers,
Rajesh
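Added example, not part of the original thread: one way to pull a candidate source IP out of the IIS logs mentioned above, on the thread's premise that these 529 events come from logons IIS makes on behalf of web clients (which is why the event itself shows no source address). It keeps only 401 responses within a short window of each failed-logon time and tallies them per client IP. The log lines, addresses, UTC offset and function names are constructed for illustration; the field names are the standard W3C extended ones.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended format (addresses are documentation ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2005-03-06 05:58:10 192.0.2.10 MYDOMAIN\\alice GET /exchange/ 200
2005-03-06 06:01:02 203.0.113.77 - GET /exchange/ 401
2005-03-06 06:01:03 203.0.113.77 admin GET /exchange/ 401
2005-03-06 06:01:05 203.0.113.77 guest GET /exchange/ 401
2005-03-06 06:01:40 198.51.100.4 - GET /exchange/ 401
2005-03-06 09:30:00 203.0.113.77 webmaster GET /exchange/ 401
"""

def parse_w3c(text):
    """Yield one dict per request, using the most recent #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):   # skip truncated or odd lines
                yield dict(zip(fields, parts))

def suspects(text, failure_local, utc_offset_hours, window_s=120):
    """Count 401 responses per client IP near each failed-logon time.

    failure_local: Event Viewer timestamps (server local time).
    IIS writes W3C logs in UTC by default, so convert before comparing.
    """
    targets = [t - timedelta(hours=utc_offset_hours) for t in failure_local]
    hits = Counter()
    for rec in parse_w3c(text):
        if rec.get("sc-status") != "401":
            continue
        when = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        if any(abs((when - t).total_seconds()) <= window_s for t in targets):
            hits[rec["c-ip"]] += 1
    return hits.most_common()

if __name__ == "__main__":
    # Constructed: two 529 events seen at 01:01 local time on a server at UTC-5.
    events = [datetime(2005, 3, 6, 1, 1, 3), datetime(2005, 3, 6, 1, 1, 5)]
    for ip, count in suspects(SAMPLE_LOG, events, utc_offset_hours=-5):
        print(ip, count)
```

An address that tops the tally across several of the weekend nights is the one to look for in firewall or router logs; a single 401 from an address is normal, since browsers get one before they send credentials.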
ASKER CERTIFIED SOLUTION
Cheers,
Rajesh