
Somebody keeps trying to log into my server

Posted on 2006-06-20
Last Modified: 2013-12-04
... and this is what I get in the event viewer (mydomain is my domain):
How can I find out his IP address?
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      !@#
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      SERVER1
       Caller User Name:      SERVER1$
       Caller Domain:      MYDOMAIN
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      572
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -
0
Question by:Cubbybulin
12 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 16942115
Workstation Name: Server1??? What is it?

Cheers,
Rajesh
0
 

Author Comment

by:Cubbybulin
ID: 16942182
That's my server that they try to log into (I changed the name here).
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 16942718
Okay, this has to do with IIS on the same box? Do you need to have IIS on that box? Can you describe more on the 'role' of this box?

Cheers,
Rajesh
0

 

Author Comment

by:Cubbybulin
ID: 16942881
Yeah, I have IIS on it, and that needs to be on. I do have IIS logging enabled, but they are just a pain to look over, and so far I could not see anything weird. I need IIS for Exchange web access.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 16943048
I don't know but you should also have some more logs pertaining to the same. You need to find out the Event ID and only then this can be correlated to what problem it is coming from.

Cheers,
Rajesh
0
 

Author Comment

by:Cubbybulin
ID: 16943208
Event ID is 529
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 16943261
OK. Take a look at this:

http://www.windowsitpro.com/Article/ArticleID/38309/38309.html

Cheers,
Rajesh
0
 

Author Comment

by:Cubbybulin
ID: 16943412
Yeah, but I don't get this often, only around 1:00 in the morning, and only on the weekends (not every weekend). And they keep trying different usernames, such as admin, guest, webmaster, and so on. We had somebody laid off a year ago, who right after that tried to log on, and always around midnight to early in the morning. He can't sleep. He might be back. I need to find out the IP address where they are trying to log on from.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 16943823
Hmm, I understand. What kind of network infrastructure do you have? You can enable logging on the firewall or router and monitor it to see the inbound connections.

Cheers,
Rajesh
0
 
LVL 11

Accepted Solution

by:
rafael_acc earned 500 total points
ID: 16945212
Install a packet sniffer and log the packets coming to your outside interface.
Check the log next day ...

A good packet sniffer is Ethereal.


cheers
0
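
The Event 529 record in the question has no Source Network Address, and the thread raises IIS (Exchange web access) as the possible entry point. Assuming that is the path, and that IIS writes W3C extended logs with `c-ip` and `sc-status` enabled, the following added example (not code from any poster in this thread) lists the client IPs that received HTTP 401 responses around the time of a logged failure. The function name, the sample log lines, and the UTC offset are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended format (not from the original thread).
# 192.0.2.x and 198.51.100.x are reserved documentation addresses.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2006-06-18 04:58:40 192.0.2.10 MYDOMAIN\\alice GET /exchange/ 200
2006-06-18 05:01:12 198.51.100.7 admin GET /exchange/ 401
2006-06-18 05:01:15 198.51.100.7 guest GET /exchange/ 401
2006-06-18 05:01:19 198.51.100.7 webmaster GET /exchange/ 401
2006-06-18 05:02:03 192.0.2.10 - GET /exchange/ 401
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2006-06-18 09:30:00 192.0.2.44 GET /exchange/ 401
"""

def failed_auth_by_ip(lines, event_local, utc_offset_hours, window_min=5):
    """Group HTTP 401 responses by client IP near a security-event time.
    event_local is the Event Viewer (local) time; W3C logs are written in UTC."""
    centre = event_local - timedelta(hours=utc_offset_hours)
    lo, hi = centre - timedelta(minutes=window_min), centre + timedelta(minutes=window_min)
    fields, hits = [], defaultdict(lambda: {"count": 0, "users": set()})
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        try:
            ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        except (KeyError, ValueError):
            continue                       # malformed or truncated row
        if row.get("sc-status") != "401" or not lo <= ts <= hi:
            continue
        entry = hits[row.get("c-ip", "?")]
        entry["count"] += 1
        if row.get("cs-username", "-") != "-":
            entry["users"].add(row["cs-username"])
    return dict(hits)

if __name__ == "__main__":
    # Assumed: failure logged at 01:01 local time on a server at UTC-4.
    result = failed_auth_by_ip(SAMPLE_LOG.splitlines(), datetime(2006, 6, 18, 1, 1), -4)
    for ip, info in sorted(result.items(), key=lambda kv: -kv[1]["count"]):
        print(ip, info["count"], sorted(info["users"]))
```

A single 401 per request is normal for browsers negotiating authentication, so the signal is an address with repeated 401s and several different usernames inside the window.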
