• Status: Solved

Somebody keeps trying to log into my server

... and this is what I get in the event viewer (mydomain is my domain):
How can I find out his IP address?
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      !@#
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      SERVER1
       Caller User Name:      SERVER1$
       Caller Domain:      MYDOMAIN
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      572
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -
Asked: Cubbybulin
 
rsivanandan Commented:
Workstation Name: Server1??? What is it?

Cheers,
Rajesh

Cubbybulin (Author) Commented:
That's my server that they try to log into (I changed the name here).

rsivanandan Commented:
Okay, this has to do with IIS on the same box? Do you need to have IIS on that box? Can you describe more on the 'role' of this box?

Cheers,
Rajesh

Cubbybulin (Author) Commented:
Yeah, I have IIS on it, and that needs to be on. I do have IIS logging enabled, but they are just a pain to look over, and so far I could not see anything weird. I need IIS for Exchange web access.

rsivanandan Commented:
I don't know but you should also have some more logs pertaining to the same. You need to find out the Event ID and only then this can be correlated to what problem it is coming from.

Cheers,
Rajesh

Cubbybulin (Author) Commented:
Event ID is 529

rsivanandan Commented:
OK. Take a look at this:

http://www.windowsitpro.com/Article/ArticleID/38309/38309.html

Cheers,
Rajesh

Cubbybulin (Author) Commented:
Yeah, but I don't get this often, only around 1:00 in the morning, and only on the weekends (not every weekend). And they keep trying different usernames, such as admin, guest, webmaster, and so on. We had somebody laid off a year ago, who right after that tried to log on, and always around midnight-early in the morning. He can't sleep. He might be back. I need to find out the IP address where they are trying to log on from.

rsivanandan Commented:
Hmm, I understand. What kind of network infrastructure do you have? You can enable logging on the firewall or router and monitor it to see the inbound connections.

Cheers,
Rajesh

rafael_acc Commented:
Install a packet sniffer and log the packets coming to your outside interface.
Check the log the next day ...

A good packet sniffer is Ethereal.


cheers
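
An added example, not part of the original thread or any poster's code: the 529 event above carries no Source Network Address, so if the failures come in through IIS (as suggested in the thread), the client address can be recovered by pulling the 401 responses logged around the event time and grouping them by `c-ip`. The sample log lines, the field order in `#Fields:`, the addresses and the event time are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an IIS W3C extended log; all addresses and names are made up.
# W3C log times are UTC, Event Viewer shows local time: convert before comparing.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2006-03-04 23:58:10 192.0.2.10 MYDOMAIN\\alice GET /exchange/ 200
2006-03-05 01:02:11 203.0.113.77 - GET /exchange/ 401
2006-03-05 01:02:12 203.0.113.77 admin GET /exchange/ 401
2006-03-05 01:02:14 203.0.113.77 guest GET /exchange/ 401
2006-03-05 01:02:15 203.0.113.77 webmaster GET /exchange/ 401
2006-03-05 01:03:40 198.51.100.5 - GET /exchange/ 401
2006-03-05 01:03:41 198.51.100.5 MYDOMAIN\\bob GET /exchange/ 200
"""


def failed_auth_by_ip(log_text, event_time_utc, window_minutes=5, min_failures=3):
    """List (client_ip, 401_count, usernames) seen near a logon-failure event.

    A single 401 is the normal authentication challenge, so only clients
    with at least min_failures 401 responses in the window are reported.
    """
    lo = event_time_utc - timedelta(minutes=window_minutes)
    hi = event_time_utc + timedelta(minutes=window_minutes)
    fields, hits = [], defaultdict(lambda: [0, set()])
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # the header may change mid-file
            continue
        parts = line.split()
        if line.startswith("#") or not fields or len(parts) != len(fields):
            continue                           # directive, or malformed line
        row = dict(zip(fields, parts))
        try:
            ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        except (KeyError, ValueError):
            continue                           # no usable timestamp on this line
        if row.get("sc-status") != "401" or not lo <= ts <= hi:
            continue
        entry = hits[row.get("c-ip", "unknown")]
        entry[0] += 1
        if row.get("cs-username", "-") != "-":
            entry[1].add(row["cs-username"])
    report = [(ip, n, sorted(users)) for ip, (n, users) in hits.items() if n >= min_failures]
    return sorted(report, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    # Time of the event 529 entry, already converted to UTC (constructed value).
    for ip, count, users in failed_auth_by_ip(SAMPLE_LOG, datetime(2006, 3, 5, 1, 2, 12)):
        print(f"{ip}: {count} failed requests, usernames tried: {users}")
```

The function only works if `c-ip`, `sc-status`, `date` and `time` are among the fields selected in the site's logging properties; lines without them are skipped.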