Windows 2003 Under Attack
Posted on 2006-06-20
I have a Windows 2003 Server under attack.
Something is trying to log into the computer.
Looking at the event log, several computers (different) and not on my domain are trying over and over again to log into accounts that they shouldn't even know about.
Reason: Account locked out
User Name: supplies
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: SAKUMA-DQ19P9SO
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 220.127.116.11
Source Port: 0
Here is an example
I have security to lock out accounts after 5 tries. Using strong passwords but this user's account is going to get hit thousands of times.
In my router, I think I have blocked all ports from 1800 to 50000. This worked for about 4 hours and then the hits came back.
If I unplug the router from the Internet, the login attempts stop.
Give me some advice. I've been at this for two days now.