Suspected hacking attempts

morse57 asked on
VPN, SBS, OS Security
9 Comments, 1 Solution, 2879 Views
Hi folks

I need some help with an apparent security problem, please.
I am getting events as below, in random blocks - nothing for several days, then up to a hundred similar events in the space of a few hours. I suspect it is a hacking attempt because there are different generic usernames being employed, i.e. admin, root, www, administrator, test, master, etc.

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            26/03/2007
Time:            04:27:13
User:            NT AUTHORITY\SYSTEM
Computer:      OUR-SERVER
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      test
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      OUR-SERVER
       Caller User Name:      OUR-SERVER$
       Caller Domain:      OUR-DOMAIN
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      2592
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

As you can see, the eventlog is no help in identifying the port being used.
We run a VPN for two users within the organisation and MS Exchange within SBS2003. I have port-scanned up to port 1055 using Shields-Up & everything is stealthed, except the following ports:
Open - 25 - smtp
Closed - 110 - pop3
Open - 443 - https
Open - 444 - snmp

Do you think that these are hacking attempts?  
Do I need these ports open for our mail & remote users?
Is there a way I can get information as to the originating port?

Any help appreciated
Many thanks
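
An added example, not part of the original question: a Python script that triages exported Event ID 529 records in the layout shown above, grouping failures into bursts and flagging the bursts that tried several distinct user names. The sample records, the `jsmith` account, and the 3-hour gap and 4-name thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta

WANTED = {"Event ID", "Date", "Time", "User Name", "Logon Type", "Source Network Address"}

def parse_events(text):
    """Return one dict per Event ID 529 record found in exported event-log text."""
    records, cur = [], {}
    for line in text.splitlines() + ["Event Type:"]:  # sentinel flushes the last record
        key, _, val = line.strip().partition(":")
        if key == "Event Type":
            if cur.get("Event ID") == "529":
                stamp = cur["Date"] + " " + cur["Time"]
                cur["when"] = datetime.strptime(stamp, "%d/%m/%Y %H:%M:%S")
                records.append(cur)
            cur = {}
        elif key in WANTED:  # "Caller User Name" is a different key, so it is skipped
            cur[key] = val.strip()
    return records

def find_bursts(events, max_gap=timedelta(hours=3), min_names=4):
    """Group failures separated by at most max_gap; keep the groups that tried
    at least min_names distinct user names (guessing, not one user mistyping)."""
    groups = []
    for ev in sorted(events, key=lambda e: e["when"]):
        if groups and ev["when"] - groups[-1][-1]["when"] <= max_gap:
            groups[-1].append(ev)
        else:
            groups.append([ev])
    flagged = []
    for g in groups:
        names = sorted({e["User Name"].lower() for e in g})
        if len(names) >= min_names:
            flagged.append({"start": g[0]["when"], "end": g[-1]["when"], "failures": len(g),
                            "names": names,
                            "sources": sorted({e.get("Source Network Address", "-") for e in g})})
    return flagged

def make_record(date, time, user):  # constructed sample record in the 529 layout shown above
    return (f"Event Type:\tFailure Audit\nEvent ID:\t529\nDate:\t\t{date}\nTime:\t\t{time}\n"
            f"Description:\nLogon Failure:\n\tUser Name:\t{user}\n\tLogon Type:\t3\n"
            f"\tCaller User Name:\tOUR-SERVER$\n\tSource Network Address:\t-\n")

SAMPLE = "".join(make_record(*r) for r in [  # constructed data, not from the poster's log
    ("26/03/2007", "04:27:13", "test"), ("26/03/2007", "04:27:15", "admin"),
    ("26/03/2007", "04:27:19", "root"), ("26/03/2007", "04:31:02", "www"),
    ("26/03/2007", "05:02:40", "administrator"),
    ("29/03/2007", "09:14:55", "jsmith"), ("29/03/2007", "09:15:20", "jsmith")])

if __name__ == "__main__":
    for b in find_bursts(parse_events(SAMPLE)):
        print(b["start"], "->", b["end"], b["failures"], "failures;", ", ".join(b["names"]),
              "; sources:", b["sources"])
```

A `sources` value of `-` for a flagged burst means the events carry no source address, as in the record above, so the time range has to be matched against firewall or mail/web service logs to find the origin.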