Hacker Attempt?

Need to know what is going on here - SBS 2003 box - I found this in my server summary report email this AM.  Is this someone trying to hack into my server?

Source     Event ID   Last Occurrence      Total Occurrences
Security   529        10/1/2007 4:05 AM    69 *
Logon Failure:
  Reason: Unknown user name or bad password
  User Name: 12345678
  Domain:  
  Logon Type: 3
  Logon Process: Advapi
  Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  Workstation Name: MAINSERVER
  Caller User Name: MAINSERVER$
  Caller Domain: DKCONTRACTORS
  Caller Logon ID: (0x0,0x3E7)
  Caller Process ID: 1884
  Transited Services: -
  Source Network Address: -
  Source Port: -
 

Thanks,

Bill
Asked by: billrush2
 
r-k Commented:
It's possible someone is trying to hack, but if there is just one such entry I would not think so. Also, the username "12345678" seems more like a password than a username. It's possible one of your users put their password in the username field.

To stop password-guessing attacks, set an account lockout policy, and pick a long, hard-to-guess password for the Administrator account (which can't be locked out). Also configure your firewall, if you have one, to restrict access.

You might look at the process with PID 1884.

This is a useful link on this topic:

 http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx



 
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
It's doubtful that these are hack attempts... please see my responses to this same question answered before:
http:Q_22471975.html
http:Q_22014387.html

Jeff
TechSoEasy
 
billrush2 (Author) Commented:
Process 1884 is "inetinfo.exe".  Quick web search says that this is a Windows troubleshooting app.  I checked the location of this .exe and it is living in MS dirs, so I think it is not an external threat.  I would really like to know why it is throwing the error and how to correct this.

Bill
 
r-k Commented:
Inetinfo.exe is the IIS web server. If the failed login is only sporadic I would ignore it, but if you are getting dozens of them, then look at the IIS logs for the times around the failed login attempts to see where they are coming from, and what command they are trying to use.

In general you are better off implementing some basic security policies outlined above rather than worrying about each specific attempt.

Along that line, a good idea is to download and run MBSA and follow as many of the suggestions as reasonable:

 http://www.microsoft.com/technet/security/tools/mbsahome.mspx
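One way to do the IIS log correlation suggested in the comment above, as an added example that is not part of the original thread: it takes the local time of an Event 529 failure and counts the requests IIS answered with HTTP 401 within a few minutes of it, grouped by client IP, method and URL. The log lines, IP addresses and the UTC offset are constructed assumptions; IIS W3C logs record time in UTC while the summary report shows local time, so the offset must match the server.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of an IIS W3C extended log (times are UTC).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2007-10-01 08:03:10 192.0.2.44 GET /exchange/ 401
2007-10-01 08:04:58 192.0.2.44 GET /exchange/ 401
2007-10-01 08:05:02 198.51.100.7 GET /default.htm 200
2007-10-01 08:05:40 192.0.2.44 GET /exchange/ 401
2007-10-01 11:30:00 203.0.113.9 GET /remote/ 401
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # the header can change mid-file
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["when"] = datetime.strptime(
                row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            yield row

def failed_auth_near(log_text, event_local, utc_offset_hours, window_minutes=5):
    """Count HTTP 401 responses per (client IP, method, URL) around a 529 event."""
    event_utc = event_local - timedelta(hours=utc_offset_hours)
    window = timedelta(minutes=window_minutes)
    hits = Counter()
    for row in parse_w3c(log_text):
        if row.get("sc-status") == "401" and abs(row["when"] - event_utc) <= window:
            hits[(row["c-ip"], row["cs-method"], row["cs-uri-stem"])] += 1
    return hits

if __name__ == "__main__":
    # Last occurrence in the report: 10/1/2007 4:05 AM local time.
    # The UTC offset of -4 hours is an assumption for this example.
    event = datetime(2007, 10, 1, 4, 5)
    for (ip, method, url), n in failed_auth_near(SAMPLE_LOG, event, -4).most_common():
        print(f"{ip}  {method} {url}  401s={n}")
```

A single external address with many 401s against one URL points to password guessing; 401s from internal addresses more often indicate a misconfigured client or service.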
 
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
I wouldn't ignore it...  you should run through the troubleshooting steps outlined in this Newsgroup post to find out what's causing it:

http://groups.google.com/group/microsoft.public.windows.server.sbs/browse_thread/thread/c52e05f867ba916/72ed0fda7acf615a?hl=en&lnk=st

Jeff
TechSoEasy
Question has a verified solution.