Solved

Hacker Attempt?

Posted on 2007-10-01
Last Modified: 2013-12-04
Need to know what is going on here - SBS 2003 box - I found this in my server summary report email this AM.  Is this someone trying to hack into my server?

Source Event ID Last Occurrence Total Occurrences
  Security 529 10/1/2007 4:05 AM 69 *
Logon Failure:
  Reason: Unknown user name or bad password
  User Name: 12345678
  Domain:  
  Logon Type: 3
  Logon Process: Advapi
  Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  Workstation Name: MAINSERVER
  Caller User Name: MAINSERVER$
  Caller Domain: DKCONTRACTORS
  Caller Logon ID: (0x0,0x3E7)
  Caller Process ID: 1884
  Transited Services: -
  Source Network Address: -
  Source Port: -
 

Thanks,

Bill
Question by:billrush2
Accepted Solution

by:
r-k earned 1050 total points
ID: 19996446
It's possible someone is trying to hack, but if there is just one such entry I would not think so. Also, the username "12345678" seems more like a password than a username. It's possible one of your users put their password in the username field.

To stop password guessing attacks, set an account lockout policy, and pick a long and hard to guess password for the Administrator account (which can't be locked out). Also configure your firewall if you have one to restrict access.

You might look at the process with PID 1884.

This is a useful link on this topic:

 http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx




Assisted Solution

by:Jeffrey Kane - TechSoEasy
Jeffrey Kane - TechSoEasy earned 450 total points
ID: 19996669
It's doubtful that these are hack attempts... please see my responses to this same question answered before:
http:Q_22471975.html
http:Q_22014387.html

Jeff
TechSoEasy

Author Comment

by:billrush2
ID: 19998521
Process 1884 is "inetinfo.exe".  Quick web search says that this is a Windows troubleshooting app.  I checked the location of this .exe and it is living in MS dirs, so I think it is not an external threat.  I would really like to know why it is throwing the error and how to correct this.

Bill

Assisted Solution

by:r-k
r-k earned 1050 total points
ID: 19998674
Inetinfo.exe is the IIS web server. If the failed login is only sporadic I would ignore it, but if you are getting dozens of them, then look at the IIS logs for the times around the failed login attempts to see where they are coming from, and what command they are trying to use.

In general you are better off implementing some basic security policies outlined above rather than worrying about each specific attempt.

Along that line, a good idea is to download and run MBSA and follow as many of the suggestions as reasonable:

 http://www.microsoft.com/technet/security/tools/mbsahome.mspx
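
The IIS log check suggested in the post above, as an added example that is not part of the original thread: it parses IIS W3C extended log lines and counts the 401 responses that fall within a minute of a Security 529 event, grouped by client IP, attempted user name and URL. The sample log lines, the `/exchange/` path, the client addresses and the UTC-4 offset are constructed for illustration; IIS writes W3C logs in UTC by default, so the local event-log time has to be converted before comparing.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended format (log times are UTC by default).
SAMPLE_IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-win32-status
2007-10-01 08:04:58 GET /exchange/ 12345678 192.0.2.10 401 1326
2007-10-01 08:05:01 GET /exchange/ 12345678 192.0.2.10 401 1326
2007-10-01 08:05:03 GET /default.htm - 198.51.100.7 200 0
2007-10-01 09:30:00 GET /exchange/ bob 203.0.113.5 401 1326
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names on the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(
                row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            yield row

def failed_auth_near(log_text, event_local, utc_offset_hours, window_s=60):
    """Count 401 responses within window_s seconds of a 529 event.

    event_local is the time shown in the event log (server local time);
    utc_offset_hours is the server's offset from UTC (assumed, e.g. -4).
    Returns a Counter keyed by (c-ip, cs-username, cs-uri-stem).
    """
    event_utc = event_local - timedelta(hours=utc_offset_hours)
    window = timedelta(seconds=window_s)
    hits = Counter()
    for row in parse_w3c(log_text):
        if row.get("sc-status") == "401" and abs(row["ts"] - event_utc) <= window:
            hits[(row["c-ip"], row["cs-username"], row["cs-uri-stem"])] += 1
    return hits

if __name__ == "__main__":
    # Event time from the report above: 10/1/2007 4:05 AM, server local time.
    event = datetime(2007, 10, 1, 4, 5)
    for (ip, user, uri), n in failed_auth_near(SAMPLE_IIS_LOG, event, -4).most_common():
        print(f"{n:3d}  {ip:15s} user={user} uri={uri}")
```

A `sc-win32-status` of 1326 is the Win32 "unknown user name or bad password" error, which matches the reason text in the 529 event.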

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20002055
I wouldn't ignore it...  you should run through the troubleshooting steps outlined in this Newsgroup post to find out what's causing it:

http://groups.google.com/group/microsoft.public.windows.server.sbs/browse_thread/thread/c52e05f867ba916/72ed0fda7acf615a?hl=en&lnk=st

Jeff
TechSoEasy