cpmcomputers asked:
Multiple Unauthorised logon attempts

The Event Viewer on our SBS2003 server (which also runs MS Exchange) has shown two instances of logging multiple 529 errors as below.

There are multiple entries logged in succession over approx. ten minutes. The messages are all as below, except that the username entry is random (e.g. null, admin, 1234, bevis, shannon, soccer, etc.).

During one apparent attack I disconnected the company broadband and they stopped instantly, so it apparently looks as though this is coming from outside the network.

Can anybody advise on how we should trace and deal with this situation please?

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            30/01/2008
Time:            04:14:55
User:            NT AUTHORITY\SYSTEM
Computer:      SEMA01
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      shannon
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      Severname
       Caller User Name:      servername$
       Caller Domain:      SEMA
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      2712
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
SOLUTION from SunBow (not available on this page)
Jeffrey Kane - TechSoEasy:
This is one of those questions that's been asked a hundred times on EE.
http://www.google.com/search?q=site%3Awww.experts-exchange.com+MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Have you reviewed any of those to see if they match your problem?

Do you have any services running under a user or administrator account?

Jeff
TechSoEasy
cpmcomputers (ASKER):
Thanks to TechSoEasy and SunBow.

The server is protected by ISA 2004.
I have downloaded netmonitor and will use it to track any further attacks.

This problem has not reoccurred since we tightened up our security, but we are changing our server IP and settings as a precaution.

We have implemented a strong password policy and restricted remote access to only those few users actually needing it. We have further implemented a lockout policy after three unsuccessful login attempts.

Why does the security log not actually record the originating IP of the logon attempts?
Is it possible to have an email alert to an administrator generated for specific events?

Any advice on any other actions we could/should be taking?
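An added example (my own code, not from this thread, from Microsoft, or from any tool mentioned here) that does the two things the asker is after: it parses Event ID 529 text in the layout quoted in the question, flags a run of failures inside a ten-minute window, and builds a plain-text alert that an e-mail step could send. It also answers the "why no IP" question from the event's own fields: the quoted event shows Source Network Address "-", Logon Process "Advapi" and a Caller Process ID, which means the Security log recorded the local process that submitted the credentials rather than a client address, so the example surfaces that PID for matching against that service's own logs. The sample events are constructed (the SEMA01 name and PID 2712 are taken from the quoted event), and the five-failure threshold and ten-minute window are assumptions.

```python
"""Parse Windows Server 2003 Security-log text (Event ID 529) and flag bursts of
failed logons, reporting what the log says about where they came from.
Added example, not from the thread; thresholds and sample data are assumptions."""
import re
from datetime import datetime, timedelta

# Constructed sample data in the layout of the event quoted in the question.
EVENT_TEMPLATE = """Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            {date}
Time:            {time}
User:            NT AUTHORITY\\SYSTEM
Computer:      SEMA01
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      {user}
       Domain:
       Logon Type:      3
       Logon Process:      Advapi
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      SEMA01
       Caller User Name:      SEMA01$
       Caller Domain:      SEMA
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      {pid}
       Transited Services:      -
       Source Network Address:      {src}
       Source Port:      -

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp."""

# Constructed log: one genuine typo by a real user at 02:10, then six guesses with
# random names within seconds (the pattern described in the question), all via PID 2712.
SAMPLE_LOG = "\n\n".join(
    [EVENT_TEMPLATE.format(date="30/01/2008", time="02:10:03", user="jsmith", pid="2712", src="-")]
    + [EVENT_TEMPLATE.format(date="30/01/2008", time=t, user=u, pid="2712", src="-")
       for t, u in [("04:14:55", ""), ("04:14:56", "admin"), ("04:14:57", "1234"),
                    ("04:14:58", "bevis"), ("04:14:59", "shannon"), ("04:15:02", "soccer")]]
)

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_events(text):
    """Split exported event text into dicts keyed by field name ('Event ID', 'User Name', ...)."""
    events, current = [], None
    for line in text.splitlines():
        if line.startswith("Event Type:"):   # every exported event begins with this line
            current = {}
            events.append(current)
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2)
    return events


def event_time(ev):
    """Event Viewer export uses day/month/year dates, as in the quoted event."""
    return datetime.strptime(f"{ev['Date']} {ev['Time']}", "%d/%m/%Y %H:%M:%S")


def detect_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Return one alert per run of at least `threshold` Event 529 failures inside `window`."""
    failures = sorted((e for e in events if e.get("Event ID") == "529"), key=event_time)
    alerts, i = [], 0
    while i < len(failures):
        start = event_time(failures[i])
        j = i
        while j < len(failures) and event_time(failures[j]) - start <= window:
            j += 1
        group = failures[i:j]
        if len(group) < threshold:
            i += 1
            continue
        alerts.append({
            "first": start,
            "last": event_time(group[-1]),
            "count": len(group),
            "usernames": sorted({e.get("User Name", "") for e in group}),
            "logon_processes": sorted({e.get("Logon Process", "?") for e in group}),
            "caller_pids": sorted({e.get("Caller Process ID", "?") for e in group}),
            "source_addresses": sorted({e.get("Source Network Address", "-") for e in group}),
        })
        i = j   # skip past the run so it is reported once
    return alerts


def explain_origin(alert):
    """Say what the Security log does and does not tell you about the source."""
    if alert["source_addresses"] == ["-"]:
        return ("no Source Network Address recorded; the credentials were submitted by local "
                f"process PID {', '.join(alert['caller_pids'])} via "
                f"{', '.join(alert['logon_processes'])}; match that PID against the service's "
                "own logs (e.g. IIS or SMTP) to find the client address")
    return "source address(es): " + ", ".join(alert["source_addresses"])


def alert_message(alert):
    """Plain-text body suitable for an e-mail alert to an administrator."""
    return (f"{alert['count']} failed logons between {alert['first']:%d/%m/%Y %H:%M:%S} and "
            f"{alert['last']:%H:%M:%S}; usernames tried: "
            + ", ".join(u or "(null)" for u in alert["usernames"])
            + f"\nOrigin: {explain_origin(alert)}")


if __name__ == "__main__":
    for a in detect_bursts(parse_events(SAMPLE_LOG)):
        print(alert_message(a))
```

Feed it text saved from Event Viewer (or piped from a log-export tool) instead of SAMPLE_LOG; the dict that detect_bursts returns is what you would hand to smtplib or a scheduled task to get the e-mail alert asked about above.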
ASKER CERTIFIED SOLUTION (not available on this page)
Thanks to TechSoEasy and SunBow - both offered prompt and relevant 'pointers' to my problem, for which I am grateful. However, neither really provided the definitive answer to what was happening or a definitive resolution. Either subsequent actions I carried out resolved the issue or the attacker simply gave up? Sorry for leaving the question open for so long, and thank you once again to the guys. Despite the 'unresolved' ending to this, I feel they are both worthy of the points awarded.