Possible Hack Attempt

Last Modified: 2010-04-02
I receive this error message on my server and other error messages similar to it.  Like attempts to log in to the Admin account.  They show up in the event viewer/System log.  The error message shows up like 500 times if not more.  I just wonder what I can do to block this from happening.


The server was unable to logon the Windows NT account 'oracle' due to the following error: Logon failure: unknown user name or bad password.  The data is the error code.

Author

Commented:
How could I track who was doing this?  The server is a Windows 2000 server.
Rick Hobbs (RETIRED)
CERTIFIED EXPERT
Top Expert 2006

Commented:
If you have a router, turn on logging for the login ports and send the log to a syslog server.  Also turn on account logging on the server.
Who is doing this is probably a question you can't answer.
The question really is how they are getting to your server in the first place.
Is your server behind a firewall?
Are you publishing the whole server (i.e. it is either directly connected or in a DMZ on your router)?
You should really be publishing only the ports you need.
(e.g. a mail server would only publish port 25)

If remote users need access to your SQL/Oracle database I would suggest that they connect to a VPN first.
Re-reading your question..
You probably don't have Oracle or SQL - this is just the username that a hacker is attempting to log in with.
Hence you must have other ports open..
Or,
the attack is coming from inside your network, from a computer that has a virus.
Depending on how many computers you have and what antivirus software you are using there will be several ways to narrow this down - but chances are it is from the computer that is running the slowest!
If you have a Cisco firewall there is an option to enable some trap (I don't recall the name), but its function is to make the hacker think he hacked you while it just logs his details, and he may be tracked.

Author

Commented:
We only have the ports open on the firewall that we need.  I was just wondering if I could see the IP address where this was coming from.
A lot of servers will see errors like this - proof that you should have strong password policies, especially for domain administrators.
2000 won't have enough logging for you to see the source IP address.
I would still be curious about which ports you have open.
If it is internal, the event security log will often show the machine name (at least in 2003 Server it does).
If you have VPN ports open, you can pretty much guarantee that this will happen.
Commented:
One common attack I see is SQL injection. This is an attack that goes through a web application that does not have any input validation, or where it is handled at the client end (bad idea). I would look at your web server that is the front end for the database to see if the attack is coming from there. As a stop gap I would look to see where the requests are coming from and block that DNS name (blocking an IP is usually futile).

Commented:
It is unlikely that this is an injection attack; you would see different symptoms. If the server is on the public internet, or you are running a web server or a database server on this specific server, you will want to consider other types of attacks that can, and might, be happening.
For now I think it is best to identify where the traffic is coming from.

Commented:
Oh!  One more thing I just thought of.

Configured scheduled tasks.    If you've specified the username and password for a task, then subsequently changed the password on the account, it will give you logon errors as well.

But you should also possibly see errors related to the scheduled task as well.

Commented:
chingmd is right, scheduled tasks can have this kind of result. On that note, not only a scheduled task but also any software that may be running on another computer that is attempting to login to the server. One example of a program that will automatically login to a remote system would be a backup program that was setup to store the backup in a remote location.
Another alternate possibility would be that a workstation or other computer has some sort of a scripted process that is attempting to login.
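
Two threads of advice above, turning on account (logon) auditing and then working out from the Security log whether the failures are an outside password-guessing run or a job on another machine retrying a stale password, can be put into a small triage script. This is an added example, not code from the thread or from any of its posters. It parses the description text of Windows 2000/2003 Security event 529 (the logon-failure event; later Windows versions use event 4625 with a different layout) from constructed sample records, counts failures per account and source workstation, flags accounts that are hit in a rapid burst, and flags sources that fail at a steady interval, which is what a scheduled task or backup job with an old password looks like. The field labels are those of the 529 description; the timestamps, account names, workstation names and thresholds are made up for the example.

```python
"""Triage failed-logon events copied out of a Windows Security log.

Added example, not from the original thread. Windows 2000/2003 log a
failed logon as Security event 529; its description carries the account
name and the NetBIOS name of the machine the attempt came from
("Workstation Name"). That name is supplied by the client and may be blank,
and these older logs do not record a source IP, so this is the only source
attribution they give. All events below are constructed sample data.
"""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Field labels as they appear in the 529 description text.
FIELD_RE = re.compile(
    r"^\s*(User Name|Domain|Logon Type|Workstation Name):\s*(.*)$", re.M)


def make_event(ts, user, domain, workstation):
    """Build one (timestamp, description) pair in the 529 layout (constructed)."""
    description = (
        "Logon Failure:\n"
        "\tReason:\t\tUnknown user name or bad password\n"
        f"\tUser Name:\t{user}\n"
        f"\tDomain:\t\t{domain}\n"
        "\tLogon Type:\t3\n"
        "\tLogon Process:\tNtLmSsp\n"
        "\tAuthentication Package:\tNTLM\n"
        f"\tWorkstation Name:\t{workstation}")
    return ts, description


def build_sample():
    """Constructed sample: a guessing burst, a stale-password job, one stray."""
    t0 = datetime(2010, 3, 30, 2, 14, 0)
    events = []
    # 25 guesses against 'oracle', one second apart, from one workstation.
    for i in range(25):
        events.append(make_event(t0 + timedelta(seconds=i), "oracle", "SERVER01", "WS-LAB-07"))
    # A backup job retrying every 5 minutes after its password was changed.
    for i in range(6):
        events.append(make_event(t0 + timedelta(minutes=5 * i), "backup", "CORP", "BACKUP01"))
    # One Administrator failure with no workstation name recorded.
    events.append(make_event(t0 + timedelta(minutes=17), "Administrator", "SERVER01", ""))
    return events


def parse_event(ts, description):
    """Pull the fields we triage on out of the description text."""
    fields = {k: v.strip() for k, v in FIELD_RE.findall(description)}
    return {
        "time": ts,
        "user": fields.get("User Name", "?"),
        "domain": fields.get("Domain", "?"),
        "workstation": fields.get("Workstation Name") or "(not recorded)",
    }


def failures_by_source(events):
    """Failures per (account, workstation): the first table to look at."""
    return Counter((e["user"], e["workstation"]) for e in events)


def find_bursts(events, window=timedelta(seconds=60), threshold=20):
    """Accounts with >= threshold failures inside any `window`: password guessing."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e["time"])
    bursts = {}
    for user, times in by_user.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):        # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[user] = best
    return bursts


def find_periodic(events, min_events=4, min_interval=60.0, tolerance=0.1):
    """Sources failing at a near-constant interval of at least `min_interval`
    seconds: a scheduled task, service or backup job holding a stale password.
    The interval floor keeps a one-per-second guessing run from qualifying."""
    by_src = defaultdict(list)
    for e in events:
        by_src[(e["user"], e["workstation"])].append(e["time"])
    periodic = {}
    for src, times in by_src.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean >= min_interval and statistics.pstdev(gaps) <= tolerance * mean:
            periodic[src] = mean
    return periodic


def triage(raw_events):
    """Run all three views over (timestamp, description) pairs."""
    events = [parse_event(ts, d) for ts, d in raw_events]
    return {"by_source": failures_by_source(events),
            "bursts": find_bursts(events),
            "periodic": find_periodic(events)}


if __name__ == "__main__":
    report = triage(build_sample())
    for (user, ws), n in report["by_source"].most_common():
        print(f"{n:4d}  {user:<15} from {ws}")
    print("burst (guessing):", report["bursts"])
    print("periodic (stale credential?):", report["periodic"])
```

On a real box the input would be the Security log exported from Event Viewer after "Audit logon events" has been enabled for failures; events whose workstation name is blank or belongs to no known machine are the ones worth chasing at the firewall, since the name is whatever the client chose to send.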

Author

Commented:
Thank you all for your input.  I will review answers and award points.

Commented:
You are welcome. It was my pleasure to be of service.
