SBS hacking attempt.

Posted on 2010-01-04
Last Modified: 2013-11-28
Lately I get these quite a lot.
I suspect someone is trying to get in with Remote Desktop.
Is that right?
I have changed the admin password, and we are behind a hardware firewall.
I did IP traces, and they always come from the UK and the USA.
Should I report these? How can I do this?

I called my local police here and they say they cannot do anything if it does not originate from within my country (Belgium).

Any advice?

Critical Errors in Security Log

Source     Event ID   Last Occurrence   Total Occurrences
Security   529        3/01/2010 4:59    597 *
Logon Failure:
  Reason: Unknown user name or bad password
  User Name: admin
  Logon Type: 10
  Logon Process: User32
  Authentication Package: Negotiate
  Workstation Name: SBSCORRUTECH
  Caller User Name: SBSCORRUTECH$
  Caller Domain: CORRUTECH
  Caller Logon ID: (0x0,0x3E7)
  Caller Process ID: 6036
  Transited Services: -
  Source Network Address:
  Source Port: 48107
Question by:wataru69
    LVL 11

    Expert Comment

    You can't really report these... Best defense would be to get a VPN which you have to connect to before RDP-ing to the server. You can set this up on your server with the Microsoft tools.

    If you don't want to do that, I would make sure you have a strong password on everything. You can also look at blocking the IPs at your firewall.
    LVL 77

    Accepted Solution

    If you have the time, in a few cases you can track the IP with reverse IP lookups. As a rule that will not tell you who they are or even reference the exact IP, but it can sometimes tell you to what ISP the subnet is registered. You can then report it to them. I have had some positive feedback when doing so from some ISPs, but hackers seldom use the same IP twice, so it is of little value.

    Best bet is a good defense.
    - Do not use common account names like Administrator, Admin, User, BackUp (i.e. disable the administrator account).
    - Make sure you enable group policies for complex passwords. The default is 7 characters with at least 1 number or symbol and one capital. Others suggest long pass-phrases are as complex and easier to remember, like whattimeisittoday.
    - Make sure lockouts are configured in Group Policy. Most hackers will give up if they are locked out for 1/2 hour after 4 wrong guesses. That doesn't stop them from guessing with account names that do not exist.
    - The policy to edit is the default domain policy, under computer configuration | windows settings | security settings | account policies | password policies.
    - RDP should not be open to the Internet. SBS is unique in that it has Remote Web Workplace, which is much more secure. Not only does it use SSL, but a port scan doesn't indicate 3389 is open, and 4125 (which RWW uses) does not show as open until a secure connection has been established on 443 with SSL. Traditionally hackers scan for open 3389.
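
The failure records in the question and the lockout caveat in the answer above (guesses at names that do not exist never trigger a lockout) can be tallied with the following added example, which is not part of the original thread. The sample records are constructed in the layout of the Event ID 529 detail shown in the question, and `real_accounts` is a hypothetical parameter holding the lower-case names that actually exist in the domain.

```python
import re
from collections import Counter

# Constructed sample; names and addresses (documentation ranges) are made up.
SAMPLE = """\
Logon Failure:
  User Name: admin
  Logon Type: 10
  Source Network Address: 203.0.113.7
Logon Failure:
  User Name: admin
  Logon Type: 10
  Source Network Address: 203.0.113.7
Logon Failure:
  User Name: jsmith
  Logon Type: 10
  Source Network Address: 198.51.100.20
Logon Failure:
  User Name: admin
  Logon Type: 10
  Source Network Address:
Logon Failure:
  User Name: jsmith
  Logon Type: 2
  Source Network Address:
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")

def parse_events(text):
    """Return one dict of fields per 'Logon Failure:' record."""
    events = []
    for m in filter(None, map(FIELD.match, text.splitlines())):
        key, value = m.group(1), m.group(2).strip()
        if key == "Logon Failure":
            events.append({})          # a new record starts here
        elif events:
            events[-1][key] = value    # field belongs to the current record
    return events

def summarize_rdp_failures(text, real_accounts):
    """Count Logon Type 10 (RDP) failures per (user, source address).
    The last tuple element is True when the name is a real account,
    i.e. one that the lockout policy can actually lock."""
    counts = Counter()
    for ev in parse_events(text):
        if ev.get("Logon Type") == "10":
            user = ev.get("User Name", "").lower()
            counts[(user, ev.get("Source Network Address", ""))] += 1
    return [(u, s, n, u in real_accounts) for (u, s), n in counts.most_common()]
```

Rows whose last element is False are guesses at names with no account behind them; they never appear as lockouts, so they are only visible in a tally like this one.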
    LVL 76

    Assisted Solution

    As in the prior comment, you can set up a VPN PPTP/IPSEC/L2TP.
    You can also alter the RDP port to something else.

    You can also report these attempts as abuse to the provider. is a Verizon IP (

    An additional precaution you can take is to prevent an administrator account from connecting via RDP/Terminal Service.  The limited user would need to use runas to elevate their rights.
    Add the limited user to the Remote Desktop Group.


    Author Comment

    Follow-up comment:
    Every day I start by going through all the attempts.
    The situation has improved since I implemented a strong lockout policy.
    Next week I will also change the administrator name. I have to check the consequences for the existing situation first.
    And every morning I send out abuse reports to the service providers, or whoever I find to be responsible by doing a whois. For IPs in the UK and US I usually get a reply that they will take some action. For China (most attempts) I usually get no reply.
    Thanks all for the advice.
