sbs hacking attempt.

Lately I get these quite a lot.
I suspect someone is trying to get in with remote desktop.
is that right?
I have changed the admin password, and we are behind a hardware firewall.
I did ip traces, and they always come from the UK and the USA.
should I report these? How can I do this?

I called my local police here and they say they cannot do anything if it does not originate from within my country (Belgium)

Any advise?

Critical Errors in Security Log

Source Event ID Last Occurrence Total Occurrences
  Security 529 3/01/2010 4:59 597 *
Logon Failure:
  Reason: Unknown user name or bad password
  User Name: admin
  Logon Type: 10
  Logon Process: User32
  Authentication Package: Negotiate
  Workstation Name: SBSCORRUTECH
  Caller User Name: SBSCORRUTECH$
  Caller Domain: CORRUTECH
  Caller Logon ID: (0x0,0x3E7)
  Caller Process ID: 6036
  Transited Services: -
  Source Network Address:
  Source Port: 48107
Who is Participating?
Rob WilliamsConnect With a Mentor Commented:
If you have the time in a few cases you can track the IP with reverse IP lookups. As a rule that will not tell you who they are or even reference the exact IP but can sometimes tell you to what ISP the subnet is registered. You can then report it to them. I have had some positive feed back when doing so from some ISP's but hackers seldom use the same IP twice so it is of little value.

Best bet is a good defense.
-Do not use common account names like Administrator, Admin, User, BackUp. (i.e. disable the administrator account)
-Make sure you enable group policies for complex passwords. The default is 7 characters with at least 1 number or symbol and one capital. Others suggest long pass-phrases are as complex and easier to remember like whattimeisittoday
- Make sure lockout are configured in Group Policy. Most hackers will give up if they are locked out for 1/2 hour after 4 wrong guesses. That doesn't stop them from guessing with account names that do not exist
-The policy to edit is the default domain policy and under computer configuration | windows settings | security settings | account policies | password policies
-RDP should not be open to the Internet. SBS is unique in that it has Remote Web Workplace which is much more secure. Not only does it use SSL but a port scan doesn't indicate 3389 is open and also 4125 (which RWW uses) does not show as open until a secure connection has been established on 443 with SSL. Traditionally hackers scan for open 3389.
You can't really report these.... Best defense would be to get a VPN which you have to connect to before RDP-ing to the server...  you can set this up on your server with the Microsoft tools..

If you don't want to do that I would make sure you have strong password on everything, you can also look at blocking the IP's at your firewall
arnoldConnect With a Mentor Commented:
As the prior comment, you can setup a VPN PPTP/IPSEC/L2TP.
You can also alter the RDP port to something else.

You can also report these attempts as abuse to the provider. is a verizon IP (

An additional precaution you can take is to prevent an administrator account from connecting via RDP/Terminal Service.  The limited user would need to use runas to elevate their rights.
Add the limited user to the Remote Desktop Group.

wataru69Author Commented:
follow up comment:
Every day I start by going through all the attempts.
the situation has improved since I implemented a strong lockout policy.
Next week I will also change the administrator name. I have to check the consequenses for the existing situation first.
And every morning I send out abuse reports to the service providers, or whoever I find as a responsible by doing a whois. for IP's in the UK and US I usually get a reply that they will take some action. For China (most attempts) I usually get no reply.
Thanks all for the advise.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.