wataru69


SBS hacking attempt.

Lately I get these quite a lot.
I suspect someone is trying to get in with Remote Desktop.
Is that right?
I have changed the admin password, and we are behind a hardware firewall.
I did IP traces, and they always come from the UK and the USA.
Should I report these? How can I do this?

I called my local police here and they say they cannot do anything if it does not originate from within my country (Belgium).

Any advice?
----------------------------


Critical Errors in Security Log

Source: Security   Event ID: 529   Last Occurrence: 3/01/2010 4:59   Total Occurrences: 597 *
Logon Failure:
  Reason: Unknown user name or bad password
  User Name: admin
  Domain: CORRUTECH
  Logon Type: 10
  Logon Process: User32
  Authentication Package: Negotiate
  Workstation Name: SBSCORRUTECH
  Caller User Name: SBSCORRUTECH$
  Caller Domain: CORRUTECH
  Caller Logon ID: (0x0,0x3E7)
  Caller Process ID: 6036
  Transited Services: -
  Source Network Address: 71.242.243.231
  Source Port: 48107
 
ICaldwell

You can't really report these. The best defense would be to get a VPN which you have to connect to before RDP-ing to the server; you can set this up on your server with the Microsoft tools.

If you don't want to do that, I would make sure you have a strong password on everything. You can also look at blocking the IPs at your firewall.
ASKER CERTIFIED SOLUTION
Rob Williams

wataru69

ASKER

Follow-up comment:
Every day I start by going through all the attempts.
The situation has improved since I implemented a strong lockout policy.
Next week I will also change the administrator name. I have to check the consequences for the existing situation first.
And every morning I send out abuse reports to the service providers, or whoever I find as responsible by doing a whois. For IPs in the UK and US I usually get a reply that they will take some action. For China (most attempts) I usually get no reply.
Thanks all for the advice.
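As an added example, not from the original thread or from any of its participants: a script that parses the kind of 529 "Logon Failure" text pasted in the question, keeps only Logon Type 10 (RemoteInteractive, i.e. Terminal Services / Remote Desktop, which is what the asker suspected), counts failures per source address and per account, and lists the addresses that exceed a failure threshold within a short window, which is the list ICaldwell's suggestion to block IPs at the firewall needs. The sample records are constructed; the "Event ID / Time" header line is an assumed export layout rather than Event Viewer's own, and the source addresses are RFC 5737 documentation ranges, not the address in the post.

```python
"""Triage of Windows Server 2003 / SBS 2003 Security-log event 529 text."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _sample_event(ts, user, logon_type, ip, port):
    """Constructed 529 record: an assumed 'Event ID / Time' header line (not
    Event Viewer's export format) plus the body layout from the question."""
    return (f"Event ID: 529  Time: {ts}\n"
            "Logon Failure:\n"
            "  Reason: Unknown user name or bad password\n"
            f"  User Name: {user}\n"
            "  Domain: CORRUTECH\n"
            f"  Logon Type: {logon_type}\n"
            "  Logon Process: User32\n"
            "  Authentication Package: Negotiate\n"
            "  Workstation Name: SBSCORRUTECH\n"
            f"  Source Network Address: {ip}\n"
            f"  Source Port: {port}\n")


# Constructed sample export; addresses are RFC 5737 documentation ranges.
SAMPLE_EXPORT = "\n".join(
    # six RDP guesses at "admin" from one host inside six minutes
    [_sample_event(f"2010-01-03 04:5{i}:1{i}", "admin", 10, "203.0.113.7", 48100 + i)
     for i in range(6)]
    # two RDP guesses from another host, hours apart
    + [_sample_event("2010-01-03 01:10:00", "admin", 10, "192.0.2.44", 51000),
       _sample_event("2010-01-03 09:30:00", "admin", 10, "192.0.2.44", 51001)]
    # one Logon Type 3 (network) failure: not RDP, so it must not be counted
    + [_sample_event("2010-01-03 03:00:00", "administrator", 3, "198.51.100.23", 445)]
)

HEADER_RE = re.compile(r"^Event ID:\s*(\d+)\s+Time:\s*(\S+ \S+)$")


def parse_events(text):
    """Split an export into dicts holding event_id, time and every 'Key: value' line."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER_RE.match(lines[0].strip())
        if not m:
            continue  # not a record we understand: skip rather than guess
        ev = {"event_id": int(m.group(1)),
              "time": datetime.strptime(m.group(2), "%Y-%m-%d %H:%M:%S")}
        for line in lines[1:]:
            key, sep, value = line.strip().partition(":")
            if sep:
                ev[key.strip()] = value.strip()
        events.append(ev)
    return events


def is_rdp_failure(ev):
    """Event 529 with Logon Type 10 (RemoteInteractive) is a failed RDP logon."""
    return ev["event_id"] == 529 and ev.get("Logon Type") == "10"


def summarize(events):
    """RDP failures per source IP and per target account (DOMAIN\\user)."""
    by_ip, by_user = Counter(), Counter()
    for ev in events:
        if is_rdp_failure(ev):
            by_ip[ev["Source Network Address"]] += 1
            by_user[f"{ev['Domain']}\\{ev['User Name']}"] += 1
    return by_ip, by_user


def burst_sources(events, threshold=5, window_minutes=10):
    """Source IPs with at least `threshold` RDP failures inside any sliding
    window of `window_minutes`: the firewall block candidates. Keyed on the
    source address, unlike Windows account lockout, which is keyed on the
    account and can therefore be used to lock the admin account out."""
    window = timedelta(minutes=window_minutes)
    times = defaultdict(list)
    for ev in events:
        if is_rdp_failure(ev):
            times[ev["Source Network Address"]].append(ev["time"])
    flagged = []
    for ip, ts in times.items():
        ts.sort()
        start = 0
        for end, t in enumerate(ts):
            while t - ts[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EXPORT)
    by_ip, by_user = summarize(evs)
    for ip, n in by_ip.most_common():
        print(f"{ip:16} {n:4} RDP failures")
    print("accounts targeted:", dict(by_user))
    print("block candidates :", burst_sources(evs))
```

The per-address threshold is deliberately separate from the account-lockout policy the asker enabled: Windows lockout is keyed on the account, so a remote guesser who keeps trying "admin" can lock the real administrator out, whereas a per-source block at the firewall has no such side effect. The whois step the asker describes would run on the addresses this returns.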