
Mysterious Failed Login Attempts on a server

StewartTechnologies asked:
Within the last month, my server has had several failed login attempts on two nights. We have had login attempts in the past, but they always give us a source IP address to trace the origin of the attack. This latest round, however, there is no source IP address. The attacks happened on 3/6 and 3/21, all overnight and over the span of one hour.

This is one of the logs we have:
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            3/23/2010
Time:            1:27:36 PM
User:            NT AUTHORITY\SYSTEM
Computer:      BOSS
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      admin
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      BOSS
       Caller User Name:      BOSS$
       Caller Domain:      RC
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      2312
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

The process ID does show up on our server as INETINFO.EXE.  

Could they be hacking IIS, or is there something else I can do to lock them out?
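
An added example, not part of the original post: a small Python parser for events saved as text in the layout quoted above. It counts event 529 failures per hour and caller process ID and records whether a source address was logged. The sample records are constructed, and the blank-line separator between records and the function names are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the layout of the event quoted in the question.
# The second record is a made-up variant that does carry a source address.
SAMPLE = """\
Event ID:      529
Date:            3/23/2010
Time:            1:27:36 PM
       User Name:      admin
       Caller Process ID:      2312
       Source Network Address:      -

Event ID:      529
Date:            3/23/2010
Time:            1:41:02 PM
       User Name:      test
       Caller Process ID:      2312
       Source Network Address:      192.0.2.10
"""

# "Name:   value" lines; the name cannot contain ':' so times parse correctly.
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s+(.*?)\s*$")

def parse_events(text):
    """Split on blank lines (assumed separator); one dict per 529 record."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        if fields.get("Event ID") == "529":
            events.append(fields)
    return events

def summarize(events):
    """Count failures per (hour, caller PID, source address present?)."""
    buckets = Counter()
    for e in events:
        ts = datetime.strptime(e["Date"] + " " + e["Time"], "%m/%d/%Y %I:%M:%S %p")
        has_src = e.get("Source Network Address", "-") != "-"
        buckets[(ts.strftime("%Y-%m-%d %H:00"), e["Caller Process ID"], has_src)] += 1
    return buckets

if __name__ == "__main__":
    for key, count in sorted(summarize(parse_events(SAMPLE)).items()):
        print(key, count)
```

The hourly buckets with no source address give the time windows and process ID to compare against that process's own logs.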

