StewartTechnologies asked:

Mysterious Failed Login Attempts on a server

Within the last month, my server has had several failed login attempts on two nights. We have had login attempts in the past, but they always gave us a source IP address to trace the origin of the attack. This latest round, however, there is no source IP address. The attacks happened on 3/6 and 3/21, all overnight and over the span of one hour.

This is one of the logs we have:
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            3/23/2010
Time:            1:27:36 PM
User:            NT AUTHORITY\SYSTEM
Computer:      BOSS
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      admin
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      BOSS
       Caller User Name:      BOSS$
       Caller Domain:      RC
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      2312
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

The process ID does show up on our server as INETINFO.EXE.  

Could they be hacking IIS, or is there something else I can do to lock them out?

Thanks,

STI
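
The triage step described in the question, as an added example that is not part of the original post: when Source Network Address is "-", the only pivot left in a 529 record is Caller Process ID, so this groups failures by that PID and the targeted user name. The function names and the sample text are hypothetical; the second sample event and its address are constructed.

```python
import re
from collections import Counter

# Constructed sample: two Event ID 529 descriptions in the layout of the entry
# quoted in the question (the second event is invented for contrast).
SAMPLE = """\
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      admin
       Domain:
       Logon Type:      3
       Logon Process:      Advapi
       Workstation Name:      BOSS
       Caller Process ID:      2312
       Source Network Address:      -
       Source Port:      -
Logon Failure:
       User Name:      test
       Logon Type:      3
       Logon Process:      NtLmSsp
       Caller Process ID:      -
       Source Network Address:      192.0.2.10
"""

FIELD = re.compile(r"^\s*([^:\n]+):[ \t]*(.*?)\s*$")  # "Key:   value" lines

def parse_events(text):
    """Split exported text into one dict per 'Logon Failure:' block."""
    events = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2)
        if key == "Logon Failure":
            events.append({})          # start of a new event
        elif events:
            events[-1][key] = value    # field belongs to the current event
    return events

def local_caller_failures(events):
    """Count failures with no source address, keyed by (caller PID, user name)."""
    hits = Counter()
    for e in events:
        if e.get("Source Network Address", "-") in ("-", ""):
            hits[(e.get("Caller Process ID", "-"), e.get("User Name", ""))] += 1
    return hits
```

Each PID in the result is then looked up in the process list, as was done above for 2312.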
ASKER CERTIFIED SOLUTION
Rob Williams