I think I'm being cracked

I'm no expert on network security, but I received an Event ID 539 last night from my SBS2003 DC informing me that a user had been locked out. I looked at my logs this morning and found the entry. The user name had been locked out after attempting to gain access to my DC. I called the user to make sure that it in fact wasn't him, and he informed me that he hadn't done anything that night. This user does not have administrative privileges, but I am worried that if this person gains access to my DC, even without admin privs, he can wreak some havoc.

Here is the log info:

Logon Failure:
    Reason:                  Account locked out
    User Name:               davidt
    Domain:                  DOMAIN
    Logon Type:              8
    Logon Process:           Advapi
    Authentication Package:  Negotiate
    Workstation Name:        THOMANNASPHALT2
    Caller User Name:        THOMANNASPHALT2$
    Caller Domain:           DOMAIN
    Caller Logon ID:         (0x0,0x3E7)
    Caller Process ID:       6052
    Transited Services:      -
    Source Network Address:  166.137.138.137
    Source Port:             40978

Apparently a variety of ports were used: 40940, 40978, 41036

I'm not really sure what to do here to avoid having this happen again.  
dthomannAsked:
TripyreCommented:
It may be a virus such as the Conficker worm. The Conficker worm will attempt multiple accounts and lock them out as it uses brute-force password hacking.
 
http://support.microsoft.com/kb/962007 
0
neubdaCommented:
I don't think so. It's Logon Type 8, so it differs from normal worms. I would go for an "open" IIS to the internet or local network. More likely someone attempted several tries on a htaccess from... OWA? If you have an IIS you should search the logs or enable it for the time being.
0
dthomannAuthor Commented:
IIS is running with OWA.  What am I looking for in the logs for IIS?
0
dthomannAuthor Commented:
Also, I did a trace on the IP address where the logon came from and found it was located in Wichita KA. We're located in NC.
0
neubdaCommented:
Guess you can't do too much to prevent this if OWA is open to everyone on the net. I would simply watch the logs if it happens again. If it does, you could go a step ahead and try implementing an IPS (expensive) or simply guard it with a firewall and a rate limit for http/s. It will not prevent the attacker from trying out passwords, but it will slow him down.
Another task would be shutting down unencrypted http owa. Web Access over https requires form based authentication which should always be the only way to access owa!
0
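Added example, not written by anyone in this thread: one way to do the log search neubda suggests, correlating the Source Network Address from the 539 event with 401.1 responses in the IIS W3C log for the OWA path. Both the event text and the IIS lines below are constructed samples; the field order is the default W3C extended format, and the sc-win32-status codes 1326 (logon failure) and 1909 (account locked out) are the standard Windows values.

```python
import re
from collections import Counter

# Constructed excerpt of the Event ID 539 text quoted in the question.
EVENT_539 = """Logon Failure:
   Reason:            Account locked out
   User Name:         davidt
   Logon Type:        8
   Source Network Address:  166.137.138.137
   Source Port:       40978"""

# Constructed IIS W3C lines (default fields). sc-win32-status 1326 means
# ERROR_LOGON_FAILURE (bad password); 1909 means ERROR_ACCOUNT_LOCKED_OUT.
IIS_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-03-11 02:14:01 10.0.0.5 GET /exchange/ - 80 - 166.137.138.137 Mozilla/4.0 401 2 5
2009-03-11 02:14:02 10.0.0.5 GET /exchange/ - 80 DOMAIN\\davidt 166.137.138.137 Mozilla/4.0 401 1 1326
2009-03-11 02:14:03 10.0.0.5 GET /exchange/ - 80 DOMAIN\\davidt 166.137.138.137 Mozilla/4.0 401 1 1326
2009-03-11 02:14:04 10.0.0.5 GET /exchange/ - 80 DOMAIN\\davidt 166.137.138.137 Mozilla/4.0 401 1 1909
2009-03-11 02:15:10 10.0.0.5 GET /exchange/ - 80 DOMAIN\\alice 192.168.1.20 Mozilla/4.0 200 0 0"""

def parse_event(text):
    """Extract the fields a responder needs from the 539 event body."""
    fields = dict(re.findall(r"^\s*([^:\n]+):\s*(.*?)\s*$", text, re.M))
    return {"user": fields.get("User Name"),
            "logon_type": int(fields.get("Logon Type", 0)),
            "source": fields.get("Source Network Address")}

def parse_iis(text):
    """Parse W3C extended lines using the #Fields header; skip other directives."""
    names, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            names = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(names, line.split())))
    return rows

def failed_logons(rows, uri_prefix="/exchange"):
    """Count 401.1 responses (credentials supplied but rejected) per IP and user."""
    hits = Counter()
    for r in rows:
        if r["cs-uri-stem"].startswith(uri_prefix) and r["sc-status"] == "401" and r["sc-substatus"] == "1":
            hits[(r["c-ip"], r["cs-username"])] += 1
    return hits

def correlate(event, rows, threshold=3):
    """Flag the event's source address if it also produced a burst of OWA 401.1 failures."""
    if event["logon_type"] != 8:  # 8 = NetworkCleartext, which IIS Basic auth produces
        return None
    hits = failed_logons(rows)
    total = sum(n for (ip, _), n in hits.items() if ip == event["source"])
    users = sorted({u for (ip, u) in hits if ip == event["source"]})
    return {"source": event["source"], "failures": total, "users": users, "alert": total >= threshold}

if __name__ == "__main__":
    print(correlate(parse_event(EVENT_539), parse_iis(IIS_LOG)))
```

On a real server the same functions can be pointed at the files under the IIS log directory, and the 401.2 rows (no credentials yet) are deliberately not counted so that a browser's first unauthenticated request does not inflate the tally.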
