Unauthorised attempts to logon to network

Hi
I have noticed this morning many many attempts to log onto our network from outside with made-up random user names - Lots of failure audits in the security Log.
I guess this will be someone trying to access our network but cannot shut down access as we have remote and home workers using RWW.
Is there any way i can identify the IP address so I can block it on the firewall?
Many thanks
LVL 3
DaveA66Asked:
Who is Participating?
 
svgnmlCommented:
Since the logon process is IIS then the IP address should be in the IIS log usually located in
C:\WINDOWS\system32\LogFiles\

You'll have more than one IIS log directory on SBS2003 named W3SVC1, W3SVC2, etc
Match the time stamp in the log with the time of the event in the security log.
0
 
DaveA66Author Commented:
Sorry, below is a typica entry in the Security Log


Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      info2
       Domain:            ipofficeltd
       Logon Type:      8
       Logon Process:      IIS    
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      SERVER
       Caller User Name:      SERVER$
       Caller Domain:      ipofficeltd
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      1640
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

0
 
DaveA66Author Commented:
yes found it.
Someone trying to access our FTP server.
Many thanks
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.