login failure event more than 6000 times in 2 hours

Hello, I'm getting a security alert on a server running Windows Server 2003. In Event Viewer, under Security, I have more than 6,000 Failure Audit events. This is the log information for the event; could you help me determine what is causing this and how I can fix it?


Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      user4
       Domain:            ATOM
       Logon Type:      10
       Logon Process:      User32  
       Authentication Package:      Negotiate
       Workstation Name:      ATOM-1
       Caller User Name:      ATOM-1$
       Caller Domain:      ATOM
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      3124
       Transited Services:      -
       Source Network Address:      121.181.46.66
       Source Port:      2151
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      user4
       Domain:            ATOM
       Logon Type:      10
       Logon Process:      User32  
       Authentication Package:      Negotiate
       Workstation Name:      ATOM-1
       Caller User Name:      ATOM-1$
       Caller Domain:      ATOM
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      3124
       Transited Services:      -
       Source Network Address:      121.181.46.66
       Source Port:      2151

Thanks in advance
Diego_Jaen asked:
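Before the replies, an added example that is not part of the original thread: the symptom here is a rate (6,000 failures in two hours), not any single record, so the useful first step is to turn the pasted Event ID 529 text into a per-source count. The script below is mine, in Python. It constructs its own sample records from the exact layout shown in the question (the Date/Time values and the "M/D/YYYY h:mm:ss AM/PM" format are assumptions, since the post blanked those fields), keeps only Event ID 529, groups failures by Source Network Address, and reports every source whose failures inside a sliding window reach a threshold, together with the user names it tried and whether the address is globally routable. Only 121.181.46.66 comes from the question; the other addresses are invented.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address

# One Event ID 529 record in the Event Viewer text layout shown in the question.
# Date/Time are filled in here (the post blanked them); the "M/D/YYYY h:mm:ss AM/PM"
# form is an assumption matching a US-locale Event Viewer text export.
EVENT_TEMPLATE = """\
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: {date}
Time: {time}
User: NT AUTHORITY\\SYSTEM
Computer: Atom-1
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      {user}
       Domain:            ATOM
       Logon Type:      10
       Logon Process:      User32
       Authentication Package:      Negotiate
       Workstation Name:      ATOM-1
       Caller User Name:      ATOM-1$
       Caller Domain:      ATOM
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      3124
       Transited Services:      -
       Source Network Address:      {src}
       Source Port:      {port}
"""
# "Key:   value" lines; the key stops at the first colon so "Time: 10:00:01 AM" parses.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")

def make_event(ts, user, src, port):
    return EVENT_TEMPLATE.format(date=ts.strftime("%m/%d/%Y"), time=ts.strftime("%I:%M:%S %p"),
                                 user=user, src=src, port=port)

def build_sample_log():
    """Constructed sample: 121.181.46.66 (from the question) makes six guesses in five
    minutes; an invented 203.0.113.250 fails twice an hour apart; an invented LAN host
    10.0.0.5 mistypes a password once."""
    t0 = datetime(2010, 12, 1, 10, 0, 0)
    records = []
    for i, user in enumerate(["user4", "user4", "user5", "administrator", "admin", "test"]):
        records.append(make_event(t0 + timedelta(minutes=i), user, "121.181.46.66", 2151 + i))
    records.append(make_event(t0 + timedelta(minutes=3), "backup", "203.0.113.250", 40001))
    records.append(make_event(t0 + timedelta(minutes=63), "backup", "203.0.113.250", 40002))
    records.append(make_event(t0 + timedelta(minutes=7), "diego", "10.0.0.5", 1055))
    return "".join(records)

def parse_events(text):
    """Split an Event Viewer text dump at each 'Event Type:' line; return one dict per 529 record."""
    events = []
    for block in re.split(r"(?m)^(?=Event Type:)", text):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m and m.group(2):            # skips the bare "Logon Failure:" heading
                fields[m.group(1)] = m.group(2)
        if fields.get("Event ID") != "529":
            continue
        fields["timestamp"] = datetime.strptime(f"{fields['Date']} {fields['Time']}",
                                                "%m/%d/%Y %I:%M:%S %p")
        events.append(fields)
    return events

def peak_in_window(times, window):
    """Largest number of timestamps inside any sliding window of length `window`."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def brute_force_sources(events, threshold, window_minutes):
    """{source: (peak_count, globally_routable, sorted users tried)} for sources at/over threshold."""
    window = timedelta(minutes=window_minutes)
    by_src = {}
    for ev in events:
        entry = by_src.setdefault(ev.get("Source Network Address", "-"), ([], set()))
        entry[0].append(ev["timestamp"])
        entry[1].add(ev["User Name"].lower())
    hits = {}
    for src, (times, users) in by_src.items():
        peak = peak_in_window(times, window)
        if peak < threshold:
            continue
        try:   # RFC 1918, loopback and documentation ranges all come out non-routable
            routable = ip_address(src).is_global
        except ValueError:   # "-" or a host name rather than an address
            routable = False
        hits[src] = (peak, routable, sorted(users))
    return hits

if __name__ == "__main__":
    # Thresholds scaled down for the sample; the question's 6,000 in 2 hours is far past this.
    for src, (peak, routable, users) in brute_force_sources(parse_events(build_sample_log()), 5, 10).items():
        print(f"{src}: {peak} failures in 10 min, routable={routable}, users tried={users}")
```

To run this against the real thing, save the Security log from Event Viewer as text, feed that text to `parse_events` instead of `build_sample_log()`, and raise the threshold; on the question's data the count for 121.181.46.66 alone would be in the thousands. Logon Type 10 with Logon Process User32 is a Remote Desktop (Terminal Services) logon, which is why the fix discussed below is about port 3389 rather than the SMTP/POP3 side.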

Alan Hardisty (Co-Owner) commented:
Make sure you have port 3389 closed on your firewall and also remove Integrated Windows and Basic Auth on your SMTP Virtual Server.

Also have a read of my blog:

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/

Looks like Korea is trying to hack you!!!!

IP Information - 121.181.46.66

IP address:                     121.181.46.66
Reverse DNS:                    [No reverse DNS entry per 46.181.121.in-addr.arpa.]
Reverse DNS authenticity:       [Unknown]
ASN:                            4766
ASN Name:                       KIXS-AS-KR (Korea Telecom)
IP range connectivity:          2
Registrar (per ASN):            APNIC
Country (per IP registrar):     KR [Korea-KR]
Country Currency:               KRW [Korea (South) Won]
Country IP Range:               121.128.0.0 to 121.191.255.255
Country fraud profile:          Normal
City (per outside source):      Seoul, Kyonggi-Do
Country (per outside source):   KR [Korea-KR]
Private (internal) IP?          No
IP address registrar:           whois.arin.net
Known Proxy?                    No
Link for WHOIS:                 121.181.46.66
0
Diego_Jaen (Author) commented:
Thanks alanhardisty, I'm looking into that right now. I did, however, miss the first part of the log; I don't know if it provides more info, but here is the complete log:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: date
Time: time
User: NT AUTHORITY\SYSTEM
Computer: Atom-1
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      user4
       Domain:            ATOM
       Logon Type:      10
       Logon Process:      User32  
       Authentication Package:      Negotiate
       Workstation Name:      ATOM-1
       Caller User Name:      ATOM-1$
       Caller Domain:      ATOM
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      3124
       Transited Services:      -
       Source Network Address:      121.181.46.66
       Source Port:      2151

Thanks
0
Alan Hardisty (Co-Owner) commented:
It's not desperately useful. It shows the external IP and the internal process. If you list your processes (and show the process ID), then you can narrow down the port being attacked, but if port 3389 is open it will be attacked, and you can stop people trying to hack in using POP3 usernames/passwords via your SMTP server.
0
Diego_Jaen (Author) commented:
Hello,
Thanks for the recommendation. Unfortunately I can't close port 3389, because it is used by the server admin for remote logins. Any other ideas as to what I could do to stop this from happening?
Thanks in advance
0
Alan Hardisty (Co-Owner) commented:
With port 3389 open - no.

You could change the port internally for RDP and then use a different port on the firewall, but 3389 is a target for hackers, so as long as it is open, it will have people trying to hack into your server.

Have you considered an alternative method of remote control of the server?
0
Alan Hardisty (Co-Owner) commented:
Can you restrict port 3389 inbound from a specific IP address only, or a handful of specific IP Addresses - that would cut out the hacks?
0
Diego_Jaen (Author) commented:
I don't think that would work, because the range of IP addresses that I have found in the event log for this problem is very broad: not just the Korean IP but a whole lot of other countries too.
Thanks
0
Alan Hardisty (Co-Owner) commented:
I'm talking about restricting port 3389 to only those IP Addresses that need to access your server remotely, e.g., the remote IP's of your IT staff who need access to the server only.

So you allow ONLY your staff's home IP addresses and any other locations that they might need to connect from.  That will block all other IP's from trying to hack your server.
0
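Alan's rule is to scope port 3389 to the addresses the admins actually connect from. The following is an added example of mine, not from the thread, in Python, for checking such an allowlist before it goes onto the perimeter device: it validates the staff entries, rejects ranges too wide to be a genuine admin allowlist, reports which of the source addresses seen in the 529 events would have been refused, and prints the equivalent rule for the Windows Server 2003 SP1 host firewall using the legacy `netsh firewall` context. The staff addresses and the non-Korean sources are invented; the `netsh` syntax is written from memory and is an assumption, and since the thread says Windows Firewall is disabled on this server, the perimeter firewall/router remains where the rule belongs.

```python
from ipaddress import ip_address, ip_network

# A /24 (256 addresses) is already generous for "the remote IPs of your IT staff";
# anything wider is more likely a typo than a real admin location.
MAX_ENTRY_ADDRESSES = 256

def build_rdp_allowlist(entries, max_addresses=MAX_ENTRY_ADDRESSES):
    """Turn staff addresses/CIDR ranges into networks, rejecting ranges too wide for an allowlist."""
    nets = []
    for entry in entries:
        net = ip_network(entry, strict=False)        # "203.0.113.10" becomes 203.0.113.10/32
        if net.num_addresses > max_addresses:
            raise ValueError(f"{entry}: {net.num_addresses} addresses is too broad for an RDP allowlist")
        nets.append(net)
    return nets

def is_allowed(src, nets):
    """True if the source address falls inside any allowlisted network."""
    addr = ip_address(src)
    return any(addr in net for net in nets)

def blocked_sources(observed, nets):
    """Which observed source addresses (e.g. from Event ID 529 records) the rule would stop."""
    return [src for src in observed if not is_allowed(src, nets)]

def netsh_scope_command(nets, port=3389):
    """Equivalent host-firewall rule for the Windows Server 2003 SP1 firewall (legacy
    'netsh firewall' context; syntax assumed from memory, and it only takes effect once
    Windows Firewall is enabled on the host, which the thread says it is not)."""
    addrs = ",".join(str(n.network_address) if n.num_addresses == 1 else str(n) for n in nets)
    return (f"netsh firewall add portopening protocol=TCP port={port} "
            f'name="RDP admins only" mode=ENABLE scope=CUSTOM addresses={addrs}')

if __name__ == "__main__":
    # Constructed inputs: two staff locations (documentation ranges) and addresses seen in
    # the log; 121.181.46.66 is from the question, the others are invented.
    staff = build_rdp_allowlist(["203.0.113.10", "198.51.100.0/29"])
    seen = ["121.181.46.66", "203.0.113.10", "198.51.100.9", "192.0.2.77"]
    print("blocked:", blocked_sources(seen, staff))
    print(netsh_scope_command(staff))
```

The size cap is the part worth keeping: an allowlist that quietly grows to a /16 because someone pasted an ISP range gives the same exposure as no rule at all, and the check catches that before the rule is deployed.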
Diego_Jaen (Author) commented:
Hello,
Oh OK, yeah, that sounds perfect. Now how would I go about doing that? Windows Firewall is disabled on the server.
Thanks
0
Alan Hardisty (Co-Owner) commented:
On your firewall / router.
0
Diego_Jaen (Author) commented:
Hello,
Is there a way to just block the port for everyone, on the server?
Thanks
0
Alan Hardisty (Co-Owner) commented:
As per your earlier comment:

"Thanks for the recomendation, unfurtunately I cant close port 3389, because it is used by the server admin to do remote log in,"

If you do that - your server admin won't be able to access the server.
0
Diego_Jaen (Author) commented:
Hello,
Yes, but I have spoken with the admin, and for now we'll just have to make do without backup access, so the decision has been made to just shut it down until we can have it configured on the firewall.
Many thanks
0
Alan Hardisty (Co-Owner) commented:
Disable access on the server, then, by doing the opposite of the following article:

http://www.petri.co.il/enable_rdp_windows_2003.htm
0

Diego_Jaen (Author) commented:
Port is closed and hopefully this will deal with the hack attempts.
0