Diego_Jaen
asked on
login failure event more than 6000 times in 2 hours
Hello, I'm getting a security alert on a server running Windows Server 2003. In the Event Viewer under Security I have more than 6,000 failure audit type events. This is the log information on the event; could you help me out to determine what is causing this and how I can fix it?
Logon Failure:
Reason: Unknown user name or bad password
User Name: user4
Domain: ATOM
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: ATOM-1
Caller User Name: ATOM-1$
Caller Domain: ATOM
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 3124
Transited Services: -
Source Network Address: 121.181.46.66
Source Port: 2151
Logon Failure:
Reason: Unknown user name or bad password
User Name: user4
Domain: ATOM
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: ATOM-1
Caller User Name: ATOM-1$
Caller Domain: ATOM
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 3124
Transited Services: -
Source Network Address: 121.181.46.66
Source Port: 2151
Thanks in advance
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
ASKER
Hello,
Thanks for the recommendation. Unfortunately I can't close port 3389, because it is used by the server admin to do remote login. Any other ideas as to what I could do to stop this from happening?
Thanks in advance
SOLUTION
SOLUTION
ASKER
I don't think that would work, because the range of IP addresses that I have found in the event log for this problem is very broad, not just the Korean IP but from a whole lot of other countries.
Thanks
SOLUTION
ASKER
Hello,
Oh OK, yeah, that sounds perfect. Now how would I go about doing that? Windows Firewall is disabled on the server.
Thanks
SOLUTION
ASKER
Hello,
Is there a way to just block the port for everyone, on the server?
Thanks
As per your earlier comment:
"Thanks for the recommendation, unfortunately I can't close port 3389, because it is used by the server admin to do remote log in,"
If you do that - your server admin won't be able to access the server.
ASKER
Hello,
Yes, but I have spoken with the admin, and for now we'll just have to make do without a backup access, so the decision has been made to just shut it down until we can have it configured on the firewall.
Many thanks
ASKER CERTIFIED SOLUTION
ASKER
Port is closed and hopefully this will deal with the hack attempts.
ASKER
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: date
Time: time
User: NT AUTHORITY\SYSTEM
Computer: Atom-1
Logon Failure:
Reason: Unknown user name or bad password
User Name: user4
Domain: ATOM
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: ATOM-1
Caller User Name: ATOM-1$
Caller Domain: ATOM
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 3124
Transited Services: -
Source Network Address: 121.181.46.66
Source Port: 2151
Thanks
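The Event ID 529 records pasted in this thread all carry Logon Type 10 (Terminal Services/RDP, port 3389) and a source address, so the failures can be broken down per source and per targeted account. The following Python sketch is an added example, not part of the original thread: it parses event descriptions exported as text in the layout shown above; the sample records, the address 203.0.113.7, the user name `admin` and the threshold of 3 are constructed assumptions.

```python
import re
from collections import Counter

FIELD = re.compile(r"^\s*([A-Za-z ]+):\s*(.*)$")

def parse_events(text):
    """Split exported event text into one dict per 'Logon Failure:' record."""
    events, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Logon Failure":        # header line opens a new record
            current = {}
            events.append(current)
        elif current is not None:
            current[key] = value
    return events

def summarize_rdp_failures(events, threshold=3):
    """Tally failed Logon Type 10 (Terminal Services/RDP) logons."""
    rdp = [e for e in events if e.get("Logon Type") == "10"]
    by_source = Counter(e.get("Source Network Address", "-") for e in rdp)
    by_user = Counter(e.get("User Name", "-") for e in rdp)
    # Sources at or above the (assumed) threshold are worth a closer look.
    noisy = sorted(a for a, n in by_source.items() if n >= threshold)
    return by_source, by_user, noisy

# Constructed sample in the thread's field layout; 203.0.113.7 and "admin" are made up.
TEMPLATE = """Logon Failure:
Reason: Unknown user name or bad password
User Name: {user}
Logon Type: {ltype}
Source Network Address: {addr}
Source Port: {port}
"""
SAMPLE = "".join(TEMPLATE.format(user=u, ltype=t, addr=a, port=p) for u, t, a, p in [
    ("user4", 10, "121.181.46.66", 2151),
    ("user4", 10, "121.181.46.66", 2152),
    ("user4", 10, "121.181.46.66", 2153),
    ("admin", 10, "203.0.113.7", 4410),
    ("user4", 2, "-", "-"),               # local console failure, not RDP
])

if __name__ == "__main__":
    by_source, by_user, noisy = summarize_rdp_failures(parse_events(SAMPLE))
    print("failures per source:", by_source.most_common())
    print("failures per account:", by_user.most_common(), "over threshold:", noisy)
```

A long tail of sources with only a few failures each, as the asker describes, is the case where per-address blocking does not scale and the per-account tally is the more useful view.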