Solved

Security Audit Failure

Posted on 2013-10-24
1
456 Views
Last Modified: 2013-11-14
Hey guys,

got a client who's getting a lot of these. I've never had to deal with these before. There seems to be two audits which keep failing over and over. I'm more concerned with the first one. Am I right in saying that it looks like someone's trying to hack the system? And if so, is there something I can do?

It's an SBS 2008 box.

Actually, now that I think about it. the second error is from a laptop which is on the network but isn't connected to the domain. he connects his Outlook to exchange.

Thanks

-----------------
An account failed to log on.

Subject:
      Security ID:            SYSTEM
      Account Name:            SERVER$
      Account Domain:            DOMAIN
      Logon ID:            0x3e7

Logon Type:                  10

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            administrator
      Account Domain:            SERVER

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xc000006d
      Sub Status:            0xc0000064

Process Information:
      Caller Process ID:      0x2ec4
      Caller Process Name:      C:\Windows\System32\winlogon.exe

Network Information:
      Workstation Name:      SERVER
      Source Network Address:      221.204.230.57
      Source Port:            2244

Detailed Authentication Information:
      Logon Process:            User32
      Authentication Package:      Negotiate
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

-----------------
An account failed to log on.

Subject:
      Security ID:            NULL SID
      Account Name:            -
      Account Domain:            -
      Logon ID:            0x0

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            RICHARD
      Account Domain:            RICHARD-PC

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xc000006d
      Sub Status:            0xc000006a

Process Information:
      Caller Process ID:      0x0
      Caller Process Name:      -

Network Information:
      Workstation Name:      RICHARD-PC
      Source Network Address:      192.168.0.42
      Source Port:            54667

Detailed Authentication Information:
      Logon Process:            NtLmSsp
      Authentication Package:      NTLM
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0
0
Comment
Question by:Talds_Alouds
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 43

Accepted Solution

by:
Davis McCarn earned 500 total points
ID: 39600090
221.204.230.57 is owned by China Telecom and; almost without a doubt, someone is trying to hack into your server.  If you want to start doing something about it get Tweaking.com's Block Ip tool ( http://www.tweaking.com/content/page/remote_desktop_ip_monitor_blocker.html ) and IPNetInfo ( http://www.nirsoft.net/utils/ipnetinfo.html ).  When you get a rash of the failed logins; use the Block IP tool to stop them, IPNetInfo to find the entire range, and learn how to edit the blocked ip's so they cover the entire range.  It will take some time; but, you'll soon have most of the hackers blocked.
0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction At 19:33 (UST) on Tuesday 21st September the long awaited email arrived with the subject title of “ANNOUNCING THE AVAILABILITY OF WINDOWS SBS 7 PREVIEW”.  It was time to drop whatever I was doing and dedicate as much bandwidth as possi…
I've often see, or have been asked, the question about the difference between the Exchange 2010 SP1 version, available as part of Small Business Server (SBS) 2011, and the “normal” Exchange 2010 SP1 Standard. The answer to the question is relativ…
Come and listen to Percona CEO Peter Zaitsev discuss what’s new in Percona open source software, including Percona Server for MySQL (https://www.percona.com/software/mysql-database/percona-server) and MongoDB (https://www.percona.com/software/mongo-…
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question