Earlier this week we started having some issues with our older Windows server and I realized that the C drive was 100% full. I did some investigating and found that the culprit had been a DBAccess.log file that increased to over 7 GB in size. I deleted the file (Windows quickly made a new one) and the server started behaving again.
This is the first time this has happened on this server, so I started going through the DBAccess.log file to see what was going on and I am getting a hundred or so of these every day:
******* Error occured in Executing the following: *******
EXEC add_event N'2015-10-30 07:40:42', N'Security', N'Audit Failure', N'5', N'529', N'Security', N'Logon Failure:
Reason: Unknown user name or bad password
User Name: Facilities
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: OUR_SERVER
Caller User Name: OUR_SERVER$
Caller Domain: OUR_DOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 11632
Transited Services: -
Source Network Address: 18.104.22.168
Source Port: 59540
Error Description: Connection failure
Error Number: -2147467259
Native Error Number: 0
Source: Microsoft OLE DB Provider for SQL Server
SQL State: 08S01
They are not always the same; the source port, username, source network address, etc. change, but the "Unknown user name or bad password" is always the error.
Looks like hack attempts to me. My question is, what are they trying to hack (SharePoint maybe?), and how do I block them on the firewall so they can't even attempt it?
Any help would be appreciated.
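Before choosing what to block, it helps to tally which source addresses, account names and logon types these failures involve. The script below is an added example, not part of the original post: it summarizes event 529 entries from text in the DBAccess.log layout quoted above, assuming every entry starts with the same banner line; the function names, sample entries and addresses are constructed.

```python
import re
from collections import Counter

BANNER = "******* Error occured in Executing the following: *******"
EVENT = re.compile(r"EXEC add_event N'([^']*)'(?:, N'[^']*'){3}, N'(\d+)'")
FIELD = re.compile(r"^([A-Za-z ]+):(.*)$", re.MULTILINE)
# Windows logon type codes; 10 is a Terminal Services / Remote Desktop logon.
LOGON_TYPES = {"2": "Interactive", "3": "Network", "10": "RemoteInteractive"}

def parse_entries(text):
    """Return one dict per entry; assumes every entry starts with BANNER."""
    entries = []
    for chunk in text.split(BANNER)[1:]:
        event = EVENT.search(chunk)
        if not event:
            continue  # not an add_event call, skip it
        entry = {k.strip(): v.strip() for k, v in FIELD.findall(chunk)}
        entry["Time"], entry["Event ID"] = event.groups()
        entries.append(entry)
    return entries

def summarize_failures(text):
    """Count event 529 logon failures by source address, user and logon type."""
    by_source, by_user, by_type = Counter(), Counter(), Counter()
    for e in parse_entries(text):
        if e["Event ID"] != "529":
            continue
        by_source[e.get("Source Network Address", "?")] += 1
        by_user[e.get("User Name", "?")] += 1
        code = e.get("Logon Type", "?")
        by_type[LOGON_TYPES.get(code, code)] += 1
    return by_source, by_user, by_type

# Constructed sample data: made-up entries with documentation-range addresses.
def make_entry(time, user, addr, logon_type="10", event_id="529"):
    return (f"{BANNER}\nEXEC add_event N'{time}', N'Security', N'Audit Failure', "
            f"N'5', N'{event_id}', N'Security', N'Logon Failure:\n"
            f"Reason: Unknown user name or bad password\nUser Name: {user}\n"
            f"Logon Type: {logon_type}\nSource Network Address: {addr}\n"
            "Error Description: Connection failure\n")

SAMPLE = (make_entry("2015-10-30 07:40:42", "Facilities", "203.0.113.7")
          + make_entry("2015-10-30 07:40:51", "admin", "203.0.113.7")
          + make_entry("2015-10-30 08:02:13", "scanner", "198.51.100.23"))

if __name__ == "__main__":
    sources, users, types = summarize_failures(SAMPLE)
    for addr, n in sources.most_common():
        print(f"{n:5d}  {addr}")
    print(dict(types))
```

To run it against the real file, pass the contents of DBAccess.log to `summarize_failures` instead of `SAMPLE`.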