Large DBAccess.log on SBS 2003, Hack Attempts?

Earlier this week we started having some issues with our older Windows server and I realized that the C drive was 100% full.  I did some investigating and found that the culprit had been a DBAccess.log file that increased to over 7 GB in size.  I deleted the file (Windows quickly made a new one) and the server started behaving again.

This is the first time this has happened on this server, so I started going through the DBAccess.log file to see what was going on and I am getting a hundred or so of these every day:

******* Error occured in Executing the following: *******
EXEC add_event N'2015-10-30 07:40:42', N'Security', N'Audit Failure', N'5', N'529', N'Security', N'Logon Failure:
      Reason:            Unknown user name or bad password
      User Name:      Facilities
      Domain:            OUR_DOMAIN
      Logon Type:      10
      Logon Process:      User32
      Authentication Package:      Negotiate
      Workstation Name:      OUR_SERVER
      Caller User Name:      OUR_SERVER$
      Caller Domain:      OUR_DOMAIN
      Caller Logon ID:      (0x0,0x3E7)
      Caller Process ID:      11632
      Transited Services:      -
      Source Network Address:      103.237.145.7
      Source Port:      59540
'
Error Description: Connection failure
Error Number: -2147467259
Native Error Number: 0
Source: Microsoft OLE DB Provider for SQL Server
SQL State: 08S01

They are not always the same (the source port, username, source network address, etc. change), but "Unknown user name or bad password" is always the error.

Looks like hack attempts to me.  My question is, what are they trying to hack (Sharepoint maybe?), and how do I block them on the firewall so they can't even attempt it?

Any help would be appreciated.
Asked by beigs
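As an added example (not from the original post, and not anything Experts Exchange provides), here is a Python script that parses entries in the DBAccess.log layout shown above, keeps the 529 logon-failure events, and tallies them per source address and username. Logon type 10 is RemoteInteractive, i.e. a Terminal Services/Remote Desktop logon, so the mapping in the script answers "what are they trying to hack" directly from the event text. The sample log is constructed inside the script (the addresses 203.0.113.9 and 192.168.1.20, the usernames and the timestamps are made up), and the threshold of three failures per source is an arbitrary choice.

```python
import re
from collections import Counter, defaultdict

# Windows logon types seen in 529 events. Type 10 is RemoteInteractive,
# i.e. a Terminal Services / Remote Desktop logon.
LOGON_TYPES = {"2": "Interactive", "3": "Network", "10": "RemoteInteractive (RDP)"}

ENTRY_MARKER = "******* Error occured in Executing the following: *******"
HEADER_RE = re.compile(
    r"EXEC add_event N'(?P<time>[^']*)', N'[^']*', N'(?P<audit>[^']*)', "
    r"N'[^']*', N'(?P<event_id>\d+)'"
)
# Indented "Key:   value" lines inside the quoted event description.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")


def make_entry(time, user, logon_type, src, port):
    """Build one constructed log entry in the DBAccess.log layout from the
    question. Sample data only, not a real log."""
    return (
        f"{ENTRY_MARKER}\n"
        f"EXEC add_event N'{time}', N'Security', N'Audit Failure', N'5', N'529', "
        f"N'Security', N'Logon Failure:\n"
        "      Reason:            Unknown user name or bad password\n"
        f"      User Name:      {user}\n"
        "      Domain:            OUR_DOMAIN\n"
        f"      Logon Type:      {logon_type}\n"
        "      Logon Process:      User32\n"
        "      Authentication Package:      Negotiate\n"
        "      Workstation Name:      OUR_SERVER\n"
        "      Caller User Name:      OUR_SERVER$\n"
        f"      Source Network Address:      {src}\n"
        f"      Source Port:      {port}\n"
        "'\n"
        "Error Description: Connection failure\n"
        "Error Number: -2147467259\n"
        "Source: Microsoft OLE DB Provider for SQL Server\n"
        "SQL State: 08S01\n\n"
    )


# Constructed sample: one remote source guessing several account names over RDP,
# a second remote source doing the same, and one local user who mistyped once.
SAMPLE_LOG = "".join([
    make_entry("2015-10-30 07:40:42", "Facilities", "10", "103.237.145.7", "59540"),
    make_entry("2015-10-30 07:40:51", "Administrator", "10", "103.237.145.7", "59551"),
    make_entry("2015-10-30 07:41:03", "Guest", "10", "103.237.145.7", "59567"),
    make_entry("2015-10-30 07:41:20", "Sales", "10", "103.237.145.7", "59580"),
    make_entry("2015-10-30 08:02:10", "admin", "10", "203.0.113.9", "41022"),
    make_entry("2015-10-30 08:02:14", "administrator", "10", "203.0.113.9", "41030"),
    make_entry("2015-10-30 08:02:19", "test", "10", "203.0.113.9", "41041"),
    make_entry("2015-10-30 09:15:00", "jsmith", "3", "192.168.1.20", "1345"),
])


def parse_dbaccess_log(text):
    """Split the log at each entry marker, read the event id from the
    add_event header, then collect the 'Key: value' fields that sit between
    the header and the closing quote of the event description."""
    events = []
    for chunk in text.split(ENTRY_MARKER)[1:]:
        head = HEADER_RE.search(chunk)
        if not head:
            continue
        ev = {"time": head["time"], "audit": head["audit"], "event_id": head["event_id"]}
        body = chunk[head.end():].split("\n'", 1)[0]
        for line in body.splitlines():
            m = FIELD_RE.match(line)
            if m:
                ev[m["key"]] = m["val"]
        events.append(ev)
    return events


def brute_force_report(events, threshold=3):
    """Count 529 (logon failure) events per source address. Returns the
    per-source Counter and a list of sources at or above the threshold,
    with the usernames tried and the logon types used against each."""
    per_source = Counter()
    users = defaultdict(set)
    types = defaultdict(set)
    for ev in events:
        if ev["event_id"] != "529":
            continue
        src = ev.get("Source Network Address", "-")
        per_source[src] += 1
        users[src].add(ev.get("User Name", "?"))
        types[src].add(LOGON_TYPES.get(ev.get("Logon Type", ""), "other"))
    flagged = [
        {"source": src, "failures": n,
         "users": sorted(users[src]), "logon_types": sorted(types[src])}
        for src, n in per_source.most_common() if n >= threshold
    ]
    return per_source, flagged


if __name__ == "__main__":
    _, flagged = brute_force_report(parse_dbaccess_log(SAMPLE_LOG))
    for f in flagged:
        print(f"{f['source']}: {f['failures']} failures, users {f['users']}, via {f['logon_types']}")
```

Run it against the real file by replacing SAMPLE_LOG with the contents of DBAccess.log; the sources it flags, together with "RemoteInteractive" as the logon type, tell you the attempts are Remote Desktop logons and not SharePoint or SQL traffic. The local user with a single failure stays below the threshold, which is the point of counting per source rather than alerting on every 529.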
btan (Exec Consultant) commented:
It does look like a hack or brute force attempt via the User32 logon process, i.e. an account failed to log on, hence the 529 event ID. Furthermore, the logon is remote, based on the reported logon type 10. The connection to the DB failed, and it came to the point where writing such events via add_event failed due to the file size.

It would be good to close off any remote service and have the firewall drop the 3388 attempts, allowing only whitelisted IP machines to connect to it. Observe for any recurrences and scope down to those machines to check further who is using them and what activity was logged during that period.

There is a past patch related to event 529 that is required for such logoff audits generated when a local user logs off: https://support.microsoft.com/en-us/kb/811082

Nonetheless, I suspect that either services or workstations (based on the IP) may also be attempting to connect to the database using a user account.

Davis McCarn (Owner) commented:
Unless you are located in Vietnam or have users in that country, someone is trying to hack in from there.  What I did several years ago was to get a copy of Tweaking.com's Remote Desktop IP Monitor & Blocker, install it, and then start using it to block IPs.  A little bit of studying then let me edit those blocks to include the entire range of addresses owned by the offending one.  I now have most of Southeast Asia, parts of Europe, South America, and Africa blocked, and the attempts have subsided to a rare occurrence.
http://www.tweaking.com/content/page/remote_desktop_ip_monitor_blocker.html
Tool to get WHOIS info on IP's:
http://www.nirsoft.net/utils/ipnetinfo.html
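As an added example (not from Davis McCarn's post and not the Tweaking.com tool's code), here is the range-expansion step done in the Python standard library: each offending address is widened to the address block its WHOIS record covers, the blocks are collapsed to a minimal CIDR list, and any network you still need to reach is carved out before the list goes into the firewall. The WHOIS ranges and the allow-listed network below are hypothetical values written into the script, not real allocations; look the real ones up with the IPNetInfo tool linked above (or `whois`) before blocking anything.

```python
import ipaddress

# Constructed example data. 103.237.145.7 is the address from the log; the
# other offenders, the WHOIS ranges and the allow-listed network are
# hypothetical values for the example, not real allocations.
OFFENDERS = ["103.237.145.7", "203.0.113.9", "198.51.100.77"]
ASSUMED_WHOIS_RANGES = {
    "103.237.145.7": ("103.237.144.0", "103.237.147.255"),
    "203.0.113.9": ("203.0.113.0", "203.0.113.255"),
    # 198.51.100.77 deliberately has no range: it is blocked as a single host.
}
# Hypothetical: a partner network you do deal with that sits inside one of the ranges.
ALLOW_LIST = ["103.237.146.0/24"]


def ranges_to_cidrs(ranges):
    """Turn (first, last) address pairs into the minimal set of CIDR blocks,
    merging adjacent or overlapping blocks."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return list(ipaddress.collapse_addresses(nets))


def carve_out(nets, allowed):
    """Remove allow-listed networks from a list of deny networks. A deny block
    that contains an allowed network is split around it; a deny block that
    lies entirely inside an allowed network is dropped."""
    result = []
    for net in nets:
        pieces = [net]
        for a in allowed:
            kept = []
            for piece in pieces:
                if piece.subnet_of(a):
                    continue
                if a.subnet_of(piece):
                    kept.extend(piece.address_exclude(a))
                else:
                    kept.append(piece)
            pieces = kept
        result.extend(pieces)
    return sorted(ipaddress.collapse_addresses(result))


def build_block_list(offenders, whois_ranges, allow_list):
    """Expand each offender to its WHOIS range (or a single host when the
    range is unknown) and subtract the allow list."""
    ranges = [whois_ranges.get(ip, (ip, ip)) for ip in offenders]
    allowed = [ipaddress.ip_network(a) for a in allow_list]
    return carve_out(ranges_to_cidrs(ranges), allowed)


def is_blocked(ip, block_list):
    """Check an address against the finished deny list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in block_list)


if __name__ == "__main__":
    blocks = build_block_list(OFFENDERS, ASSUMED_WHOIS_RANGES, ALLOW_LIST)
    for net in blocks:
        print("deny", net)
    for ip in ("103.237.145.7", "103.237.146.10", "192.168.1.20"):
        print(ip, "blocked" if is_blocked(ip, blocks) else "allowed")
```

Blocking by WHOIS range cuts off the whole netblock, so test addresses you must still reach (a vendor's mail server, a branch office VPN) with `is_blocked` before the list goes onto the firewall; the carve-out exists precisely so those stay reachable while the rest of the range is dropped.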
btan (Exec Consultant) commented:
Indeed, and the reverse IP lookup for that address leads to the hosts below, which seems strange, especially if you do not have any dealings with them. Also, do not expose your database to the internet, and check the firewall logs for any persistent events logged; it does not seem right.
1      gialonghousing.com
2      nhadatmienbac.com
3      sudico.com
4      kt13.net
5      mail.sieuthiblackberry.com
6      *.sudico.com
7      hanoirealestate.com.vn
8      hoanghuy.com.vn
Windows Server 2003