|
Posted by Christina Guida on September 26, 2007, 1:44 pm
If you were Registered and logged in, you could reply and use other advanced thread options
We've been getting ALOT
of event 529 and 680 like below recently on our Small Business Server
2003.
Logon Failure:
Reason: Unknown user name or bad password
User Name: demo
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SBSERVER
Caller User Name: SBSERVER$
Caller Domain: EMPROD
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 2160
Transited Services: -
Source Network Address: -
Source Port: -
It seems someone is trying to hack in from the Internet, using some
software to guess at usernames and passwords. I'm wondering if anyone
can give me any ideas on how they're doing it and/or how to stop it.
I did a port scan from outside the network and it found 2 UDP ports
open--69 and 161 (They're for SNMP and TFTP, I think). Thing is, I
can't see where those ports are open in our firewall or on SBS. Also,
our firewall doesn't have logging. Rats. Anyone have any ideas? I'm
wondering what the username SBSERVER$ means--looks like a reference to
the server itself or its C drive...?
TIA
Christina Guida
| 
XML site map