Hack signature in system log - some insights requested

From: dovmar (dovmar@starpower.net)
Date: 07/20/01


From: "dovmar" <dovmar@starpower.net>
To: <FOCUS-MS@securityfocus.com>
Subject: Hack signature in system log - some insights requested
Date: Fri, 20 Jul 2001 00:53:30 -0400
Message-ID: <NEBBJAILALHBJPGFGKEPGEGCCDAA.dovmar@starpower.net>

Hi all,

I have a bunch of entries like these in my system event file recorded over
the last couple of days. Some of them are in groups of several dozen, spaced
_exactly_ 5 minutes apart. (I broke up the line for readability):

"7/19/01 7:26:21 PM
W3SVC Warning
None
100
N/A
SERVERNAME HERE
The server was unable to logon the Windows NT account 'administrator' due to
the following error: Logon failure: unknown user name or bad password. The
data is the error code."

I assume this is a brute force type of hack attack on the admin password,
but it occurs to me that it _might_ be some process that's trying to login
when we've recently changed the admin password? There are 2 of us that look
after servers, but I believe these started before our recent password
changes.

I'd like to know if there's some log that's recording these attempts with an
originating IP address - a la the way IIS logs activity. Failing that, could
you suggest a log method to try to trap the source?

Thanks
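One way to check the "scheduled process vs. brute force" question raised in the post is to parse an Event Viewer export and test whether the W3SVC event 100 failures come in runs with a fixed interval. The script below is an added example, not code from the poster; it assumes a tab-separated export with the fields in the order the post quotes them, and the sample records are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample export: one record per line, tab-separated fields in the
# order quoted in the post (date/time, source, type, category, event id,
# user, computer, message). Four hits exactly 5 minutes apart, then a burst.
MSG = ("The server was unable to logon the Windows NT account '{acct}' due to "
       "the following error: Logon failure: unknown user name or bad password.")

def _rec(when, acct="administrator"):
    return "\t".join([when, "W3SVC", "Warning", "None", "100", "N/A",
                      "SERVERNAME", MSG.format(acct=acct)])

SAMPLE_EXPORT = "\n".join([
    _rec("7/19/01 7:21:21 PM"), _rec("7/19/01 7:26:21 PM"),
    _rec("7/19/01 7:31:21 PM"), _rec("7/19/01 7:36:21 PM"),
    _rec("7/19/01 9:02:03 PM"), _rec("7/19/01 9:02:05 PM"), _rec("7/19/01 9:02:09 PM"),
])

ACCOUNT_RE = re.compile(r"account '([^']+)'")

def parse_export(text):
    """Turn the assumed tab-separated export into dicts with a real datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split("\t")
        m = ACCOUNT_RE.search(f[7])
        records.append({"time": datetime.strptime(f[0], "%m/%d/%y %I:%M:%S %p"),
                        "source": f[1], "event_id": int(f[4]),
                        "account": m.group(1) if m else None})
    return records

def find_clusters(records, event_id=100, period=timedelta(minutes=5),
                  tolerance=timedelta(seconds=2), max_gap=timedelta(minutes=30)):
    """Group failures per account into clusters (gaps <= max_gap) and label each
    cluster 'periodic' when every gap matches `period` (a scheduled retry with a
    stale credential), otherwise 'irregular' (more like interactive guessing)."""
    hits = sorted((r["time"], r["account"]) for r in records if r["event_id"] == event_id)
    clusters, cur = [], []
    for ts, acct in hits:
        if cur and (ts - cur[-1][0] > max_gap or acct != cur[-1][1]):
            clusters.append(cur)
            cur = []
        cur.append((ts, acct))
    if cur:
        clusters.append(cur)
    out = []
    for c in clusters:
        gaps = [b[0] - a[0] for a, b in zip(c, c[1:])]
        periodic = len(c) >= 3 and all(abs(g - period) <= tolerance for g in gaps)
        out.append({"account": c[0][1], "start": c[0][0], "end": c[-1][0],
                    "count": len(c), "kind": "periodic" if periodic else "irregular"})
    return out
```

The start/end times of each cluster give the windows to line up against the IIS logs, which do carry the client address.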