Re: Hack signature in system log - some insights requested

From: Jonathan (jon_list@driftwood.net)
Date: 07/23/01


Message-Id: <5.1.0.14.2.20010723121750.021d9670@mail.driftwood.net>
Date: Mon, 23 Jul 2001 12:18:41 -0500
To: <dovmar@starpower.net>, <FOCUS-MS@securityfocus.com>
From: Jonathan <jon_list@driftwood.net>
Subject: Re: Hack signature in system log - some insights requested

Do you have auditing turned on? If you turn on security auditing, you
should be able to get some more meaningful info in the security log.

At 12:53 AM 7/20/01 -0400, dovmar wrote:
>Hi all,
>
>I have a bunch of entries like these in my system event file recorded over
>the last couple of days. Some of them are in groups of several dozen, spaced
>_exactly_ 5 minutes apart. (I broke up the line for readability):
>
>"7/19/01 7:26:21 PM
>W3SVC Warning
>None
>100
>N/A
>SERVERNAME HERE
>The server was unable to logon the Windows NT account 'administrator' due to
>the following error: Logon failure: unknown user name or bad password. The
>data is the error code."
>
>I assume this is a brute force type of hack attack on the admin password,
>but it occurs to me that it _might_ be some process that's trying to log in
>when we've recently changed the admin password? There are 2 of us that look
>after servers, but I believe these started before our recent password
>changes.
>
>I'd like to know if there's some log that's recording these attempts with an
>originating IP address - a la the way IIS logs activity. Failing that, could
>you suggest a log method to try to trap the source?
>
>Thanks
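As an added example (not from the thread), the check a defender would run on what dovmar describes: parse the W3SVC event 100 lines, flag runs spaced exactly 5 minutes apart (the fingerprint of a scheduled task or service retrying a stale password rather than a person typing guesses), and correlate each event with 401 entries in the IIS W3C log to recover the client IP that the system log never records. The event and IIS lines are constructed samples; the IIS field order, the UTC-4 offset and the 5-second match window are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: the W3SVC event 100 entries from the post, one per line.
# Three are exactly 5 minutes apart (scheduled-job fingerprint), the fourth is not.
EVENT_TMPL = ("{} W3SVC Warning None 100 N/A SRV1 The server was unable to logon the "
              "Windows NT account 'administrator' due to the following error: Logon failure.")
SYSTEM_EVENTS = [EVENT_TMPL.format(t) for t in (
    "7/19/01 7:26:21 PM", "7/19/01 7:31:21 PM", "7/19/01 7:36:21 PM", "7/19/01 9:02:07 PM")]

# Constructed IIS log in W3C extended format. IIS stamps these in UTC while the event
# log above is the poster's local time (EDT, UTC-4), so the correlation must convert.
IIS_LOG = """#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status
2001-07-19 23:26:22 192.0.2.77 administrator 198.51.100.10 80 GET /admin/ 401
2001-07-19 23:31:22 192.0.2.77 administrator 198.51.100.10 80 GET /admin/ 401
2001-07-19 23:36:22 192.0.2.77 administrator 198.51.100.10 80 GET /admin/ 401
2001-07-19 23:40:00 203.0.113.5 - 198.51.100.10 80 GET /index.htm 200
2001-07-20 01:02:08 203.0.113.5 administrator 198.51.100.10 80 GET /admin/ 401"""

EVENT_RE = re.compile(r"^(\S+ \S+ [AP]M) W3SVC .*\b100\b.*account '([^']+)'")

def parse_events(lines):
    """(local datetime, account) for every W3SVC event-100 logon-failure line."""
    return [(datetime.strptime(m.group(1), "%m/%d/%y %I:%M:%S %p"), m.group(2))
            for m in map(EVENT_RE.match, lines) if m]

def periodic_runs(times, period_s=300, min_len=3):
    """Runs of >= min_len timestamps spaced exactly period_s apart (a scheduler, not a human)."""
    times = sorted(times)
    runs, run = [], times[:1]
    for prev, cur in zip(times, times[1:]):
        if cur - prev != timedelta(seconds=period_s):   # gap breaks the run
            runs += [run] if len(run) >= min_len else []
            run = []
        run.append(cur)
    return runs + ([run] if len(run) >= min_len else [])

def suspect_ips(events, iis_log, utc_offset_h, window_s=5):
    """Count the c-ip of 401 hits for the same account within window_s after each event."""
    rows = [l.split() for l in iis_log.splitlines() if l and not l.startswith("#")]
    hits = Counter()
    for local_ts, acct in events:
        utc_ts = local_ts - timedelta(hours=utc_offset_h)   # event log local -> IIS UTC
        for date, time, c_ip, user, *_, status in rows:
            if status != "401" or user != acct:
                continue
            delta = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S") - utc_ts
            if 0 <= delta.total_seconds() <= window_s:
                hits[c_ip] += 1
    return hits
```

Run against real data, point `SYSTEM_EVENTS` at the exported system log and `IIS_LOG` at the W3SVC log for the same day; a single c-ip behind an exactly periodic run points at one misconfigured client rather than a distributed guessing campaign.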
