Re: Hack signature in system log - some insights requested
From: H C (keydet89@yahoo.com)
Date: 07/23/01
- Previous message: Jonathan: "Re: Hack signature in system log - some insights requested"
- In reply to: dovmar: "Hack signature in system log - some insights requested"
- Next in thread: Tulchinskiy, Sasha: "RE: Hack signature in system log - some insights requested"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <20010723211220.43805.qmail@web14609.mail.yahoo.com>
Date: Mon, 23 Jul 2001 14:12:20 -0700 (PDT)
From: H C <keydet89@yahoo.com>
Subject: Re: Hack signature in system log - some insights requested
To: dovmar@starpower.net, FOCUS-MS@securityfocus.com
DovMar,
A couple of questions:
1. You said you think that this started before you
had a password change on the system. What account is
the W3SVC service running under?
2. Were you able to correspond any of the IIS log
file entries to the activity you saw in your System
EventLog? If so, what was that activity?
3. How is your system configured that logon failures
appear in the System EventLog? Usually, they appear
in the Security EventLog.
Hopefully, in looking at these questions, perhaps
something helpful may occur.
--- dovmar <dovmar@starpower.net> wrote:
> Hi all,
>
> I have a bunch of entries like these in my system
> event file recorded over
> the last couple of days. Some of them are in groups
> of several dozen, spaced
> _exactly_ 5 minutes apart. (I broke up the line for
> readability):
>
> "7/19/01 7:26:21 PM
> W3SVC Warning
> None
> 100
> N/A
> SERVERNAME HERE
> The server was unable to logon the Windows NT
> account 'administrator' due to
> the following error: Logon failure: unknown user
> name or bad password. The
> data is the error code."
>
> I assume this is a brute force type of hack attack
> on the admin password,
> but it occurs to me that it _might_ be some process
> that's trying to login
> when we've recently changed the admin password?
> There are 2 of us that look
> after servers, but I believe these started before
> our recent password
> changes.
>
> I'd like to know if there's some log that's
> recording these attempts with an
> originating IP address - a la the way IIS logs
> activity. Failing that, could
> you suggest a log method to try to trap the source?
>
> Thanks
>
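The correlation asked about in question 2 above, sketched as an added example that is not part of either poster's message: it lines up the local timestamps of the W3SVC warnings with IIS W3C extended log entries to surface the originating client IP. The log lines, event times, IP addresses and the UTC offset are constructed sample values, and treating an HTTP 401 as the request behind each warning is an assumption.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of an IIS W3C extended log. This format records
# date and time in UTC, not in the server's local time.
IIS_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-07-19 23:21:20 192.0.2.10 GET /default.htm 200
2001-07-19 23:26:20 198.51.100.7 GET /secure/ 401
2001-07-19 23:26:21 198.51.100.7 GET /secure/ 401
2001-07-19 23:26:40 192.0.2.10 GET /images/logo.gif 200
2001-07-19 23:31:21 198.51.100.7 GET /secure/ 401
"""

# Constructed sample: local-time stamps of W3SVC event ID 100 warnings,
# in the format shown in the quoted event text.
EVENTS = ["7/19/01 7:26:21 PM", "7/19/01 7:31:21 PM"]


def parse_iis(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(
                row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            rows.append(row)
    return rows


def correlate(events, rows, utc_offset_hours, window_s=5):
    """Count 401 responses per client IP within window_s of each event.

    utc_offset_hours is the server's local offset from UTC (assumption:
    supplied by the operator, e.g. -4), used to convert event times to UTC.
    """
    hits = Counter()
    for ev in events:
        local = datetime.strptime(ev, "%m/%d/%y %I:%M:%S %p")
        utc = local - timedelta(hours=utc_offset_hours)
        for r in rows:
            delta = abs((r["ts"] - utc).total_seconds())
            if r["sc-status"] == "401" and delta <= window_s:
                hits[r["c-ip"]] += 1
    return hits


if __name__ == "__main__":
    for ip, n in correlate(EVENTS, parse_iis(IIS_LOG), -4).most_common():
        print(ip, n)
```

If the offset is wrong the events match nothing, so an empty result is a prompt to check the time zone before concluding that the IIS logs hold no matching requests.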