RE: Hack signature in system log - some insights requested
From: Tulchinskiy, Sasha (STulchinskiy@aspensys.com)
Message-ID: <966D241E5D22D411A31900805F6FED6303CD8637@mailsvr1.aspensys.com>
From: "Tulchinskiy, Sasha" <STulchinskiy@aspensys.com>
To: "'firstname.lastname@example.org'" <email@example.com>, FOCUS-MS@securityfocus.com
Subject: RE: Hack signature in system log - some insights requested
Date: Mon, 23 Jul 2001 14:12:43 -0400
Why don't you try IIS logs? Enable "Client IP address" and "HTTP status" in
the IIS logging properties and watch for 401 - you'll get the attacking
I don't believe that any application has a reason to use "administrator" via
From: dovmar [mailto:firstname.lastname@example.org]
Sent: Friday, July 20, 2001 12:54 AM
Subject: Hack signature in system log - some insights requested
I have a bunch of entries like these in my system event file recorded over
the last couple of days. Some of them are in groups of several dozen, spaced
_exactly_ 5 minutes apart. (I broke up the line for readability):
"7/19/01 7:26:21 PM
The server was unable to logon the Windows NT account 'administrator' due to
the following error: Logon failure: unknown user name or bad password. The
data is the error code."
I assume this is a brute force type of hack attack on the admin password,
but it occurs to me that it _might_ be some process that's trying to login
when we've recently changed the admin password? There are 2 of us that look
after servers, but I believe these started before our recent password
I'd like to know if there's some log that's recording these attempts with an
originating IP address - a la the way IIS logs activity. Failing that, could
you suggest a log method to try to trap the source?
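The reply above suggests enabling "Client IP address" and "HTTP status" in the IIS logging properties and watching for 401 responses. The following script is an added example, not code from either poster: it parses IIS W3C extended log lines, collects 401 responses per client IP, and checks whether the attempts arrive at a fixed interval (the 5-minute spacing dovmar observed). The log lines are constructed for the example; the field names (`c-ip`, `sc-status`, etc.) are the standard W3C extended names IIS writes, and the timestamps are assumed to be UTC, as IIS records them.

```python
"""Summarise 401 responses in an IIS W3C extended log by client IP.

Added example for the thread above; the log content is constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample in the W3C extended format IIS writes once
# "Client IP address" (c-ip) and "HTTP status" (sc-status) are enabled.
# Times are UTC; 23:26:21 UTC is 7:26:21 PM EDT, matching the event log entry.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-07-19 23:00:00
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-stem sc-status
2001-07-19 23:16:21 192.0.2.77 - 198.51.100.10 GET /scripts/admin.asp 401
2001-07-19 23:21:21 192.0.2.77 - 198.51.100.10 GET /scripts/admin.asp 401
2001-07-19 23:26:21 192.0.2.77 - 198.51.100.10 GET /scripts/admin.asp 401
2001-07-19 23:27:02 203.0.113.5 - 198.51.100.10 GET /default.htm 200
2001-07-19 23:31:21 192.0.2.77 - 198.51.100.10 GET /scripts/admin.asp 401
2001-07-19 23:40:00 203.0.113.5 jsmith 198.51.100.10 GET /reports/ 401
"""


def parse_w3c(text):
    """Turn W3C extended log text into a list of dicts keyed by the #Fields names."""
    fields = None
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Directive lines; only #Fields carries information we need.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log data before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def failed_logons_by_ip(records, status="401"):
    """Map client IP -> list of timestamps for responses with the given status."""
    by_ip = defaultdict(list)
    for r in records:
        if r.get("sc-status") == status:
            ts = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
            by_ip[r["c-ip"]].append(ts)
    return by_ip


def regular_interval(timestamps, tolerance_s=2):
    """Return the spacing in seconds if attempts are evenly spaced, else None.

    Evenly spaced attempts are the signature of a scripted/scheduled source
    rather than a person typing passwords.
    """
    if len(timestamps) < 3:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if max(gaps) - min(gaps) <= tolerance_s:
        return round(sum(gaps) / len(gaps))
    return None


def summarise(text, threshold=3):
    """Per-IP report: number of 401s, detected interval, and whether it crosses the threshold."""
    by_ip = failed_logons_by_ip(parse_w3c(text))
    report = {}
    for ip, times in by_ip.items():
        report[ip] = {
            "count": len(times),
            "interval_s": regular_interval(times),
            "suspicious": len(times) >= threshold,
        }
    return report


if __name__ == "__main__":
    for ip, info in summarise(SAMPLE_LOG).items():
        print(ip, info)
```

Run against a real log by replacing `SAMPLE_LOG` with the contents of the IIS log file for the day in question; the interval check is what separates a scheduled job or service with a stale password from a human retrying, and the per-IP count gives the source address the event log lacks.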