RE: Hack signature in system log - some insights requested

From: "Tulchinskiy, Sasha"
Date: Mon, 23 Jul 2001 14:12:43 -0400
Subject: RE: Hack signature in system log - some insights requested

Why don't you try IIS logs? Enable "Client IP address" and "HTTP status" in
the IIS logging properties and watch for 401 - you'll get the attacking
source IP.

I don't believe that any application has a reason to use "administrator" via


-----Original Message-----
From: dovmar
Sent: Friday, July 20, 2001 12:54 AM
Subject: Hack signature in system log - some insights requested

Hi all,

I have a bunch of entries like these in my system event file recorded over
the last couple of days. Some of them are in groups of several dozen, spaced
_exactly_ 5 minutes apart (I broke up the line for readability):

"7/19/01 7:26:21 PM
W3SVC Warning
The server was unable to logon the Windows NT account 'administrator' due to
the following error: Logon failure: unknown user name or bad password. The
data is the error code."

I assume this is a brute force type of hack attack on the admin password,
but it occurs to me that it _might_ be some process that's trying to login
when we've recently changed the admin password? There are 2 of us that look
after servers, but I believe these started before our recent password

I'd like to know if there's some log that's recording these attempts with an
originating IP address - a la the way IIS logs activity. Failing that, could
you suggest a log method to try to trap the source?
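Sasha's suggestion above (enable "Client IP address" and "HTTP status" in the IIS logging properties and watch for 401s), applied to dovmar's question about trapping the source, as an added example that is not part of the original thread: a small Python script that reads a W3C extended log, groups 401 responses by c-ip, and flags any client whose failures arrive exactly 5 minutes apart. The log sample is constructed, the 300-second interval is an assumption, and the field names follow the W3C extended format IIS writes (times in GMT).

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of an IIS W3C extended log with "Client IP address"
# (c-ip) and "HTTP status" (sc-status) enabled. IIS writes W3C times in GMT.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-07-19 23:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2001-07-19 23:16:21 10.0.0.77 - GET /default.htm 200
2001-07-19 23:21:21 10.0.0.5 administrator GET /admin/ 401
2001-07-19 23:26:21 10.0.0.5 administrator GET /admin/ 401
2001-07-19 23:31:21 10.0.0.5 administrator GET /admin/ 401
2001-07-19 23:32:05 10.0.0.9 - GET /secure/ 401
2001-07-19 23:36:21 10.0.0.5 administrator GET /admin/ 401
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # drop the "#Fields:" token
        elif line.startswith("#") or not line.strip():
            continue                           # other directives / blank lines
        elif fields:
            yield dict(zip(fields, line.split()))

def failed_logons(text, interval_s=300):
    """Group 401 responses by client IP and flag IPs whose 401s arrive exactly
    interval_s seconds apart (a scheduled process rather than a person)."""
    by_ip = defaultdict(list)
    for row in parse_w3c(text):
        if row["sc-status"] == "401":
            stamp = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            by_ip[row["c-ip"]].append((stamp, row["cs-username"]))
    report = {}
    for ip, hits in by_ip.items():
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        report[ip] = {
            "count": len(hits),
            "users": sorted({u for _, u in hits}),
            "scheduled": len(gaps) > 0 and all(g == interval_s for g in gaps),
        }
    return report

if __name__ == "__main__":
    for ip, info in failed_logons(SAMPLE_LOG).items():
        print(ip, info)
```

A client flagged as scheduled with a real account name in cs-username is worth checking against your own job schedulers before treating it as an attacker.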