Attempted Logon Events on Win2k Servers

From: AC (spam@nospam.com.invalid)
Date: 10/19/02


From: AC <spam@nospam.com.invalid>
Date: Sat, 19 Oct 2002 16:39:43 GMT

I have got hundreds of entries like this in my Security event logs on the
Win2k servers on my network:

Event ID: 681
The logon to account: root
 by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 from workstation: USER-7XD6KSPRG9
 failed. The error code was: 3221225572

Event ID: 529
Logon Failure:
         Reason: Unknown user name or bad password
         User Name: administrator
         Domain: USER-7XD6KSPRG9
         Logon Type: 3
         Logon Process: NtLmSsp
         Authentication Package: NTLM
         Workstation Name: USER-7XD6KSPRG9

I have a very small network, so I know for a fact that there is no
workstation "USER-7XD6KSPRG9", and can only assume that the attacks are
coming from the outside. I have scanned the IIS logs and found no evidence
of such attempts. We have a Cisco router, and I've blocked all of the
following ports:

access-list 101 deny tcp any any eq 137
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny tcp any any eq 138
access-list 101 deny udp any any eq netbios-dgm
access-list 101 deny tcp any any eq 139
access-list 101 deny udp any any eq netbios-ss
access-list 101 deny tcp any any eq 445
access-list 101 deny udp any any eq 445
access-list 101 deny tcp any any eq echo
access-list 101 deny udp any any eq echo
access-list 101 deny tcp any any eq discard
access-list 101 deny udp any any eq discard
access-list 101 deny tcp any any eq 11
access-list 101 deny udp any any eq 11
access-list 101 deny tcp any any eq daytime
access-list 101 deny tcp any any eq 15
access-list 101 deny tcp any any eq chargen
access-list 101 deny udp any any eq 19
access-list 101 deny tcp any any eq finger
access-list 101 deny udp any any eq tftp
access-list 101 deny udp any any eq snmp
access-list 101 deny udp any any eq snmptrap
access-list 101 deny tcp any any eq 135
access-list 101 deny udp any any eq 135

What am I missing? What other ports should I block on the router? How can
I determine who is attempting to break in?

-- 
AC
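A small triage script for the kind of log shown in the post, added here as an example (it is not part of the original message). It parses blank-line-separated 681/529 records in the text format above, decodes the NTSTATUS value that event 681 reports (3221225572 is 0xC0000064, STATUS_NO_SUCH_USER, which matches the "Unknown user name" reason in the 529 entry), counts failures per workstation and account, and flags workstation names that are not in an inventory of known hosts. The inventory (`KNOWN_WORKSTATIONS`) and the third record in `SAMPLE_LOG` are constructed for the example. Note that the workstation name in an NTLM logon event is supplied by the client, and the 529 record shown carries no source address, so answering "who" still requires correlating the timestamps against router or firewall logs.

```python
"""Triage of Windows 2000 failed-logon events (IDs 529 and 681).

Added example: groups failures by source, decodes the 681 error code and
flags workstation names that are not in a (hypothetical) host inventory.
"""
import re
from collections import Counter

# NTSTATUS values commonly carried by event 681; 3221225572 == 0xC0000064.
NTSTATUS_NAMES = {
    0xC0000064: "STATUS_NO_SUCH_USER (unknown user name)",
    0xC000006A: "STATUS_WRONG_PASSWORD (bad password)",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Hypothetical inventory of machines that really exist on the network.
KNOWN_WORKSTATIONS = {"FILESRV1", "WEBSRV1", "ADMIN-PC"}

# Constructed sample: the two records from the post plus one local failure.
SAMPLE_LOG = """\
Event ID: 681
The logon to account: root
 by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 from workstation: USER-7XD6KSPRG9
 failed. The error code was: 3221225572

Event ID: 529
Logon Failure:
         Reason: Unknown user name or bad password
         User Name: administrator
         Domain: USER-7XD6KSPRG9
         Logon Type: 3
         Logon Process: NtLmSsp
         Authentication Package: NTLM
         Workstation Name: USER-7XD6KSPRG9

Event ID: 529
Logon Failure:
         Reason: Unknown user name or bad password
         User Name: jsmith
         Domain: FILESRV1
         Logon Type: 2
         Logon Process: User32
         Authentication Package: Negotiate
         Workstation Name: ADMIN-PC
"""

# Field patterns shared by the 681 and 529 text layouts.
_FIELD = {
    "account": re.compile(r"(?:The logon to account|User Name):\s*(\S+)"),
    "workstation": re.compile(r"(?:from workstation|Workstation Name):\s*(\S+)"),
    "logon_type": re.compile(r"Logon Type:\s*(\d+)"),
    "error_code": re.compile(r"error code was:\s*(\d+)"),
    "reason": re.compile(r"Reason:\s*(.+)"),
}


def decode_status(code):
    """Map a decimal NTSTATUS value (as logged by event 681) to its name."""
    return NTSTATUS_NAMES.get(code, "unknown NTSTATUS 0x%08X" % code)


def parse_events(text):
    """Split blank-line-separated records and extract the triage fields."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        m = re.search(r"Event ID:\s*(\d+)", chunk)
        if not m:
            continue  # not an event record
        ev = {"event_id": int(m.group(1))}
        for key, rx in _FIELD.items():
            f = rx.search(chunk)
            ev[key] = f.group(1).strip() if f else None
        if ev["error_code"] is not None:
            ev["error_code"] = int(ev["error_code"])
            ev["reason"] = decode_status(ev["error_code"])  # 681 has no Reason line
        events.append(ev)
    return events


def failures_by_source(events):
    """Count failed logons per (workstation, account) pair."""
    return Counter((e["workstation"], e["account"]) for e in events)


def unknown_workstations(events, known=KNOWN_WORKSTATIONS):
    """Workstation names that match nothing in the inventory; a name no
    machine on the network carries points to attempts from elsewhere."""
    return {e["workstation"] for e in events
            if e["workstation"] and e["workstation"].upper() not in known}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for (ws, acct), n in failures_by_source(evs).most_common():
        print("%-16s %-14s %d failure(s)" % (ws, acct, n))
    print("workstations not in inventory:", sorted(unknown_workstations(evs)))
```

Run against an exported Security log (dumped to text in this layout), the per-source counts show which account names are being tried and how often, and the inventory check separates noise from local hosts from attempts carrying a name that cannot belong to anything on the network.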