Attempted Logon Events on Win2k Servers

From: AC (spam@nospam.com.invalid)
Date: 10/19/02

I have got hundreds of entries like this in my Security event logs on the
Win2k servers on my network:

Event ID: 681
The logon to account: root
 by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 from workstation: USER-7XD6KSPRG9
 failed. The error code was: 3221225572

Event ID: 529
Logon Failure:
         Reason: Unknown user name or bad password
         User Name: administrator
         Domain: USER-7XD6KSPRG9
         Logon Type: 3
         Logon Process: NtLmSsp
         Authentication Package: NTLM
         Workstation Name: USER-7XD6KSPRG9

I have a very small network, so I know for a fact that there is no
workstation "USER-7XD6KSPRG9", and can only assume that the attacks are
coming from the outside. I have scanned the IIS logs and found no evidence
of such attempts. We have a Cisco router, and I've blocked all of the
following ports:

access-list 101 deny tcp any any eq 137
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny tcp any any eq 138
access-list 101 deny udp any any eq netbios-dgm
access-list 101 deny tcp any any eq 139
access-list 101 deny udp any any eq netbios-ss
access-list 101 deny tcp any any eq 445
access-list 101 deny udp any any eq 445
access-list 101 deny tcp any any eq echo
access-list 101 deny udp any any eq echo
access-list 101 deny tcp any any eq discard
access-list 101 deny udp any any eq discard
access-list 101 deny tcp any any eq 11
access-list 101 deny udp any any eq 11
access-list 101 deny tcp any any eq daytime
access-list 101 deny tcp any any eq 15
access-list 101 deny tcp any any eq chargen
access-list 101 deny udp any any eq 19
access-list 101 deny tcp any any eq finger
access-list 101 deny udp any any eq tftp
access-list 101 deny udp any any eq snmp
access-list 101 deny udp any any eq snmptrap
access-list 101 deny tcp any any eq 135
access-list 101 deny udp any any eq 135

What am I missing? What other ports should I block on the router? How can
I determine who is attempting to break in?

-- 
AC
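
As an added example (not from the original post or any reply to it), the following Python script parses Security-log text in the 529/681 form quoted above, decodes the 681 error code (3221225572 is 0xC0000064, STATUS_NO_SUCH_USER, which matches the "Unknown user name" reason in the 529 record) and tallies failed attempts per reported workstation name and account; the sample log text is constructed from the two records in the post.

```python
import re
from collections import Counter

# NTSTATUS values that event 681 reports as a decimal "error code".
NTSTATUS = {0xC0000064: "STATUS_NO_SUCH_USER", 0xC000006A: "STATUS_WRONG_PASSWORD",
            0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT"}

ACCOUNT_RE = re.compile(r"(?:The logon to account:|User Name:)\s*(\S+)")
WKS_RE = re.compile(r"(?:from workstation:|Workstation Name:)\s*(\S+)")
CODE_RE = re.compile(r"error code was:\s*(\d+)")

# Constructed sample modelled on the two records in the post, plus one unrelated event (538).
SAMPLE = """Event ID: 681
The logon to account: root
 by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 from workstation: USER-7XD6KSPRG9
 failed. The error code was: 3221225572
Event ID: 529
Logon Failure:
         Reason: Unknown user name or bad password
         User Name: administrator
         Workstation Name: USER-7XD6KSPRG9
Event ID: 538
User Logoff:
"""

def decode_status(code):
    """Translate the decimal code to its NTSTATUS name (hex shown when unknown)."""
    return NTSTATUS.get(code, "UNKNOWN_0x%08X" % code)

def parse_failed_logons(text):
    """Return one dict per 529/681 record; other event IDs are skipped."""
    records = []
    for chunk in re.split(r"(?m)^(?=Event ID:)", text):
        m = re.match(r"Event ID:\s*(\d+)", chunk)
        if not m or m.group(1) not in ("529", "681"):
            continue
        acct, wks, code = (rx.search(chunk) for rx in (ACCOUNT_RE, WKS_RE, CODE_RE))
        records.append({
            "id": int(m.group(1)),
            "account": acct.group(1) if acct else None,
            "workstation": wks.group(1) if wks else None,
            "status": decode_status(int(code.group(1))) if code else None,
        })
    return records

def attempts_by_source(records):
    """Tally (workstation, account) pairs so a burst from one unknown name stands out."""
    return Counter((r["workstation"], r["account"]) for r in records)
```

The workstation name in these records is whatever the client supplied, and Windows 2000's 529/681 events carry no source IP address, so the name alone cannot identify the origin; correlate the event timestamps with router or firewall logs for ports 139/445 to find the originating address.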