W3SVC event ID 100 dictionary attack?!

From: Liam Curtis (lacurtis_at_optonline.net)
Date: 09/19/03


Date: Fri, 19 Sep 2003 14:09:54 -0400


Hello All,

Just doing a casual check on our win2ksvr, sp4 webserver running IIS5 and
noticed hundreds of these:

Source is W3SVC, event ID is 100: "The server was unable to logon the
Windows NT account 'XXXX' due to the following error: Logon failure: unknown
user name or bad password. The data is the error code. "

Only the XXXX is a different random name in alphabetical order on each
event. The problem is, I have no idea what tool the attacker is using. We
were hacked a month or so back and have since locked down the server...no
FrontPage Extensions, URLScan, etc.

We are behind a firewall on an SSN, as well. The only thing we let thru are
80 and 443. I have seen no 404s or correlations in the IISLOGS.

Any ideas? Thanks in advance!
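
Added example, not part of the original post: one way to check exported W3SVC event ID 100 records for the pattern described above, a different account name on each event, tried in alphabetical order. The sample events, account names, timestamps and thresholds are constructed assumptions.

```python
import re
from datetime import datetime

# Message text of W3SVC event ID 100 as quoted in the post above.
EVENT_100 = re.compile(
    r"unable to logon the Windows NT account '([^']*)' due to the following error: "
    r"Logon failure: unknown user name or bad password")

# Constructed sample records; the line breaks mimic wrapped event descriptions.
TEMPLATE = ("The server was unable to logon the\nWindows NT account '{}' due to the "
            "following error: Logon failure: unknown\nuser name or bad password.")

def _events(accounts):
    """Build constructed (timestamp, message) records one second apart."""
    return [(datetime(2003, 9, 19, 13, 0, i), TEMPLATE.format(a))
            for i, a in enumerate(accounts)]

SAMPLE_WORDLIST = _events(["aaron", "abby", "adam", "admin", "alan", "albert"])
SAMPLE_TYPO = _events(["jsmith", "jsmith", "jsmith"])

def failed_accounts(events):
    """Return (timestamp, account) for each event 100 logon failure, oldest first."""
    out = []
    for ts, message in events:
        m = EVENT_100.search(" ".join(message.split()))  # undo line wrapping
        if m:
            out.append((ts, m.group(1).lower()))
    out.sort(key=lambda hit: hit[0])  # by time only, so ties keep log order
    return out

def assess(events, min_distinct=5, min_ordered=0.9):
    """Flag many distinct accounts tried in alphabetical order (wordlist-style)."""
    hits = failed_accounts(events)
    names = [name for _, name in hits]
    pairs = list(zip(names, names[1:]))
    ordered = sum(a <= b for a, b in pairs) / len(pairs) if pairs else 0.0
    distinct = len(set(names))
    span = (hits[-1][0] - hits[0][0]).total_seconds() if hits else 0.0
    return {"failures": len(names),
            "distinct_accounts": distinct,
            "ordered_ratio": round(ordered, 2),
            "span_seconds": span,
            "wordlist_style": distinct >= min_distinct and ordered >= min_ordered}

if __name__ == "__main__":
    print(assess(SAMPLE_WORDLIST))
    print(assess(SAMPLE_TYPO))
```

The `span_seconds` value gives the time window to compare against the IIS log entries for the same period.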


