Capturing hack/login attempts

From: tech_ed (tech_ed_at_yahoo.com)
Date: 08/28/04


Date: Fri, 27 Aug 2004 23:50:11 -0400

Greets.
I manage a bunch of IIS servers and am seeing quite a bit of traffic
relating to attempts to gain access to my machines.
The information I see is in the event logs.
In the security logs, I see:
Source: Security
Category: Account Logon
Event ID: 681
The logon to account: pubah
 by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 from workstation: IIS0459A
 failed. The error code was: 3221225572

Then the next log says:
Source: Security
Category: login/logoff
Event ID: 529
Logon Failure:
         Reason: Unknown user name or bad password
         User Name: pubah
         Domain: <the server's name>
         Logon Type: 2
         Logon Process: IIS
         Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
         Workstation Name: <the same server name>

Then there is a corresponding log in the system log:
Source: w3scv
Category: None
Event ID: 100
The server was unable to logon the Windows NT account 'pubah' due to the
following error: Logon failure: unknown user name or bad password. The
data is the error code.
For additional information specific to this message please visit the
Microsoft Online Support site located at:
http://www.microsoft.com/contentredirect.asp.

I am getting these by the hundreds every 5 minutes.
It seems to be a dictionary attack.
What I would like to know is if there is some kind of sniffer I can use to
capture these attacks and if so, what should I be capturing and what
trigger should I be monitoring?
Any advice would be appreciated.
Ed
web/gadget guru
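
Added example, not part of the original post: a Python sketch that decodes the decimal error code in Event ID 681 into its NTSTATUS value (3221225572 is 0xC0000064, STATUS_NO_SUCH_USER) and counts failures per five-minute window to surface bursts like the one described. It assumes the security log has been exported as (timestamp, event id, message) tuples; the timestamps and every account except `pubah` are constructed sample data.

```python
import re
from collections import Counter
from datetime import datetime

# NTSTATUS values; Event ID 681 prints them in decimal.
NTSTATUS = {0xC0000064: "STATUS_NO_SUCH_USER",
            0xC000006A: "STATUS_WRONG_PASSWORD",
            0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT"}

ACCOUNT_RE = re.compile(r"logon to account:\s*(\S+)", re.I)
CODE_RE = re.compile(r"error code was:\s*(\d+)", re.I)

def decode_status(decimal_code):
    """Turn the decimal code from event 681 into hex plus a symbolic name."""
    code = int(decimal_code)
    return "0x%08X %s" % (code, NTSTATUS.get(code, "UNKNOWN"))

def parse_681(message):
    """Return (account, decoded status) from a 681 message, or None."""
    acct, code = ACCOUNT_RE.search(message), CODE_RE.search(message)
    if not (acct and code):
        return None
    return acct.group(1), decode_status(code.group(1))

def flag_windows(events, window_minutes=5, threshold=3):
    """Count 681 failures per fixed window; return windows at/above threshold."""
    windows = {}
    for stamp, event_id, message in events:
        parsed = parse_681(message) if event_id == 681 else None
        if parsed is None:
            continue
        t = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        start = t.replace(minute=t.minute - t.minute % window_minutes, second=0)
        w = windows.setdefault(start, {"accounts": Counter(), "status": Counter()})
        w["accounts"][parsed[0]] += 1
        w["status"][parsed[1]] += 1
    return {s: w for s, w in windows.items()
            if sum(w["accounts"].values()) >= threshold}

# Constructed sample events (timestamps and all accounts except 'pubah' are made up).
MSG = ("The logon to account: %s by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 "
       "from workstation: IIS0459A failed. The error code was: %d")
SAMPLE = [("2004-08-27 23:45:02", 681, MSG % ("pubah", 3221225572)),
          ("2004-08-27 23:45:03", 681, MSG % ("admin1", 3221225572)),
          ("2004-08-27 23:46:40", 681, MSG % ("webuser", 3221225578)),
          ("2004-08-27 23:47:10", 529, "Logon Failure: Reason: Unknown user name or bad password"),
          ("2004-08-27 23:51:00", 681, MSG % ("pubah", 3221225572))]

if __name__ == "__main__":
    for start, w in sorted(flag_windows(SAMPLE).items()):
        print(start, dict(w["accounts"]), dict(w["status"]))
```

A window dominated by STATUS_NO_SUCH_USER across many distinct account names points to username guessing, while repeated STATUS_WRONG_PASSWORD against one name points to password guessing on an existing account.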


