Logon Attempt Stopped - Hack? Intruder?
- From: "Paul Proefrock" <proefrock@xxxxxxxxxxxxx>
- Date: Fri, 26 May 2006 16:06:02 -0500
We had a recent entry in our Security Log, showing someone had tried to log on remotely with a user name not in our system. The log said they tried repeated passwords. The user name they attempted was "webmaster". It looks as if they tried entry about 15 times in a 3 minute span, then again about 8 times, two hours later. I don't see any further attempts or signs of entry.
This smells fishy to me and I am curious if I should take any additional steps to maintain our security. We do not use a domain name but an IP address for our box so someone would have to know the address to hit it. We have locked down all ports except those necessary for our VPN and RWW/Remote Access. Our passwords are the secure type but we don't change them regularly. There are five users on the system and no one has left the company that would point at a disgruntled ex-employee.
Should I be doing anything else? Our SBS2003 SP1 box sits behind a Linksys router with 2 NIC cards. Typical 192.168.1.1 outside addresses, 192.168.16.xxx inside addresses. The passwords into the router and server are 9 character alpha/numeric/symbol so are relatively secure.
This is the info from the Event ID (529) Info:
Logon Failure:
Reason: Unknown user name or bad password
User Name: webmaster
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: OUTER
Caller User Name: OUTER$
Caller Domain: HRTLND
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 816
Transited Services: -
Source Network Address: -
Source Port: -
Suggestions or should I be concerned?
Thanks
Paul P
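
Added example, not part of the original post: a Python sketch that parses the Event 529 description fields shown above and groups repeated failures for one user name into bursts. The timestamps are constructed to match the pattern described in the post (the post gives no times), and the helper names and the 5-minute gap are assumptions.

```python
from datetime import datetime, timedelta

# Event 529 description fields as posted above (subset, values from the post).
SAMPLE_529 = """Logon Failure:
Reason: Unknown user name or bad password
User Name: webmaster
Domain:
Logon Type: 3
Logon Process: Advapi
Workstation Name: OUTER
Source Network Address: -
Source Port: -"""

def parse_529(description):
    """Turn the 'Field: value' lines of an Event 529 description into a dict."""
    fields = {}
    for line in description.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() != "Logon Failure":
            fields[key.strip()] = value.strip()
    return fields

def needs_correlation(fields):
    """True when the record carries no source address, so the remote peer
    has to be looked up in another log (for example the router or VPN log)."""
    return fields.get("Source Network Address", "-") in ("", "-")

def group_bursts(events, max_gap=timedelta(minutes=5)):
    """Group (timestamp, fields) failures per user name into bursts; a new
    burst starts when the gap since the previous failure exceeds max_gap."""
    runs = {}
    for ts, f in sorted(events, key=lambda e: e[0]):
        user_runs = runs.setdefault(f.get("User Name", "").lower(), [])
        if user_runs and ts - user_runs[-1][1] <= max_gap:
            user_runs[-1][1], user_runs[-1][2] = ts, user_runs[-1][2] + 1
        else:
            user_runs.append([ts, ts, 1])
    return [(u, *r) for u, rs in runs.items() for r in rs]

def constructed_timeline():
    """Constructed timestamps (the post gives none): 15 failures inside
    3 minutes, then 8 more two hours later, all with the posted fields."""
    f, t0 = parse_529(SAMPLE_529), datetime(2006, 5, 25, 9, 0, 0)
    return ([(t0 + timedelta(seconds=12 * i), f) for i in range(15)] +
            [(t0 + timedelta(hours=2, seconds=15 * i), f) for i in range(8)])

if __name__ == "__main__":
    for user, first, last, count in group_bursts(constructed_timeline()):
        print(f"{user}: {count} failures, {first:%H:%M:%S} to {last:%H:%M:%S}")
```

Because the posted record has "-" for Source Network Address, `needs_correlation` returns True for it: the burst times are what would be matched against other logs.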