Steve
Hi,
Lately, we're getting a flurry of Failure Audit events in our Security log
on our Win2K web server.
Examples:

Logon Failure:
Reason: Unknown user name or bad password
User Name: leecht
Domain: IPDAEW0061MIA
Logon Type: 2
Logon Process: IIS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: IPDAEW0061MIA

EVENT # 9005
EVENT LOG Security
EVENT TYPE Audit Failure
SOURCE Security
CATEGORY Account Logon
EVENT ID 681
USERNAME NT AUTHORITY\SYSTEM
COMPUTERNAME IPDAEW0061MIA
TIME 12/19/2003 11:34:21 AM
MESSAGE The logon to account: anyone
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: IPDAEW0061MIA
failed. The error code was: 3221225572

EVENT # 10043
EVENT LOG Security
EVENT TYPE Audit Failure
SOURCE Security
CATEGORY Account Logon
EVENT ID 681
USERNAME NT AUTHORITY\SYSTEM
COMPUTERNAME IPDAEW0061MIA
TIME 12/19/2003 11:38:35 AM
MESSAGE The logon to account: pwrchute
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: IPDAEW0061MIA
failed. The error code was: 3221225572
We don't have accounts pwrchute or leecht and I'm basically the only person
with access to the server (outside of a network administrator at the hosting
site).
1) Are these hacker attempts (they seem to be because there are a ton of
them all of a sudden)?
2) Is there any way to block these attempts (we have a hardware firewall
supposedly)?
3) Is it possible to tell what method they're using to try and access our
server (e.g., terminal services? FTP? other?)
Thanks!
Steve
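
Added example, not part of the original post: a small Python triage script for exported event 681 messages like the ones above. It decodes the decimal error code into its NTSTATUS name (3221225572 is 0xC0000064, STATUS_NO_SUCH_USER) and separates guessed, nonexistent account names from failures against accounts that do exist. The first two sample messages are copied from the post; the third, including the account name webadmin, is constructed for contrast.

```python
import re
from collections import Counter

# Event 681 prints the NTSTATUS value as an unsigned decimal number.
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

EVENT_681 = re.compile(
    r"The logon to account:\s*(?P<account>\S+)\s+by:\s*\S+\s+"
    r"from workstation:\s*(?P<workstation>\S+)\s+"
    r"failed\. The error code was:\s*(?P<code>\d+)"
)

# First two messages come from the post; the third is constructed.
SAMPLE = """\
MESSAGE The logon to account: anyone
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: IPDAEW0061MIA
failed. The error code was: 3221225572
MESSAGE The logon to account: pwrchute
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: IPDAEW0061MIA
failed. The error code was: 3221225572
MESSAGE The logon to account: webadmin
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: IPDAEW0061MIA
failed. The error code was: 3221225578
"""

def parse_681(text):
    """Return one dict per event 681 message found in an exported log dump."""
    events = []
    for m in EVENT_681.finditer(text):
        code = int(m["code"])
        events.append({"account": m["account"], "workstation": m["workstation"],
                       "code_hex": f"0x{code:08X}",
                       "status": NTSTATUS.get(code, "UNKNOWN")})
    return events

def triage(events):
    """Count failures per account: nonexistent names vs. wrong passwords."""
    guessed = Counter(e["account"] for e in events if e["status"] == "STATUS_NO_SUCH_USER")
    real = Counter(e["account"] for e in events if e["status"] == "STATUS_WRONG_PASSWORD")
    return guessed, real

if __name__ == "__main__":
    guessed, real = triage(parse_681(SAMPLE))
    print("nonexistent names:", dict(guessed), "| wrong password:", dict(real))
```

A workstation field that equals the server's own name, together with "Logon Process: IIS" in the accompanying logon failure event, indicates the credentials were submitted through the web server itself, so the IIS access log for the same timestamps is the place to look for the client address.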