I've come across a couple of bits of information that lead me to believe my network may be under attack. The first is that I have a lot of entries in the security event log on a Windows 2000 server in the DMZ that indicate a failed logon due to an invalid password. They appear to be coming from a machine outside of our network, but I can't confirm that. It appears to be a machine called SBS2K in a domain called MEN2K. The second thing is that there is an entry listed when I do a netstat -a on the server for a connection to microsoft-ds from a machine called SBS2K. I believe that microsoft-ds is the directory service.
The attempt is to log on to an account which our internal proxy server uses to authenticate to this machine in the DMZ.
Any thoughts?