I need help with what certainly appears to be a hacking attempt on a Windows 2003 SBS. The event viewer shows 750 failed logons over a period of approximately a minute and a half. All the User Names are different but other than that they are identical. Here's a copy of one of the event viewer security log entries:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 12/20/2006
Time: 12:49:13 PM
User: NT AUTHORITY\SYSTEM
Computer: SBSSERVERNAME
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: claudia
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SBSSERVERNAME
Caller User Name: SBSSERVERNAME$
Caller Domain: OURDOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 2084
Transited Services: -
Source Network Address: -
Source Port: -
I have changed the server name and domain name for the obvious reasons. I am way over my head on this. Can anyone point me in the right direction? Does the logon process, the authentication package, the caller logon id or caller process id help to identify how or where they were attempting to get in? I can't find any log file entries that coincide with the time of the attack. Ideally I would like to identify the IP address of the originator. Any assistance would be greatly appreciated.
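As an added example (not from the original post or any reply), here is a small Python script that parses entries in the exported event-viewer layout shown above, groups the 529 failures by Logon Process and Caller Process ID, and flags any group in which several distinct user names fail inside a short window. The entries it runs on are constructed; since Source Network Address is "-" in these events, the report shows that no client IP is available from the event itself and leaves the caller PID as the lead to chase on the server.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the exported layout from the post: user names, times,
# PIDs and the single 12:40 entry with a source IP are all made up.
ENTRIES = [("12:49:13 PM", "claudia", "Advapi", "2084", "-"),
           ("12:49:14 PM", "maria", "Advapi", "2084", "-"),
           ("12:49:15 PM", "admin", "Advapi", "2084", "-"),
           ("12:40:02 PM", "jsmith", "NtLmSsp", "-", "192.168.1.50")]
SAMPLE = "\n\n".join(
    f"Event ID: 529\nDate: 12/20/2006\nTime: {t}\nUser Name: {u}\n"
    f"Logon Process: {p}\nCaller Process ID: {pid}\nSource Network Address: {ip}"
    for t, u, p, pid, ip in ENTRIES)

FIELD = re.compile(r"^([A-Za-z ]+):\s*(.*)$")

def parse_events(text):
    """Split exported event text on blank lines into one dict per event."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        ev = {}
        for line in chunk.splitlines():
            m = FIELD.match(line.strip())
            if m:
                ev[m.group(1)] = m.group(2).strip()
        ev["when"] = datetime.strptime(
            ev["Date"] + " " + ev["Time"], "%m/%d/%Y %I:%M:%S %p")
        events.append(ev)
    return events

def find_bursts(events, window=timedelta(seconds=90), min_users=3):
    """Report (Logon Process, Caller PID) groups where min_users distinct names
    fail within one window. '-' as Source Network Address means the event has
    no client IP, so the caller PID is what to inspect on the server."""
    groups = defaultdict(list)
    for ev in events:
        if ev.get("Event ID") == "529":
            groups[(ev["Logon Process"], ev["Caller Process ID"])].append(ev)
    bursts = {}
    for key, evs in groups.items():
        evs.sort(key=lambda e: e["when"])
        for i, first in enumerate(evs):
            inside = [e for e in evs[i:] if e["when"] - first["when"] <= window]
            users = {e["User Name"] for e in inside}
            if len(users) >= min_users:
                ips = {e["Source Network Address"] for e in inside} - {"-"}
                bursts[key] = {"users": len(users), "source_ips": sorted(ips)}
                break
    return bursts
```

Run `find_bursts(parse_events(open("exported.txt").read()))` on a real export from the Security log to get the same report for the full 750-event burst.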