Logon failure: Hacker attack?

Status
Not open for further replies.

saida

Technical User
Jan 11, 2005
Hi, I'm getting this event 4183 in the application log, generated by MSExchangeIMC:

Authentication attempt (AUTH LOGIN) from 211.158.68.216 as \asdf (or 4444444, or 333333, etc) failed: LogonUser() call failed with error: Logon failure: unknown user name or bad password.

It looks like this IP tried more than two hundred times yesterday to log on. Can someone suggest what I should do about this? I feel unprotected.
 
Hi, I get:

Authentication attempt (AUTH LOGIN) from 211.158.32.68 as N/A\webmaster failed: LogonUser() call failed with error: Logon failure: unknown user name or bad password. Also from 211.158.71.45 and a few other IPs.

Usually late at night or at the weekend. I've checked out the machines at these addresses and believe they are nothing but zombie machines but have reported them anyway.

Basically, someone is trying to hack into your network using the remote access services using an automated hacking tool.

Do you use RAS? If not, don't worry; if you do, then:

Think about your user names: are they easy to guess? Like Frank, Sally, Sue? If so, consider changing them to Frank.Jones or FJones or something.

Passwords. Make sure all your users that use RAS have strong passwords, NOT MARCH01, MARCH05 or Frank001, and make sure you make them change their password.

Users. Is it the same guy? I doubt it, but it will probably be the same sort of attack. Make sure your admin-level accounts are NOT admin, webmaster, support etc.; if they are, consider changing them (remember to make a note of any services being used).

PATCH PATCH PATCH. Run the MS Security analyser and make sure you are tight on any external facing machine.

Apart from that, there really isn't anything proactive that you can do. I currently have my firewalls just completely ignore any traffic from these addresses: no response, no nothing, the packets are just dropped.

Iain
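
One way to triage the event 4183 messages quoted in this thread, as an added example that is not part of the original posts: it counts failed AUTH LOGIN attempts per source IP and per enclosing /16, since the sources reported above share a prefix. The function names, the threshold of 5 and the sample messages are assumptions; the sample uses documentation address ranges and is constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Message layout follows the event 4183 text quoted in the thread.
AUTH_FAIL = re.compile(
    r"Authentication attempt \(AUTH LOGIN\) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"as (?P<account>\S+) failed: LogonUser\(\) call failed")

def parse_failure(message):
    """Return (source_ip, user) for a failed AUTH LOGIN message, else None."""
    m = AUTH_FAIL.search(message)
    if not m:
        return None
    try:
        ip = ipaddress.IPv4Address(m.group("ip"))
    except ValueError:  # matches the pattern but is not an address, e.g. 999.1.1.1
        return None
    # Logged as DOMAIN\user; keep the user part so one name counts once.
    return ip, m.group("account").rsplit("\\", 1)[-1].lower()

def summarize(messages, min_failures=5, prefix=16):
    """Count failures per source IP and per enclosing network; return those >= min_failures."""
    per_ip = defaultdict(lambda: {"failures": 0, "accounts": set()})
    per_net = defaultdict(int)
    for msg in messages:
        parsed = parse_failure(msg)
        if parsed is None:
            continue
        ip, account = parsed
        per_ip[str(ip)]["failures"] += 1
        per_ip[str(ip)]["accounts"].add(account)
        per_net[str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))] += 1
    noisy_ips = {ip: s for ip, s in per_ip.items() if s["failures"] >= min_failures}
    noisy_nets = {net: n for net, n in per_net.items() if n >= min_failures}
    return noisy_ips, noisy_nets

# Constructed sample messages using documentation address ranges, not the thread's data.
FMT = ("Authentication attempt (AUTH LOGIN) from {} as {} failed: LogonUser() call failed "
       "with error: Logon failure: unknown user name or bad password.")
SAMPLE = (
    [FMT.format("198.51.100.7", "\\" + u) for u in ("asdf", "4444444", "333333", "admin", "asdf")]
    + [FMT.format("198.51.100.90", "N/A\\webmaster")] * 2
    + [FMT.format("203.0.113.5", "CORP\\frank"), "Unrelated application log entry"]
)

if __name__ == "__main__":
    ips, nets = summarize(SAMPLE)
    print({ip: (s["failures"], sorted(s["accounts"])) for ip, s in ips.items()}, nets)
```

In the sample, 198.51.100.90 stays under the per-address threshold, but the /16 total still surfaces the range it belongs to, which is the case where several addresses in one block each make a few attempts.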
 
Thank you Iain,
I don't use RAS, but I'll make some changes anyhow. Just reconfigured the firewall and I'm running the Security Analyser. Very helpful, thank you.
 