From: Joe#2 on 6 Aug 2010 09:26 This apparently is a hack attempt, correct. I've had 1073 attempts to log in as administrator from what appears to be a site in italy. Here is one entry from the event log. Event Type: Failure Audit Event Source: Security Event Category: Logon/Logoff Event ID: 529 Date: 8/3/2010 Time: 5:23:50 AM User: NT AUTHORITY\SYSTEM Computer: SAMSON Description: Logon Failure: Reason: Unknown user name or bad password User Name: admin Domain: SUNRAY Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: SAMSON Caller User Name: SAMSON$ Caller Domain: SUNRAY Caller Logon ID: (0x0,0x3E7) Caller Process ID: 10072 Transited Services: - Source Network Address: 79.14.254.179 Source Port: 2968 For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
From: Joe#2 on 6 Aug 2010 09:43 I realize I should have deleted the domain info here. Modirator could you either x out that info of just delete the post. "Joe#2" wrote: > This apparently is a hack attempt, correct. I've had 1073 attempts to log in > as administrator from what appears to be a site in italy. Here is one entry > from the event log. > > Event Type: Failure Audit > Event Source: Security > Event Category: Logon/Logoff > Event ID: 529 > Date: 8/3/2010 > Time: 5:23:50 AM > User: NT AUTHORITY\SYSTEM > Computer: SAMSON > Description: > Logon Failure: > Reason: Unknown user name or bad password > User Name: admin > Domain: SUNRAY > Logon Type: 10 > Logon Process: User32 > Authentication Package: Negotiate > Workstation Name: SAMSON > Caller User Name: SAMSON$ > Caller Domain: SUNRAY > Caller Logon ID: (0x0,0x3E7) > Caller Process ID: 10072 > Transited Services: - > Source Network Address: 79.14.254.179 > Source Port: 2968 > > > For more information, see Help and Support Center at > http://go.microsoft.com/fwlink/events.asp. >
From: Jim on 6 Aug 2010 10:41 Errm...no moderators on nntp. Your posted is now archived in Google forever more.... At least it wasn't anything more than a domain name :-) On Fri, 6 Aug 2010 06:43:03 -0700, Joe#2 <Joe2(a)discussions.microsoft.com> wrote: >I realize I should have deleted the domain info here. Modirator could you >either x out that info of just delete the post. > >"Joe#2" wrote: > >> This apparently is a hack attempt, correct. I've had 1073 attempts to log in >> as administrator from what appears to be a site in italy. Here is one entry >> from the event log. >> >> Event Type: Failure Audit >> Event Source: Security >> Event Category: Logon/Logoff >> Event ID: 529 >> Date: 8/3/2010 >> Time: 5:23:50 AM >> User: NT AUTHORITY\SYSTEM >> Computer: SAMSON >> Description: >> Logon Failure: >> Reason: Unknown user name or bad password >> User Name: admin >> Domain: SUNRAY >> Logon Type: 10 >> Logon Process: User32 >> Authentication Package: Negotiate >> Workstation Name: SAMSON >> Caller User Name: SAMSON$ >> Caller Domain: SUNRAY >> Caller Logon ID: (0x0,0x3E7) >> Caller Process ID: 10072 >> Transited Services: - >> Source Network Address: 79.14.254.179 >> Source Port: 2968 >> >> >> For more information, see Help and Support Center at >> http://go.microsoft.com/fwlink/events.asp. >>
From: Colin on 6 Aug 2010 14:23 Hi, Block that source IP address at your firewall, or better still, the entire subnet. Regards Colin. "Joe#2" wrote: > This apparently is a hack attempt, correct. I've had 1073 attempts to log in > as administrator from what appears to be a site in italy. Here is one entry > from the event log. > > Event Type: Failure Audit > Event Source: Security > Event Category: Logon/Logoff > Event ID: 529 > Date: 8/3/2010 > Time: 5:23:50 AM > User: NT AUTHORITY\SYSTEM > Computer: SAMSON > Description: > Logon Failure: > Reason: Unknown user name or bad password > User Name: admin > Domain: SUNRAY > Logon Type: 10 > Logon Process: User32 > Authentication Package: Negotiate > Workstation Name: SAMSON > Caller User Name: SAMSON$ > Caller Domain: SUNRAY > Caller Logon ID: (0x0,0x3E7) > Caller Process ID: 10072 > Transited Services: - > Source Network Address: 79.14.254.179 > Source Port: 2968 > > > For more information, see Help and Support Center at > http://go.microsoft.com/fwlink/events.asp. >
From: Joe#2 on 6 Aug 2010 22:19 Bummer on google. Oh sigh! Yes that port will be blocked tonight. Thanks for input. "Colin" wrote: > Hi, > > Block that source IP address at your firewall, or better still, the entire > subnet. > > Regards Colin. > > "Joe#2" wrote: > > > This apparently is a hack attempt, correct. I've had 1073 attempts to log in > > as administrator from what appears to be a site in italy. Here is one entry > > from the event log. > > > > Event Type: Failure Audit > > Event Source: Security > > Event Category: Logon/Logoff > > Event ID: 529 > > Date: 8/3/2010 > > Time: 5:23:50 AM > > User: NT AUTHORITY\SYSTEM > > Computer: SAMSON > > Description: > > Logon Failure: > > Reason: Unknown user name or bad password > > User Name: admin > > Domain: SUNRAY > > Logon Type: 10 > > Logon Process: User32 > > Authentication Package: Negotiate > > Workstation Name: SAMSON > > Caller User Name: SAMSON$ > > Caller Domain: SUNRAY > > Caller Logon ID: (0x0,0x3E7) > > Caller Process ID: 10072 > > Transited Services: - > > Source Network Address: 79.14.254.179 > > Source Port: 2968 > > > > > > For more information, see Help and Support Center at > > http://go.microsoft.com/fwlink/events.asp. > >
|
Pages: 1 Prev: Microsoft Exchange Server reported error 0x8004010F operation fail Next: How to diagnose? |