
hackers need answer quick

Posted by Sam Hodo on November 15, 2006, 10:53 am
Hello..
I was just checking the event logs and noticed that I have a lot of system
events

type     date          time          source    category  event  user
warning  today's date  current time  msftpsvc  none      100    n/a

this started at 5:51 am and I am still seeing the event being logged.

The message reads

The server was unable to logon the Windows NT account 'news' due to the
following error: Logon failure: unknown user name or bad password. The data
is the error code.

The accounts that have been tried are
Administrator
Admin
Guest
Test
News

I figure this is a hacker, or a robot program trying to gain access to the
server..

Now my question
How do I stop this..
How do I keep it from happening again..
What should I do..


Thanks for your time...
Sammy



Posted by Danny Sanders on November 15, 2006, 1:12 pm
> following error: Logon failure: unknown user name or bad password.

Sounds like it was stopped.

Sounds like something is looking for access and is getting stopped.

If this is a bot knocking on doors, not sure you can stop it from knocking,
but you can stop it from entering.

hth
DDS

> Hello..
> I was just checking the event logs and noticed that I have a lot of
> system events
>
> type     date          time          source    category  event  user
> warning  today's date  current time  msftpsvc  none      100    n/a
>
> this started at 5:51 am and I am still seeing the event being logged.
>
> The message reads
>
> The server was unable to logon the Windows NT account 'news' due to the
> following error: Logon failure: unknown user name or bad password. The
> data
> is the error code.
>
> The accounts that have been tried are
> Administrator
> Admin
> Guest
> Test
> News
>
> I figure this is a hacker, or a robot program trying to gain access to the
> server..
>
> Now my question
> How do I stop this..
> How do I keep it from happening again..
> What should I do..
>
>
> Thanks for your time...
> Sammy
>
>



Posted by karl levinson, mvp on November 17, 2006, 7:51 am


> If this is a bot knocking on doors, not sure you can stop it from
> knocking, but you can stop it from entering.

I agree. It is not really desirable or possible to prevent these attempts.
Most admins do not try. The main thing you can do is ensure all FTP
accounts have very good passwords, mainly that they are 8 characters or
longer.

If you know all of the IP address ranges of all of the computers that have
legitimate need to be connecting to your FTP server, you could use IPSec
rules or better yet firewall rules to allow only those IP addresses to
access FTP. (If you don't need to provide files via FTP, then you'd want to
disable FTP.)

--
kind regards,
Karl Levinson, CISSP, CCSA, MCSE [MS MVP]
--------------------------------
Microsoft Security FAQ:
http://securityadmin.info
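
As an added example (not part of any post in this thread), this Python script tallies the msftpsvc event 100 messages quoted in the thread, flags a burst of failures spread across several account names, and lists which guessed names are real FTP accounts and therefore need the strong passwords recommended above. The sample records, timestamps, account list and thresholds are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Message wording as quoted in the thread for msftpsvc event 100.
FAILED = re.compile(r"unable to logon the Windows NT account '([^']+)'")

# Constructed sample records: (time, source, event id, message).
TEXT = ("The server was unable to logon the Windows NT account '{}' due to the "
        "following error: Logon failure: unknown user name or bad password.")
SAMPLE = [("2006-11-15 05:51:02", "msftpsvc", 100, TEXT.format("Administrator")),
          ("2006-11-15 05:51:09", "msftpsvc", 100, TEXT.format("Admin")),
          ("2006-11-15 05:51:15", "msftpsvc", 100, TEXT.format("Guest")),
          ("2006-11-15 05:51:21", "msftpsvc", 100, TEXT.format("Test")),
          ("2006-11-15 05:51:30", "msftpsvc", 100, TEXT.format("news")),
          ("2006-11-15 05:52:01", "msftpsvc", 100, TEXT.format("administrator")),
          ("2006-11-15 06:10:00", "W32Time", 36, "unrelated constructed event")]

def failed_logons(records):
    """Return sorted (datetime, lower-cased account) for each FTP logon failure."""
    out = []
    for when, source, event_id, message in records:
        m = FAILED.search(message)
        if source.lower() == "msftpsvc" and event_id == 100 and m:
            stamp = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
            out.append((stamp, m.group(1).lower()))
    return sorted(out)

def looks_like_guessing(failures, window=timedelta(minutes=10), min_accounts=3):
    """True if min_accounts distinct names fail inside one sliding window."""
    start = 0
    for end in range(len(failures)):
        while failures[end][0] - failures[start][0] > window:
            start += 1
        if len({name for _, name in failures[start:end + 1]}) >= min_accounts:
            return True
    return False

def report(records, ftp_accounts):
    """Summarise attempts and list guessed names that are real FTP accounts."""
    failures = failed_logons(records)
    counts = Counter(name for _, name in failures)
    existing = sorted(set(counts) & {a.lower() for a in ftp_accounts})
    return {"attempts": dict(counts), "guessing": looks_like_guessing(failures),
            "existing_targets": existing}

if __name__ == "__main__":
    # Hypothetical list of accounts permitted to use FTP on this server.
    print(report(SAMPLE, ftp_accounts=["Administrator", "ftpupload"]))
```

Names in `existing_targets` are the accounts whose passwords matter most; names that do not exist on the server can never succeed.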



Posted by Roger Abell [MVP] on November 15, 2006, 7:16 pm
I use "rolling" IPsec filters, such as MarchRogues, AprilRogues, etc.
and put their IPs into the current Deny filter. This does not do much
good for pests that frequently change their (DHCP?) IP, but it does
seem to dissuade quite a bit. Periodically I let a group of IPs out of
banishment by unchecking their filter.

Roger

> Hello..
> I was just checking the event logs and noticed that I have a lot of
> system events
>
> type     date          time          source    category  event  user
> warning  today's date  current time  msftpsvc  none      100    n/a
>
> this started at 5:51 am and I am still seeing the event being logged.
>
> The message reads
>
> The server was unable to logon the Windows NT account 'news' due to the
> following error: Logon failure: unknown user name or bad password. The
> data
> is the error code.
>
> The accounts that have been tried are
> Administrator
> Admin
> Guest
> Test
> News
>
> I figure this is a hacker, or a robot program trying to gain access to the
> server..
>
> Now my question
> How do I stop this..
> How do I keep it from happening again..
> What should I do..
>
>
> Thanks for your time...
> Sammy
>
>


