
Thread: Event Log: Failed Audit

  1. #1
    Tom Guest

    Event Log: Failed Audit

    Win2K3 SP1 SBS

    I am seeing several (!) Failed Audits in my Security Event Log. Most of
    them look like this:
    Logon failure:
    Reason: Unknown user name or bad password
    Username: Administrator
    Domain: MyIntranetDomainName
    Logon Type: 8
    Logon Process: IIS
    Authentication Package: Microsoft Authentication Package v1.0
    Workstation Name: MyServerWorkstation
    Caller Username: MyServerWorkstation$ [Note: $ at the end]
    Caller Domain: MyIntranetDomainName
    Caller LogonID: (0x0, 0x3E7)
    Caller ProcessID: 1276
    Transited Services: -
    Source Network address: -
    Source Port -

    Can someone explain what this means? If we're receiving attempts to access
    our system, what countermeasures should we take? We are up to date on ALL
    (including THE most recent) MS updates and we have a very long complex
    password.
    TIA

  2. #2
    Dave Patrick Guest

    Re: Event Log: Failed Audit

    These articles may help.

    http://support.microsoft.com/default...b;en-us;287537
    http://support.microsoft.com/default...b;en-us;326985

    --

    Regards,

    Dave Patrick ....Please no email replies - reply in newsgroup.
    Microsoft Certified Professional
    Microsoft MVP [Windows]
    http://www.microsoft.com/protect



  3. #3
    Kevin D. Goodknecht Sr. [MVP] Guest

    Re: Event Log: Failed Audit

    Tom wrote:
    > Win2K3 SP1 SBS
    >
    > I am seeing several (!) Failed Audits in my Security Event Log. Most
    > of them look like this:
    > Logon failure:
    > Reason: Unknown user name or bad password
    > Username: Administrator
    > Domain: MyIntranetDomainName
    > Logon Type: 8
    > Logon Process: IIS
    > Authentication Package: Microsoft Authentication Package v1.0
    > Workstation Name: MyServerWorkstation
    > Caller Username: MyServerWorkstation$ [Note: $ at the end]
    > Caller Domain: MyIntranetDomainName
    > Caller LogonID: (0x0, 0x3E7)
    > Caller ProcessID: 1276
    > Transited Services: -
    > Source Network address: -
    > Source Port -
    >
    > Can someone explain what this means? If we're receiving attempts to
    > access our system what counter measures should we take? We are up to
    > date on ALL (including THE most recent) MS updates and we have a very
    > long complex password.
    > TIA


    This is likely someone trying to gain access to the FTP server by trying to
    guess the username and password; in this case it is the built-in Administrator.
    A check of the FTP server's logfiles will verify this.


    --
    Best regards,
    Kevin D. Goodknecht Sr. [MVP]
    Hope This Helps
    ===================================
    When responding to posts, please "Reply to Group"
    via your newsreader so that others may learn and
    benefit from your issue, to respond directly to
    me remove the nospam. from my email address.
    ===================================
    http://www.lonestaramerica.com/
    http://support.wftx.us/
    http://message.wftx.us/
    ===================================
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    http://home.in.tum.de/~jain/software/oe-quotefix/
    ===================================
    Keep a back up of your OE settings and folders
    with OEBackup:
    http://www.oehelp.com/OEBackup/Default.aspx
    ===================================
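
The event quoted above shows no source network address, so the FTP log is where the client IP behind each failure can be found. The sketch below is an added example, not part of the original thread: it counts failed FTP logons per client and user name, assuming the site logs in W3C extended format with the fields named in the `#Fields` line; the sample lines are constructed and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample; field layout is an assumption taken from its #Fields line.
# Addresses are from documentation ranges.
SAMPLE_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status sc-win32-status
02:14:07 203.0.113.45 [11]USER Administrator 331 0
02:14:07 203.0.113.45 [11]PASS - 530 1326
02:14:09 203.0.113.45 [12]USER Administrator 331 0
02:14:09 203.0.113.45 [12]PASS - 530 1326
02:15:30 192.0.2.10 [13]USER backup 331 0
02:15:31 192.0.2.10 [13]PASS - 230 0
02:16:02 203.0.113.45 [14]USER administrator 331 0
02:16:02 203.0.113.45 [14]PASS - 530 1326
"""

METHOD = re.compile(r"^\[(\d+)\](\w+)$")  # "[11]USER" -> session 11, verb USER

def failed_ftp_logons(log_text):
    """Count FTP logon failures (PASS answered with 530) per (client IP, user)."""
    fields, pending, failures = [], {}, Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order can change mid-file
            continue
        parts = line.split()
        if line.startswith("#") or not fields or len(parts) != len(fields):
            continue                       # directive, blank or malformed record
        rec = dict(zip(fields, parts))
        m = METHOD.match(rec.get("cs-method", ""))
        if not m:
            continue
        ip, verb = rec.get("c-ip", "-"), m.group(2).upper()
        session = (ip, m.group(1))
        if verb == "USER":
            # Remember the name offered in this session; Windows names ignore case.
            pending[session] = rec.get("cs-uri-stem", "-").lower()
        elif verb == "PASS":
            user = pending.pop(session, "?")
            if rec.get("sc-status") == "530":  # 530 = not logged in
                failures[(ip, user)] += 1
    return failures

def noisy_sources(failures, threshold=3):
    """Client IPs whose total failed logons reach the threshold."""
    per_ip = Counter()
    for (ip, _user), n in failures.items():
        per_ip[ip] += n
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)
```

Timestamps of the 530 replies can then be lined up against the Failed Audit entries to confirm that the FTP service is the source of the events.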



  4. #4
    mrecomm101 Guest

    Re: Event Log: Failed Audit

    Kevin,

    I am experiencing the same issue. To troubleshoot, I stopped every website
    and every FTP site within my IIS (6.0) -- and I'm still getting the failed
    logon attempts. How can they be achieving this when all sites are stopped,
    including AppPools?


  5. #5
    mrecomm101 Guest

    Re: Event Log: Failed Audit

    Sorry Kevin, it was a backlog of email notifications that was occurring. Still
    curious as to getting a straightforward answer on how to stop these types of
    attacks.


  6. #6
    mrecomm101 Guest

    Re: Event Log: Failed Audit

    Kevin,

    I found my security hole. All my FTP sites are "denied Access except these
    IPs...", except for one that was set to default "grant access to all". That
    was the one being attacked.

    Hope this helps others. Thanks!

