Forum Newbie
Group: Forum Members
Last Login: 1/1/2012 9:14:03 PM
Posts: 3, Visits: 3
Server 2008 R2, over 7000 NULL SID Event ID 4625s in the last 3 days, none before that, with source IPs in Greece, France, Switzerland, Croatia, Chicago picked at random from the log. Using ports in the 55,000s, some below port 5000. Account names range from Administrator to BESAdmin to user5 etc. No BESAdmin or user5 around these parts. Kinda creepy, how concerned should I be?
Thanks
An account failed to log on.
Subject:
    Security ID: SYSTEM
    Account Name: SERVER1$
    Account Domain: MYDOMAIN
    Logon ID: 0x3e7
    Logon Type: 10
Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: BESAdmin
    Account Domain: SERVER1
Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006d
    Sub Status: 0xc0000064
Process Information:
    Caller Process ID: 0x12f0
    Caller Process Name: C:\Windows\System32\winlogon.exe
Network Information:
    Workstation Name: SERVER1
    Source Network Address: 94.230.215.228
    Source Port: 53535

An account failed to log on.
Subject:
    Security ID: SYSTEM
    Account Name: SERVER1$
    Account Domain: MYDOMAIN
    Logon ID: 0x3e7
    Logon Type: 10
Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: admin2
    Account Domain: SERVER1
Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006d
    Sub Status: 0xc0000064
Process Information:
    Caller Process ID: 0xa00
    Caller Process Name: C:\Windows\System32\winlogon.exe
Network Information:
    Workstation Name: SERVER1
    Source Network Address: 79.247.123.109
    Source Port: 49348
Detailed Authentication Information:
    Logon Process: User32
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

An account failed to log on.
Subject:
    Security ID: SYSTEM
    Account Name: SERVER1$
    Account Domain: MYDOMAIN
    Logon ID: 0x3e7
    Logon Type: 10
Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: user5
    Account Domain: SERVER1
Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006d
    Sub Status: 0xc0000064
Process Information:
    Caller Process ID: 0x860
    Caller Process Name: C:\Windows\System32\winlogon.exe
Network Information:
    Workstation Name: SERVER1
    Source Network Address: 188.129.87.175
    Source Port: 60163
Detailed Authentication Information:
    Logon Process: User32
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0
Genius
Group: Forum Members
Last Login: 12/22/2011 4:55:21 PM
Posts: 12, Visits: 3
Hi
Check for a virus/trojan on the server.
Regards
Forum Newbie
Group: Forum Members
Last Login: 1/1/2012 9:14:03 PM
Posts: 3, Visits: 3
I ran Symantec Endpoint Protection Small Business Edition, updated today, and all it found was 1 tracking cookie.
Expert
Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 326, Visits: 0
Most likely an automated attack brute forcing its way through IPs, ports, user names and passwords. Without knowing more about your server and network it's difficult to offer more. What's open on your server to the Internet?
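To put numbers behind the diagnosis above, here is an added triage script (not from the thread or any of its posters) that parses 4625 event bodies in the layout quoted in the question, reads Logon Type, Sub Status and Source Network Address, and flags the pattern those records show: RemoteInteractive (type 10) failures against accounts that do not exist (Sub Status 0xc0000064), spread across several source addresses. The sample events and the RFC 5737 documentation addresses in it are constructed; the threshold of three distinct sources is an assumed tuning value.

```python
import re
from collections import Counter, defaultdict

# Documented 4625 Sub Status values; 0xc0000064 is the one in every record quoted in the thread.
SUBSTATUS = {"0xc0000064": "user name does not exist", "0xc000006a": "wrong password",
             "0xc0000234": "account locked out", "0xc0000072": "account disabled"}
FIELD = re.compile(r"^\s*(Account Name|Logon Type|Sub Status|Source Network Address):\s*(.+?)\s*$", re.M)

def parse_4625(text):
    """Split a text dump of 4625 bodies into dicts. 'Account Name' appears twice per
    event (Subject, then the account that failed); the failed account is the second one."""
    events = []
    for body in re.split(r"(?=An account failed to log on\.)", text):
        if "failed to log on" not in body:
            continue
        fields = defaultdict(list)
        for key, value in FIELD.findall(body):
            fields[key].append(value)
        events.append({"account": fields["Account Name"][-1],
                       "logon_type": int(fields["Logon Type"][0]),
                       "substatus": fields["Sub Status"][0].lower(),
                       "reason": SUBSTATUS.get(fields["Sub Status"][0].lower(), "other"),
                       "src_ip": fields["Source Network Address"][0]})
    return events

def summarize(events, min_sources=3):
    """Logon type 10 is RemoteInteractive (RDP). Type-10 failures against accounts that do not
    exist, arriving from several distinct source addresses, is the password-guessing pattern."""
    rdp = [e for e in events if e["logon_type"] == 10]
    unknown = [e for e in rdp if e["substatus"] == "0xc0000064"]
    sources = {e["src_ip"] for e in rdp}
    return {"total": len(events), "rdp_failures": len(rdp), "unknown_user": len(unknown),
            "by_ip": Counter(e["src_ip"] for e in rdp), "by_account": Counter(e["account"] for e in rdp),
            "suspect_rdp_guessing": len(sources) >= min_sources and len(unknown) > 0}

def _event(account, ip, substatus, logon_type=10):
    # Constructed 4625 body in the Security-log layout, trimmed to the fields the parser reads.
    return (f"An account failed to log on.\nSubject:\n\tSecurity ID: SYSTEM\n\tAccount Name: SERVER1$\n"
            f"\tLogon Type: {logon_type}\nAccount For Which Logon Failed:\n\tSecurity ID: NULL SID\n"
            f"\tAccount Name: {account}\nFailure Information:\n\tStatus: 0xc000006d\n"
            f"\tSub Status: {substatus}\nNetwork Information:\n\tSource Network Address: {ip}\n")

# Constructed sample: RFC 5737 documentation addresses stand in for the external IPs in the thread.
SAMPLE = "".join([_event("BESAdmin", "198.51.100.7", "0xc0000064"),
                  _event("admin2", "203.0.113.45", "0xc0000064"),
                  _event("user5", "192.0.2.88", "0xc0000064"),
                  _event("Administrator", "203.0.113.45", "0xc000006a"),  # account exists, wrong password
                  _event("jsmith", "10.0.0.5", "0xc000006a", logon_type=3)])  # LAN user typo, not RDP

if __name__ == "__main__":
    s = summarize(parse_4625(SAMPLE))
    print(f"{s['rdp_failures']} RDP failures from {len(s['by_ip'])} addresses, "
          f"{s['unknown_user']} against nonexistent accounts; suspect guessing: {s['suspect_rdp_guessing']}")
```

On a live box the same parser can be fed the output of exporting Security log 4625 events as text; the by_ip and by_account counters are what to compare against the firewall and account lists when deciding whether RDP needs to stay exposed.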