Computer Security - Multiple Logon failures in the event log

#1
Hi,
I have a DC on my network that is not mapped to the outside network. It (my server) can browse the web via port 80 or 443 but according to my sys engineer no one should be able to attach to it directly from the internet (and BTW, I only browse to support sites and do not use this feature often).

This office recently moved to a new location and my server went with them. Since then I have been intermittently flooded with logon failures from almost every account on my domain from unknown machines with IP's on the Internet. The admin accounts appear to have been targeted more than others.

I have done a spyware scan on my DC and it came up clean. I just upgraded my virus software to the latest version and scan came up clean as well.

Could anyone point me in the direction to troubleshoot what is causing this?

Thanks in advance.

Apt Sa

#2

"Apt Sa" <> wrote in message news:...

> Hi,
> I have a DC on my network that is not mapped to the outside network. It (my
> server) can browse the web via port 80 or 443 but according to my sys
> engineer no one should be able to attach to it directly from the internet
> (and BTW, I only browse to support sites and do not use this feature often).
> This office recently moved to a new location and my server went with them.
> Since then I have been intermittently flooded with logon failures from
> almost every account on my domain from unknown machines with IP's on the
> Internet. The admin accounts appear to have been targeted more than others.
> I have done a spyware scan on my DC and it came up clean. I just upgraded
> my virus software to the latest version and scan came up clean as well.
> Could anyone point me in the direction to troubleshoot what is causing this?
> Thanks in advance.

It sounds like your server now has an external IP address when it had an internal IP address before. In other words, it is positioned differently now, for example, it is between the modem and the router instead of behind the router. If it were behind the router it would have an internal IP (RFC 1700). I don't think it has anything to do w/ spyware or viruses.

donnie.

Donnie

#3

On Tue, 06 Dec 2005 in the Usenet newsgroup alt.computer.security, in article <2E4lf.230352$>, Donnie wrote:

>"Apt Sa" <> wrote

>> I have a DC on my network that is not mapped to the outside network.
>> It (my server) can browse the web via port 80 or 443 but according to
>> my sys engineer no one should be able to attach to it directly from
>> the internet (and BTW, I only browse to support sites and do not use
>> this feature often).

http://www.iana.org/assignments/port-numbers

Web browsing (ports 80 and 443) are but two of over 4500 services used on the Internet. Just because the only tool you use is a web browser doesn't mean that's all everyone else uses.

>> This office recently moved to a new location and my server went with
>> them. Since then I have been intermittently flooded with logon failures
>> from almost every account on my domain from unknown machines with IP's
>> on the Internet. The admin accounts appear to have been targeted more
>> than others.

Welcome to the Internet. Why is your firewall allowing access from the world to this server? Such access should be limited to those addresses that need to connect - such as your present location.

>It sounds like your server now has an external IP address when it had an
>internal IP address before. In other words, it is positioned differently
>now,

Agreed

>for example, it is between the modem and the router instead of behind
>the router.

or the whole of the "new" network is public addresses, rather than private. None the less, the actual traffic hasn't been identified by the O/P. It _could_have_ been that the original site had a decent firewall setup, now lacking.

>If it were behind the router it would have an internal IP (RFC 1700).

3232 Assigned Numbers: RFC 1700 is Replaced by an On-line Database. J. Reynolds, Ed.. January 2002. (Format: TXT=3849 bytes) (Obsoletes RFC1700) (Status: INFORMATIONAL)

but actually, you mean RFC1918. (See also RFC3330)

>I don't think it has anything to do w/ spyware or viruses.

Agreed. It's more a firewall issue to protect an obvious target.

Old guy

Moe Trin
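
An added example, not part of the original thread: one way to triage the situation discussed above is to split failed-logon sources into RFC 1918 private addresses and everything else, then count the external failures per source and per account. The CSV layout, the column names, the function names and every sample row are constructed for illustration; the public addresses come from documentation ranges.

```python
import csv
import io
import ipaddress
from collections import Counter

# The three private address blocks defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    """True if addr lies in one of the RFC 1918 private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

# Constructed sample data (hypothetical export format, not real log output).
SAMPLE_CSV = """time,account,source_ip
2005-12-06T09:14:02,Administrator,203.0.113.45
2005-12-06T09:14:03,Administrator,203.0.113.45
2005-12-06T09:14:05,jsmith,203.0.113.45
2005-12-06T09:15:40,Administrator,198.51.100.7
2005-12-06T09:16:11,backup,198.51.100.7
2005-12-06T10:02:30,jsmith,192.168.1.23
2005-12-06T10:05:12,Administrator,172.32.0.9
"""

def summarize(csv_text):
    """Count failed logons from non-RFC 1918 sources, per source and account."""
    by_source, by_account, internal = Counter(), Counter(), 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        if is_rfc1918(row["source_ip"]):
            internal += 1  # private source: a LAN matter, not Internet exposure
            continue
        by_source[row["source_ip"]] += 1
        by_account[row["account"]] += 1
    return {"internal": internal, "by_source": by_source,
            "by_account": by_account}

if __name__ == "__main__":
    # Constructed address for the DC itself: a public address here would
    # mean the server is no longer behind address translation.
    print("DC on private address:", is_rfc1918("192.168.1.10"))
    result = summarize(SAMPLE_CSV)
    print("failures from private sources:", result["internal"])
    for src, n in result["by_source"].most_common():
        print(f"external source {src}: {n} failures")
    for acct, n in result["by_account"].most_common():
        print(f"account {acct}: {n} external failures")
```

Note that 172.32.0.9 in the sample is counted as external: the RFC 1918 block 172.16.0.0/12 ends at 172.31.255.255.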