Multiple Logon failures in the event log

Discussion in 'Computer Security' started by Apt Sa, Dec 5, 2005.

  1. Apt Sa

    Apt Sa Guest

    Hi,
    I have a DC on my network that is not mapped to the outside network. It (my
    server) can browse the web via port 80 or 443 but according to my sys
    engineer no one should be able to attach to it directly from the internet
    (and BTW, I only browse to support sites and do not use this feature often).
    This office recently moved to a new location and my server went with them.
    Since then I have been intermittently flooded with logon failures from
    almost every account on my domain from unknown machines with IP's on the
    Internet. The admin accounts appear to have been targeted more than others.
    I have done a spyware scan on my DC and it came up clean. I just upgraded
    my virus software to the latest version and scan came up clean as well.
    Could anyone point me in the direction to troubleshoot what is causing this?
    Thanks in advance.
    Apt Sa, Dec 5, 2005
    #1

  2. Donnie

    Donnie Guest

    "Apt Sa" <> wrote in message
    news:...
    > Hi,
    > I have a DC on my network that is not mapped to the outside network. It (my
    > server) can browse the web via port 80 or 443 but according to my sys
    > engineer no one should be able to attach to it directly from the internet
    > (and BTW, I only browse to support sites and do not use this feature often).
    > This office recently moved to a new location and my server went with them.
    > Since then I have been intermittently flooded with logon failures from
    > almost every account on my domain from unknown machines with IPs on the
    > Internet. The admin accounts appear to have been targeted more than others.
    > I have done a spyware scan on my DC and it came up clean. I just upgraded
    > my virus software to the latest version and scan came up clean as well.
    > Could anyone point me in the direction to troubleshoot what is causing this?
    > Thanks in advance.
    >

    ##################################
    It sounds like your server now has an external IP address when it had an
    internal IP address before. In other words, it is positioned differently
    now, for example, it is between the modem and the router instead of behind
    the router. If it were behind the router it would have an internal IP (RFC
    1700). I didn't think it has anything to do w/ spyware or viruses.
    donnie.
    Donnie, Dec 6, 2005
    #2

  3. Moe Trin

    Moe Trin Guest

    On Tue, 06 Dec 2005 in the Usenet newsgroup alt.computer.security, in article
    <2E4lf.230352$>, Donnie wrote:

    >"Apt Sa" <> wrote


    >> I have a DC on my network that is not mapped to the outside network.
    >> It (my server) can browse the web via port 80 or 443 but according to
    >> my sys engineer no one should be able to attach to it directly from
    >> the internet (and BTW, I only browse to support sites and do not use
    >> this feature often).


    http://www.iana.org/assignments/port-numbers

    Web browsing (ports 80 and 443) are but two of over 4500 services used
    on the Internet. Just because the only tool you use is a web browser
    doesn't mean that's all everyone else uses.

    >> This office recently moved to a new location and my server went with
    >> them. Since then I have been intermittently flooded with logon failures
    >> from almost every account on my domain from unknown machines with IP's
    >> on the Internet. The admin accounts appear to have been targeted more
    >> than others.


    Welcome to the Internet. Why is your firewall allowing access from the
    world to this server? Such access should be limited to those addresses
    that need to connect - such as your present location.

    >It sounds like your server now has an external IP address when it had an
    >internal IP address before. In other words, it is positioned differently
    >now,


    Agreed

    >for example, it is between the modem and the router instead of behind
    >the router.


    or the whole of the "new" network is public addresses, rather than
    private. Nonetheless, the actual traffic hasn't been identified by
    the O/P. It _could_have_ been that the original site had a decent
    firewall setup, now lacking.

    >If it were behind the router it would have an internal IP (RFC 1700).


    3232 Assigned Numbers: RFC 1700 is Replaced by an On-line Database. J.
    Reynolds, Ed. January 2002. (Format: TXT=3849 bytes) (Obsoletes
    RFC1700) (Status: INFORMATIONAL)

    but actually, you mean RFC1918. (See also RFC3330)

    >I din't think it has anything to do w/ spyware or viruses.


    Agreed. It's more a firewall issue to protect an obvious target.

    Old guy
    Moe Trin, Dec 6, 2005
    #3
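Added example, not code from anyone in this thread: the triage a defender would run on an exported Security log before (and after) tightening the firewall, counting failed-logon events per source, separating RFC 1918 private sources from external ones, and flagging external sources that hammer admin accounts. The sample records, event-id choices and the `ADMIN_ACCOUNTS` set are assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample in the shape of a Security-log CSV export:
# event id, target account, source workstation or IP (made-up values).
# 529 = "logon failure: bad user name or password" on Windows 2003 (the
# O/P's era), 4625 = the same failure on later versions; 528 = success.
SAMPLE_LOG = """\
529,Administrator,203.0.113.45
529,Administrator,203.0.113.45
529,jsmith,203.0.113.45
4625,Administrator,198.51.100.7
529,jsmith,192.168.1.20
529,backup,203.0.113.45
528,jsmith,192.168.1.20
529,Administrator,WORKSTATION01
"""
FAILED_LOGON_IDS = {529, 4625}
ADMIN_ACCOUNTS = {"administrator"}  # assumption: which names count as admin
RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_records(text):
    """Yield (event_id, account, source) from the CSV-like export."""
    for line in text.splitlines():
        if line.strip():
            event_id, account, source = line.split(",", 2)
            yield int(event_id), account.strip(), source.strip()

def classify_source(source):
    """'private' for RFC 1918 space, 'external' for any other IP, 'name' for a workstation name."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return "name"
    return "private" if any(addr in net for net in RFC1918_NETS) else "external"

def summarize_failures(text, threshold=3):
    """Count failed logons per source; flag an external source at or above `threshold`."""
    per_source = Counter()
    accounts = defaultdict(set)
    for event_id, account, source in parse_records(text):
        if event_id in FAILED_LOGON_IDS:
            per_source[source] += 1
            accounts[source].add(account.lower())
    return {
        src: {"failures": n, "kind": classify_source(src),
              "admin_targeted": bool(accounts[src] & ADMIN_ACCOUNTS),
              "suspicious": classify_source(src) == "external" and n >= threshold}
        for src, n in per_source.items()}
```

Any source that comes back as "external" and "suspicious" is exactly the traffic the firewall should never have let reach the DC in the first place.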
