Failure Audits in Event log question

Steve

Hi,

Lately, we're getting a flurry of Failure Audit events in our Security log
on our Win2K web server.

Examples:

Logon Failure:
Reason: Unknown user name or bad password
User Name: leecht
Domain: IPDAEW0061MIA
Logon Type: 2
Logon Process: IIS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: IPDAEW0061MIA


EVENT # 9005
EVENT LOG Security
EVENT TYPE Audit Failure
SOURCE Security
CATEGORY Account Logon
EVENT ID 681
USERNAME NT AUTHORITY\SYSTEM
COMPUTERNAME IPDAEW0061MIA
TIME 12/19/2003 11:34:21 AM
MESSAGE The logon to account: anyone
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: IPDAEW0061MIA
failed. The error code was: 3221225572

EVENT # 10043
EVENT LOG Security
EVENT TYPE Audit Failure
SOURCE Security
CATEGORY Account Logon
EVENT ID 681
USERNAME NT AUTHORITY\SYSTEM
COMPUTERNAME IPDAEW0061MIA
TIME 12/19/2003 11:38:35 AM
MESSAGE The logon to account: pwrchute
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: IPDAEW0061MIA
failed. The error code was: 3221225572

We don't have accounts pwrchute or leecht and I'm basically the only person
with access to the server (outside of a network administrator at the hosting
site).

1) Are these hacker attempts (they seem to be because there are a ton of
them all of a sudden)?

2) Is there any way to block these attempts (we have a hardware firewall
supposedly)?

3) Is it possible to tell what method they're using to try and access our
server (e.g., terminal services? FTP? other?)

Thanks!

Steve
 
Steven L Umbach

This is someone trying to gain access through your web site [IIS logon
process]. The error code was: 3221225572 means that they are using a
nonexistent user account. Either you are not using anonymous access or they are
somehow trying to gain access to files that are not available for anonymous
access. You could try to examine your firewall or possibly IIS logs to
determine what ip address these attempts are coming from by correlating the
times in the security log and then add a firewall rule to block all access
to that/those addresses. If you have not done so, you should consider
running the IIS Lockdown/URL scan tool on your web server AFTER backing up
the server and your IIS configuration. There is also a newsgroup dedicated
to IIS security. --- Steve

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/locktool.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;325864
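
The correlation suggested in the reply above, sketched as an added example that is not part of either post: it decodes the decimal error code from event 681 into its NTSTATUS name and matches each failure time against IIS W3C log entries that returned 401. The IIS log lines, the IP addresses (documentation ranges) and the UTC offset of -5 hours are constructed assumptions; W3C extended logs record UTC by default while the security log shows local time.

```python
import re
from datetime import datetime, timedelta

# Event 681 logs NTSTATUS in decimal; 3221225572 == 0xC0000064
NTSTATUS = {0xC0000064: "STATUS_NO_SUCH_USER", 0xC000006A: "STATUS_WRONG_PASSWORD"}
# Constructed sample: two event 681 records trimmed to the fields used here
SECURITY_DUMP = """\
TIME 12/19/2003 11:34:21 AM
MESSAGE The logon to account: anyone
failed. The error code was: 3221225572

TIME 12/19/2003 11:38:35 AM
MESSAGE The logon to account: pwrchute
failed. The error code was: 3221225572
"""
# Constructed IIS W3C extended log (UTC timestamps, documentation-range IPs)
IIS_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2003-12-19 16:34:21 192.0.2.10 GET /private/ 401
2003-12-19 16:36:02 198.51.100.7 GET /index.htm 200
2003-12-19 16:38:34 192.0.2.10 GET /private/ 401
"""
REC = re.compile(r"TIME (.+?)\s*\nMESSAGE The logon to account: (\S+)[\s\S]*?error code was: (\d+)")

def parse_failures(dump):
    """Return (local_time, account, status_name) for each failed-logon record."""
    return [(datetime.strptime(t, "%m/%d/%Y %I:%M:%S %p"), acct, NTSTATUS.get(int(code), hex(int(code))))
            for t, acct, code in REC.findall(dump)]

def parse_iis(log):
    """Parse W3C lines into dicts keyed by the #Fields header, plus a 'ts' datetime."""
    fields, rows = [], []
    for line in log.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            rows.append(row)
    return rows

def correlate(failures, rows, utc_offset_hours=-5, window_s=5):
    """For each failure, list client IPs that got a 401 within window_s seconds."""
    hits = {}
    for when, account, status in failures:
        utc = when - timedelta(hours=utc_offset_hours)  # security log is local time
        hits[(account, status)] = sorted({r["c-ip"] for r in rows if r["sc-status"] == "401"
                                          and abs((r["ts"] - utc).total_seconds()) <= window_s})
    return hits
```

Addresses that recur across many failures are the candidates for the firewall block rule; an empty list for every failure usually means the time-zone offset or clock skew window is wrong.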
 
