The Event Viewer for my Windows Server 2003 machine is flooded with these 540 login attempts from IP addresses in foreign countries. It looks like somebody is trying to access my machine - what sort of logon attempt could this be?

Is there anything I can do besides blocking the subnet with my hardware firewall?

Successful Network Logon:
User Name:  
Domain:     
Logon ID:       (0x0,0xAFB92F)
Logon Type: 3
Logon Process:  NtLmSsp 
Authentication Package: NTLM
Workstation Name:   MATE-5BAD844B02
Logon GUID: -
Caller User Name:   -
Caller Domain:  -
Caller Logon ID:    -
Caller Process ID: -
Transited Services: -
Source Network Address: 84.2.197.145
Source Port:    0
Ben Pilbrow
user66827
  • These can indeed be logon attempts. My next question is do you have this server firewalled? – GregD Apr 06 '11 at 15:34
  • Yes, I am running a hardware firewall and just started adding the offending subnets to an ACL. Is that the best way to handle this? – user66827 Apr 06 '11 at 15:36
  • Are you allowing remote desktop from the internet? – GregD Apr 06 '11 at 15:37
  • RDP is restricted to our office only, everything else on 3389 is blocked. – user66827 Apr 06 '11 at 15:39
  • What ports do you have open? Whether you can block this depends on the purpose of the server, but you should be blocking all ports coming in from the net, then allowing only specific, necessary ones (so that you know where to look when this happens). Ports to look at are all of the Microsoft services: 445, 135, 389 if it's a DC, 1433 if it's a MSSQL server, etc. Blocking the subnet is pointless, as a majority of automated attacks come from botnets with nodes all over the world. – Shane Madden Apr 06 '11 at 15:51

1 Answer

Event ID 540 for Logon Type 3 is a successful network logon. Do you have IIS installed on the server running a publicly accessible web site? If so, that's the most likely source of the logons.

joeqwerty
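The comments and the answer both come down to the same triage step: work out which source addresses and accounts are behind the 540 events, then compare them against the networks you actually expect (the office RDP range, whatever IIS clients are legitimate) and the ports you have exposed. The script below is an added example, not code from the question or the answer: it parses the text form of the Event ID 540 record exactly as it was posted above (as saved from Event Viewer), keeps only Logon Type 3 events, and counts them per source address, user name and authentication package, split into trusted and untrusted sources. The sample events, the trusted network ranges (192.168.10.0/24 and 10.0.0.0/8) and the OFFICE-PC01 / jsmith entries are constructed for the example; the only real values are the ones from the posted event.

```python
"""Triage Windows Server 2003 Event ID 540 (successful network logon) records.

Added example: parse the text export of 540 events, keep Logon Type 3,
and count logons per (source address, user, auth package), separating
sources inside trusted networks from everything else.
"""
import ipaddress
import re
from collections import Counter

# Assumed office / VPN ranges; replace with your own.
TRUSTED_NETWORKS = ["192.168.10.0/24", "10.0.0.0/8"]

# Layout copied from the event posted in the question; the user, domain,
# workstation and source fields are filled per constructed sample event.
EVENT_TEMPLATE = """\
Successful Network Logon:
User Name:  {user}
Domain:     {domain}
Logon ID:       (0x0,{logon_id})
Logon Type: 3
Logon Process:  NtLmSsp
Authentication Package: NTLM
Workstation Name:   {ws}
Logon GUID: -
Caller User Name:   -
Caller Domain:  -
Caller Logon ID:    -
Caller Process ID: -
Transited Services: -
Source Network Address: {src}
Source Port:    0
"""

# Constructed sample log: the posted event twice (blank user, foreign
# source) plus one named-user logon from the assumed office LAN.
SAMPLE_LOG = "\n".join(EVENT_TEMPLATE.format(**e) for e in [
    dict(user="", domain="", logon_id="0xAFB92F", ws="MATE-5BAD844B02", src="84.2.197.145"),
    dict(user="", domain="", logon_id="0xAFB9A1", ws="MATE-5BAD844B02", src="84.2.197.145"),
    dict(user="jsmith", domain="OFFICE", logon_id="0xAFBA10", ws="OFFICE-PC01", src="192.168.10.25"),
])

EVENT_HEADER = "Successful Network Logon:"
# "Field Name:   value" lines; the field name is letters and spaces only.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")


def parse_events(text):
    """Split a text export into one dict per 540 event, keyed by field name."""
    events = []
    current = None
    for line in text.splitlines():
        if line.strip() == EVENT_HEADER:
            current = {}
            events.append(current)
            continue
        m = FIELD_RE.match(line)
        if current is not None and m:
            current[m.group(1)] = m.group(2)
    return events


def triage(events, trusted_networks):
    """Count Logon Type 3 events per (source, user, auth package).

    Returns (untrusted, trusted) Counters. Events whose source is not a
    valid IP address (blank or '-', i.e. local logons) are skipped.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    untrusted, trusted = Counter(), Counter()
    for ev in events:
        if ev.get("Logon Type") != "3":
            continue
        src = ev.get("Source Network Address", "")
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue
        bucket = trusted if any(addr in n for n in nets) else untrusted
        key = (src, ev.get("User Name") or "<blank>", ev.get("Authentication Package", "?"))
        bucket[key] += 1
    return untrusted, trusted


def report(counter):
    """Render one line per (source, user, package), busiest source first."""
    return [f"{n:4d}  {src:<15}  user={user:<12}  package={pkg}"
            for (src, user, pkg), n in counter.most_common()]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    bad, ok = triage(evs, TRUSTED_NETWORKS)
    print(f"{len(evs)} events parsed; {sum(ok.values())} from trusted networks")
    print("Logon Type 3 from outside trusted networks:")
    for line in report(bad):
        print(line)
```

A blank user name with NTLM over NtLmSsp from an unexpected address is the combination worth chasing first; once the offending sources are listed, the next check is which of the exposed ports (445, 135, 389, 1433 as the comment above lists them) they are reaching, since that, not the source subnet, is what the firewall rule should close.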