
Someone trying to gain illegal access


  • Someone trying to gain illegal access

    Hello everyone,

    For a few days I have been getting this entry in my server log files; only the user name changes. Is there a tool to discover who is illegally trying to access our server?

    Security 529 2/8/2008 6:13 AM 1
    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: hacker
    Domain:
    Logon Type: 3
    Logon Process: Advapi
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name: AC-SVR01
    Caller User Name: AC-SVR01$
    Caller Domain: Our Domainname <<(this entry I changed)
    Caller Logon ID: (0x0,0x3E7)
    Caller Process ID: 1816
    Transited Services: -
    Source Network Address: -
    Source Port: -


    With best regards,

    Victor

  • #2
    Re: Someone trying to gain illegal access

    The only way to find out is to point a video camera at that workstation... is it the same one every time? Who has access to the building/workstation at that time?

    No "tool" can identify the human being who is sitting at a desk...


    Tom
    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you



    • #3
      Re: Someone trying to gain illegal access

      Is AC-SVR01 an actual server? If so, can someone get physical access to it?

      Regardless, I'd check the logs on it, see if anyone's attempting to remote into it, or is using a separate remote tool to get GUI access, and is attempting to login with a domain login.

      To clarify, I'm thinking that someone may be using a VNC tool to access the screen, but still needs a network login.
      ** Remember to give credit where credit is due and leave reputation points where appropriate **



      • #4
        Re: Someone trying to gain illegal access

        Hello Wired,

        AC-SVR01 is an actual server which can be accessed remotely with RDP (3389). You may be right that someone is trying to access the server with a remote access program.

        Is there an alternative to Microsoft RDP (3389)? Or any necessary steps which can be taken to prevent this?

        Any help and suggestions appreciated..

        Best regards,

        Victor



        • #5
          Re: Someone trying to gain illegal access

          What about this?
          http://www.petri.com/securing_rdp_communications.htm

          However, I don't understand why you would publish RDP unsecured to the Internet.
          Marcel
          Technical Consultant
          Netherlands
          http://www.phetios.com
          http://blog.nessus.nl

          MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
          "No matter how secure, there is always the human factor."

          "Enjoy life today, tomorrow may never come."
          "If you're going through hell, keep going. ~Winston Churchill"



          • #6
            Re: Someone trying to gain illegal access

            Hello Marcel,

            Securing RDP during the session with an SSL certificate is OK, but does it keep intruders away?
            In other words, can I configure the SBS 2003 box to only accept SSL encrypted connections through port 3389 (RDP)?
            And if yes, how? And will it keep intruders away from trying to connect to the SBS 2003 box or dispose their identities?

            Anyway, thanks for the SSL tip, I will try this.

            With best regards,

            Victor



            • #7
              Re: Someone trying to gain illegal access

              You didn't tell me if you use a firewall, so I assume you use ISA Server.

              Unplug the internet connection if you want to make sure that everything is safe.
              A hacker can find a security leak in every port you open, and so in RDP.
              However, with secure RDP you'll make sure that nobody can sniff your username and password, which makes it more safe.

              A better solution is disabling RDP on the outside and setting up a VPN connection to the SBS box and then starting an RDP session.

              Another option is to publish RDP on another port:
              http://www.isaserver.org/articles/2004pubts.html

              Most script kiddies / hackers will try the default ports unless you really have some interesting stuff for them. Otherwise it would take too much time to scan all ports. Especially if you configure portscan alerts in ISA.

              http://www.microsoft.com/technet/com...ip/st1205.mspx
              Marcel


              • #8
                Re: Someone trying to gain illegal access

                Hello Dumber,

                I followed your advice and changed the RDP listening port on the SBS 2003 Server, but now I can't connect to the server anymore through Remote Web Workspace.

                Is there a way to let Remote Web Workspace (connect to server desktop) know that the RDP port on the server is changed?

                With best regards,

                Victor



                • #9
                  Re: Someone trying to gain illegal access

                  Logon type 3 will show when someone is hammering on your RWW also.

                  Comment
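
Post #9's point can be checked from the log itself. As an added example (not code from any poster in the thread), this Python script parses events in the text layout quoted in post #1 and groups the failures by logon type, caller process ID and source address. Only the first sample event follows the thread; the other two, the function names and the reading of the `via_local_process` flag are assumptions made for the example.

```python
import re
from collections import Counter

# Text layout of the event quoted in post #1 (unused fields omitted).
TEMPLATE = """Security 529 {when} 1
Logon Failure:
User Name: {user}
Domain:
Logon Type: {ltype}
Logon Process: {proc}
Caller User Name: AC-SVR01$
Caller Process ID: {pid}
Source Network Address: {src}
"""
# Constructed sample: only the first row follows the thread.
ROWS = [
    ("2/8/2008 6:13 AM", "hacker", "3", "Advapi", "1816", "-"),
    ("2/8/2008 6:14 AM", "admin", "3", "Advapi", "1816", "-"),
    ("2/8/2008 6:20 AM", "test", "10", "User32", "2044", "203.0.113.7"),
]
SAMPLE = "".join(TEMPLATE.format(when=w, user=u, ltype=t, proc=p, pid=i, src=s)
                 for w, u, t, p, i, s in ROWS)

HEADER = re.compile(r"^Security\s+529\s+(\S+\s+\S+\s+[AP]M)", re.M)
FIELD = re.compile(r"^[ \t]*([A-Za-z ]+?):[ \t]*(.*)$", re.M)

def parse_events(text):
    """Split an exported log into one dict of fields per event 529."""
    parts = HEADER.split(text)  # ['', time1, body1, time2, body2, ...]
    events = []
    for when, body in zip(parts[1::2], parts[2::2]):
        fields = {k.strip(): v.strip() for k, v in FIELD.findall(body)}
        fields["When"] = when
        events.append(fields)
    return events

def summarise(events):
    """Group failures by (logon type, caller PID, source address)."""
    groups = {}
    for e in events:
        src = e.get("Source Network Address", "-")
        key = (e.get("Logon Type"), e.get("Caller Process ID"), src)
        g = groups.setdefault(key, {"count": 0, "users": Counter()})
        g["count"] += 1
        g["users"][e.get("User Name")] += 1
        # Assumed reading: no source address and a machine-account caller mean
        # a process on the server itself (Caller Process ID) made the logon call.
        g["via_local_process"] = src == "-" and e.get("Caller User Name", "").endswith("$")
    return groups
```

When a group is flagged `via_local_process`, the security log holds no client address for it, so the next step is to map that Caller Process ID to its service (for example with `tasklist /svc`) and read that service's own logs.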


                  • #10
                    Re: Someone trying to gain illegal access

                    Originally posted by victor Max
                    Hello Dumber,

                    Is there a way to let Remote Web Workspace (connect to server desktop) know that the RDP port on the server is changed?

                    With best regards,

                    Victor
                    Try this:
                    http://www.sbsfaq.com/Lists/FAQs/DispForm.aspx?ID=6
                    TIA

                    Steven Teiger [SBS-MVP(2003-2009)]
                    http://www.wintra.co.il/
                    I'm honoured to have been selected for the SMB 150 list for 2013. This is the third time in succession (no logo available for 2011) that I have been honoured with this award.

                    We don't stop playing because we grow old, we grow old because we stop playing.
