Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations bkrike on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Attack on my NT4

Status
Not open for further replies.
vectorw16

vectorw16

Technical User
Jan 21, 2002
54
CA
I have a PDC & BDC running NT4.0 both fully patched!

In last week security log I see many event 529 Failed Logon/logoff attemps
Reason: Unknown user name or bad password
username: varry (home, computer, admin, administrator, web, www, domain, guest...)
domain :
Logon type : 3
Logon process: Advapi
Workstation : the name of my PDC

Ok it's a hacker no doubt about that ... but HOW
Most username don't exist in my organization but, just knowing they can try makes me worry !

I'm behind a firewall the only open port is 25 for mail I have outbound rules blocking everything except what I need !

Suggestions ?

 
Sort by date Sort by votes
Are you running iis? Any other services that are port forwarded to the server? As long as passwords are secure, should be safe, also report to your isp.

Matt J.

Please always take the time to backup any and all data before performing any actions suggested for ANY problem, regardless of how minor a change it might seem. Also test the backup to make sure it is intact.
 
Upvote 0 Downvote
No I'm not running IIS... the only port forwarded to my server is 25 ...

Is it possible to try to log in a server by this port?

My password are secure, but can I do something to block this ?

thanks
 
Upvote 0 Downvote
Hmmm... I've never had to cope with advapi, but it appears to be a certain software component that drives certain security components, during a logon process. I also see hits referencing virus activity, but could just be a coincidence. Regardless, run an updated virus scan to be safe. And I don't think a direct login can be attempted via port 25, but you never know what tools are out there.

Does the activity continue or was it a one time thing?

Matt J.

Please always take the time to backup any and all data before performing any actions suggested for ANY problem, regardless of how minor a change it might seem. Also test the backup to make sure it is intact.
 
Upvote 0 Downvote
looks like some login class from what i found in the internet....did you went to some strange internet sites recently? this class can only run on a script or maybe some program keygen for example....make sure you have no strange process running at your server right now....

SET CRTL ALT DEL = #728
-----------------------
greg
 
Upvote 0 Downvote
The attack last near a month, started on the 1 august and stopped on the 21 !!! But nothing since !

I'm running an up to date anti-virus and I'm doing a full scan every night !

Personally I didn't visit any strange sites, + I never use the internet on my servers for security reasons !

This attack is really bugging me ! How could I check if the attack didn't came from inside my network ?

Thanks for your feedback !
 
Upvote 0 Downvote
Most likely was the PC that was attacking you finally got anti-virus or turned off. Since it attacked so frequently, I would guess it was on your network rather than outside.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

DrB0b
  • Locked
  • Question
Hybrid on prem AD with Azure AD
Replies
2
Views
426
DrB0b
DrB0b
James281
  • Locked
  • Question
Enrolment agent (enrol on behalf of) stopped working
Replies
1
Views
337
mikehook
mikehook
lacked
  • Locked
  • Question
problem with windows update on windows server 2016
Replies
1
Views
300
maybeimaleo
maybeimaleo
froggy8
  • Locked
  • Question
cant add my windows 7 pc to my domain 1
Replies
3
Views
337
hairlessupportmonkey
hairlessupportmonkey
edgar28
  • Locked
  • Question
Question on Network cards - Windows Server 2019
Replies
1
Views
277
DrB0b
DrB0b

Part and Inventory Search

Sponsor

Back
Top