
Is this someone trying to hack our system?

I have a Windows 2000 Advanced Server which has Terminal Services configured for the administrator account with Cisco routers. I was looking at the security audits in the event log and I found many of these entries (we have no computers named GARY-HOME):

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 04/18/2006
Time: 3:00:52 PM
User: NT AUTHORITY\SYSTEM
Computer: VCLPDC
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: GARY-HOME
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: GARY-HOME
 
If it's a terminal server, then I assume it is accessible by employees who are at home. Someone (Gary?) has a home computer that is part of the GARY-HOME workgroup and is attempting to connect to the terminal server improperly. I'd bet it's a legitimate user (first, no hacker would belong to a workgroup called GARY-HOME). This is the scenario I see. The user opens Remote Desktop Connection, and fills in the IP of your terminal server, his office username, and his office password. The domain field is automatically filled in with the LOCAL domain or workgroup name. The user forgot/didn't know to change it, and knew their password and username were correct, so they just kept trying and kept trying.
Please let me know how this turns out ;)
 
We only have about 80 computer users, all of whom I know pretty well. Nobody knew I had even set up Terminal Services on the server, let alone the server IP address.
 
They might have tried to log on to another Terminal Server, or someone could have seen that the ports were open on your server. You can change the default port that TS uses. Users would have to add :port# to the address.

-David
2006 Microsoft Most Valuable Professional (MVP)
2006 Dell Certified System Professional (CSP)
 
Don't suppose you have any wireless connections on that device, or anyone using a wireless-enabled card on a machine on the network as a rogue access point?

Neil J Cotton
njc Information Systems
Systems Consultant
 
Another scenario for you then. Someone was IP scanning on port 3389 (probably other ports as well) and looking for open or unsecured Terminal Servers or XP machines with Remote Desktop running, and then probably trying every default username/password combo they could think of. The specific error message you posted shows the user as Administrator because this Gary fellow is the administrator of his local machine. Anyway, I'd start off with making sure you've got a good password on your account, and then do as dgellina suggested and publish Terminal Services to a non-standard port. Check out this link for instructions:


Or, if you have a good router, you can use port redirection to redirect all incoming TCP traffic on, say, port 8001 to port 3389 (this is how I did it).

When you go to connect, you will need to type the remote server name as follows:

123.23.13.12:8001, where 8001 is the port you are publishing to. I'd pick a port number that is either very high, or an unused port # down among the standard ports.
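The two explanations offered in this thread (a home user whose Remote Desktop client keeps sending his local workgroup as the domain, versus someone scanning port 3389 and cycling through default usernames) leave different traces in the Security log, and the posted 529 entry has the fields needed to tell them apart. The script below is an added example, not code from the thread or any of its posters: it parses entries in the same "Key: value" layout as the quoted event (assumed to have been exported from Event Viewer as text), groups failures by Workstation Name, and flags sources that are not in a hypothetical inventory (KNOWN_HOSTS) or that produce a burst of failures. All sample events are constructed for the example, and a single account failing repeatedly from one source reads differently from many accounts failing from one source.

```python
"""Triage of Windows 2000 'Failure Audit' 529 entries: flag failures from
workstations not in inventory and bursts of failures per source.
All sample entries below are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical inventory of the machines the admin knows about (not from the thread).
KNOWN_HOSTS = {"VCLPDC", "WS-ACCT07", "WS-SALES02"}

# Same "Key: value" layout as the entry quoted in the thread.
TEMPLATE = """Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 04/18/2006
Time: {time}
User: NT AUTHORITY\\SYSTEM
Computer: VCLPDC
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: {user}
Domain: {domain}
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: {ws}
"""

# Constructed sample: (time, user, domain, workstation).
SAMPLE_EVENTS = [
    ("3:00:52 PM", "Administrator", "GARY-HOME", "GARY-HOME"),
    ("3:00:58 PM", "Administrator", "GARY-HOME", "GARY-HOME"),
    ("3:01:05 PM", "Administrator", "GARY-HOME", "GARY-HOME"),
    ("3:01:12 PM", "Administrator", "GARY-HOME", "GARY-HOME"),
    ("3:01:20 PM", "Administrator", "GARY-HOME", "GARY-HOME"),
    ("3:10:00 PM", "jsmith", "VCL", "WS-ACCT07"),   # one typo from an inventoried PC
    ("4:00:00 PM", "root", "SCANBOX", "SCANBOX"),
    ("4:00:01 PM", "admin", "SCANBOX", "SCANBOX"),
    ("4:00:02 PM", "guest", "SCANBOX", "SCANBOX"),
    ("4:00:03 PM", "Administrator", "SCANBOX", "SCANBOX"),
    ("4:00:04 PM", "test", "SCANBOX", "SCANBOX"),
]
SAMPLE_LOG = "\n".join(TEMPLATE.format(time=t, user=u, domain=d, ws=w)
                       for t, u, d, w in SAMPLE_EVENTS)


def parse_entries(text):
    """Split exported log text into entries and pull out the fields we need."""
    entries = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")   # first colon only: "Time: 3:00:52 PM"
            if value.strip():                     # skip "Description:" / "Logon Failure:"
                fields[key.strip()] = value.strip()
        entries.append({
            "event_id": int(fields["Event ID"]),
            "when": datetime.strptime(fields["Date"] + " " + fields["Time"],
                                      "%m/%d/%Y %I:%M:%S %p"),
            "user": fields["User Name"],
            "domain": fields["Domain"],
            "workstation": fields["Workstation Name"],
        })
    return entries


def analyze(entries, known_hosts, window=timedelta(minutes=5), threshold=5):
    """Group 529 failures by source workstation and assess each source."""
    by_ws = defaultdict(list)
    for e in entries:
        if e["event_id"] == 529:
            by_ws[e["workstation"]].append(e)
    findings = {}
    for ws, evs in by_ws.items():
        evs.sort(key=lambda e: e["when"])
        peak = start = 0                          # most failures inside any `window`
        for end in range(len(evs)):
            while evs[end]["when"] - evs[start]["when"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        users = sorted({e["user"] for e in evs})
        known = ws in known_hosts
        if known and peak < threshold:
            continue                              # ordinary typo from an inventoried PC
        if len(users) >= 3:
            assessment = "credential guessing: many usernames from one source"
        elif peak >= threshold:
            assessment = "repeated failures on one account: misconfigured client or guessing"
        else:
            assessment = "unknown workstation, low volume"
        findings[ws] = {
            "known_host": known, "failures": len(evs), "peak_in_window": peak,
            "distinct_users": users,
            # Domain == Workstation Name is what a non-domain client sends by default.
            "local_domain_used": all(e["domain"] == e["workstation"] for e in evs),
            "assessment": assessment,
        }
    return findings


if __name__ == "__main__":
    for ws, f in analyze(parse_entries(SAMPLE_LOG), KNOWN_HOSTS).items():
        print(f"{ws}: {f['failures']} failures, peak {f['peak_in_window']} in 5 min, "
              f"users={f['distinct_users']} -> {f['assessment']}")
```

Run against the constructed log, GARY-HOME is reported as repeated failures on a single account with the domain field equal to the workstation name, which matches the "forgot to change the domain" explanation, while SCANBOX is reported as credential guessing because several different usernames fail from the same source within seconds. The window and threshold are starting points; tune them to the volume a real server sees.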
 