We've been getting ALOT of event 529 and 680 like below recently on our Small Business Server
2003.Logon Failure: Reason: Unknown user name or bad password User Name: demo Domain: Logon Type: 3 Logon Process: Advapi Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: SBSERVER Caller User Name: SBSERVER$ Caller Domain: EMPROD Caller Logon ID: (0x0,0x3E7) Caller Process ID: 2160 Transited Services: - Source Network Address: - Source Port: -
It seems someone is trying to hack in from the Internet, using some software to guess at usernames and passwords. I'm wondering if anyone can give me any ideas on how they're doing it and/or how to stop it. I did a port scan from outside the network and it found 2 UDP ports open--69 and 161 (They're for SNMP and TFTP, I think). Thing is, I can't see where those ports are open in our firewall or on SBS. Also, our firewall doesn't have logging. Rats. Anyone have any ideas? I'm wondering what the username SBSERVER$ means--looks like a reference to the server itself or its C drive...?
TIA
Christina Guida