Failed Logon Events--Hack Attempt

We've been getting a lot of event 529 and 680 like below recently on our Small Business Server:


Logon Failure:
    Reason: Unknown user name or bad password
    User Name: demo
    Domain:
    Logon Type: 3
    Logon Process: Advapi
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name: SBSERVER
    Caller User Name: SBSERVER$
    Caller Domain: EMPROD
    Caller Logon ID: (0x0,0x3E7)
    Caller Process ID: 2160
    Transited Services: -
    Source Network Address: -
    Source Port: -

It seems someone is trying to hack in from the Internet, using some software to guess at usernames and passwords. I'm wondering if anyone can give me any ideas on how they're doing it and/or how to stop it. I did a port scan from outside the network and it found 2 UDP ports open--69 and 161 (They're for SNMP and TFTP, I think). Thing is, I can't see where those ports are open in our firewall or on SBS. Also, our firewall doesn't have logging. Rats. Anyone have any ideas? I'm wondering what the username SBSERVER$ means--looks like a reference to the server itself or its C drive...?


Christina Guida
