Get IP address of remote login user

By haagr
I have a computer not on a domain. When I reloaded it with Windows 2000, I set the security policy to let me know about failed and successful logins.

I have a bunch of login attempts from someone that I don't know, trying to use the administrator account (which I renamed, so obviously they are hacking). Is there a way to find out this person's IP address? The Security Event Log doesn't list it.

This conversation is currently closed to new comments.

by Joseph Moore In reply to Get IP address of remote ...

The short answer is no.
The Security log does not log the IP address of the connecting machine. It only records the machine name, as you can see in your logs.
You are getting Event ID 529, right?
Then yes, someone is "hacking" your server, but failing.

You could do a few things here. If you can determine at what times this happens, you can be at the server, and do NETSTAT -AN at the Command Prompt to get a list of all ports.
If you can time it that you run the Netstat while the hacking attempt is going on, you will see Established connections to your machine's TCP port 139 (or TCP port 445, depending on your version of Windows).
The IP address that is making the connection on that port will be listed.
Bingo! You've got him!
The problem is that you need to be at the server while the hack is going on. So basically, if you can tell that hack attempts occur every day at 3PM, you could open up a command prompt window, and the Security log. Keep refreshing the Security log, and wait until a new record is written. Then flip to the Command Prompt and run the Netstat.
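
Added example, not part of the original post: one way to avoid having to sit at the console is to poll `netstat -an` and log every remote address holding an ESTABLISHED connection to local TCP port 139 or 445. The sample output is constructed with documentation addresses, and the log file name is an assumption.

```python
import subprocess
import time

SMB_PORTS = {139, 445}  # NetBIOS session service and direct-hosted SMB

# Constructed sample of Windows `netstat -an` output (documentation addresses).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         203.0.113.45:3187      ESTABLISHED
  TCP    192.0.2.10:445         198.51.100.7:1042      ESTABLISHED
  TCP    192.0.2.10:1065        198.51.100.20:445      ESTABLISHED
  TCP    192.0.2.10:139         203.0.113.45:3190      TIME_WAIT
  UDP    192.0.2.10:137         *:*
"""

def smb_peers(netstat_text):
    """Return the set of (remote_ip, local_port) for inbound established SMB sessions."""
    peers = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have four columns; headers and UDP rows (no State column) do not.
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] != "ESTABLISHED":
            continue
        local_port = fields[1].rsplit(":", 1)[1]
        remote_ip = fields[2].rsplit(":", 1)[0]
        # Match on the LOCAL port so our own outbound connections to port 445 are ignored.
        if local_port.isdigit() and int(local_port) in SMB_PORTS:
            peers.add((remote_ip, int(local_port)))
    return peers

def watch(interval=1.0, logfile="smb_peers.log"):  # logfile name is an assumption
    """Poll netstat and append each newly connected peer with a timestamp."""
    seen = set()
    while True:
        out = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
        current = smb_peers(out)
        with open(logfile, "a") as fh:
            for ip, port in sorted(current - seen):
                fh.write(f"{time.strftime('%Y-%m-%d %H:%M:%S')} {ip} -> local port {port}\n")
        seen = current  # a peer that disconnects and returns is logged again
        time.sleep(interval)

if __name__ == "__main__":
    print(sorted(smb_peers(SAMPLE)))
    # watch()  # uncomment on the server to log continuously
```

The timestamps in the log can be matched against the times of the Event ID 529 entries in the Security log. A connection that opens and closes between two polls will not be captured.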

by Joseph Moore In reply to Get IP address of remote ...

Now, here comes the scolding.
IF someone is hacking your system using these ports, then you have NetBIOS open to the Internet, and THAT IS BAD!
You need a firewall for this box; even a software-based firewall like ZoneAlarm will prevent this.
Get secure!

Ok, enough preaching.

Hope this helps.

by haagr In reply to Get IP address of remote ...

Poster rated this answer

by haagr In reply to Get IP address of remote ...

How do I get rid of NetBIOS, and why is it there in the first place?

by haagr In reply to Get IP address of remote ...

This question was closed by the author
