Event ID 529 Tracking IP Address

By Bcarder
I have an attempted hacker (I think) who is trying to log on to one of my client's servers. Here's the log:

Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator
Domain: *************
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: administrator
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -


For more information, see Help and Support Center at
-----------------------------

There is no machine called 'administrator' on their network and it happens about 5-6 times a day at random times.

The server is an SBS 2003 running ISA 2000.

Since I'm not an ISA guru, is there any reporting or way of tracking an IP address (since the event log does not)? Any ideas?

by CG IT In reply to Event ID 529 Tracking IP ...

Well, ISA provides reports, but you have to set up reporting in ISA to get them.

Agree someone tried to get in using the administrator's account. It's a basic attack using the default admin account name administrator to see if someone was smart enough to rename it. NTLM is a challenge/response authentication method and is a throwback to NT and W9X days. Here's a link to what hacks do with NTLM in documenting the challenge/response: http://www.innovation.ch/java/ntlm.html

ISA 2000 is a pretty good proxy firewall. But on an SBS box, packet filters are created that allow traffic inside, e.g. holes. These holes can be security problems, whereas ISA on its own box acts as a true proxy where no traffic ever enters the LAN. ISA fetches the data on the LAN on behalf of the requestor, if authorized, then forwards that data to the requestor. Might consider adding a perimeter firewall between ISA and the internet.
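
Added example, not part of either post: when Event 529 records no Source Network Address, one way to narrow down the source is to match the event time against firewall connection logs. The log layouts, timestamps and addresses below are constructed for illustration and are not ISA 2000's own log format.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data; both layouts are assumptions for illustration:
# a timestamp line above each exported Event 529 body, and a firewall log of
# "date time source-ip dest-port" per allowed inbound connection.
EVENTS = """2006-03-01 02:14:07
Logon Failure:
User Name: administrator
Logon Type: 3
Workstation Name: administrator
Source Network Address: -

2006-03-01 09:30:00
Logon Failure:
User Name: jsmith
Logon Type: 2
Source Network Address: 192.168.16.20
"""
FIREWALL = """2006-03-01 02:14:06 203.0.113.45 445
2006-03-01 02:14:30 198.51.100.7 80
2006-03-01 09:29:59 198.51.100.9 25
"""
FMT = "%Y-%m-%d %H:%M:%S"

def parse_events(text):
    """Split the export on blank lines; return one dict per event."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        stamp, *fields = block.splitlines()
        ev = {"time": datetime.strptime(stamp.strip(), FMT)}
        for line in fields:
            key, _, value = line.partition(":")
            ev[key.strip()] = value.strip()
        events.append(ev)
    return events

def parse_firewall(text):
    """Return (time, source_ip, dest_port) for each log line."""
    rows = (line.split() for line in text.splitlines() if line.strip())
    return [(datetime.strptime(f"{d} {t}", FMT), src, int(port)) for d, t, src, port in rows]

def candidate_sources(events, firewall, window=timedelta(seconds=5)):
    """Map each type 3 failure logged without a source address to the
    source IPs the firewall let in within `window` of the event time."""
    blind = [e for e in events
             if e.get("Logon Type") == "3" and e.get("Source Network Address") == "-"]
    return {e["time"]: sorted({src for t, src, _ in firewall if abs(t - e["time"]) <= window})
            for e in blind}
```

The result is a list of candidates, not proof: clock skew between the server and the firewall, or several connections inside the window, means each candidate still needs checking.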
