Failed logins...

By hoosiertechguy

I manage several servers. Recently, I've noticed that 3 or 4 of these servers are logging hundreds of failed login attempts via multiple ports that aren't even open in the router. All of the servers are Server 2003 systems, and the failed logins are utilizing usernames that indicate that this is an active attempt to hack the server, e.g. admin, administrator, pos, sales, manager, etc. Has anyone been experiencing this? Most of the servers are behind an older Linksys router, but one of them is behind a Cisco ASA 5500; any ideas?


Check for an infection on your LAN.

by Rob Kuhn In reply to Failed logins...

Since these are on the inside(?) of the LAN, I'd check your client machines as well as your servers for any malware/viruses. It could be an infected machine.

Is there a pattern? In other words, does it seem to happen at a specific day and time?

Are you seeing any abnormal or suspicious activity at the firewall? Is there a breach? Verify that your ports are locked down.

Do you have remote workers? People that VPN into your LAN? Be sure to check those too!

A friend of mine working at another company had a VPN worker who left her connection on 24/7. There was an idle timer set to disconnect VPN connections but because she also left her Outlook running it kept the connection active. I don't need to point out the huge security hole here! :)
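One way to check the two questions raised in the reply above (do the attempts come from inside the LAN, and do they cluster at a particular time), as an added example that is not part of the original thread. The CSV layout (`time,user,source`), the sample rows and the threshold are constructed assumptions; adapt the parsing to however you export the failed-logon events.

```python
import csv
import io
import ipaddress
from collections import Counter
from datetime import datetime

# RFC 1918 ranges: a source in one of these is a machine on the LAN or VPN.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample export of failed-logon events (format is an assumption).
SAMPLE = """time,user,source
2011-03-01 02:14:07,admin,192.168.1.23
2011-03-01 02:14:09,administrator,192.168.1.23
2011-03-01 02:14:12,pos,192.168.1.23
2011-03-02 02:15:40,sales,192.168.1.23
2011-03-02 02:15:44,manager,192.168.1.23
2011-03-02 14:03:10,jsmith,192.168.1.50
2011-03-03 02:13:55,admin,203.0.113.9
"""

def triage(csv_text, threshold=3):
    """Group failed logons by source; return (per-source report, busiest hours)."""
    counts, hours, users = Counter(), Counter(), {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        when = datetime.strptime(row["time"].strip(), "%Y-%m-%d %H:%M:%S")
        src = row["source"].strip()
        counts[src] += 1
        hours[when.hour] += 1
        users.setdefault(src, set()).add(row["user"].strip().lower())
    report = {}
    for src, count in counts.items():
        try:
            addr = ipaddress.ip_address(src)
            internal = any(addr in net for net in LAN_NETS)
        except ValueError:
            internal = None  # hostname or empty field: resolve it by hand
        report[src] = {
            "count": count,
            "internal": internal,
            "distinct_users": len(users[src]),
            # Many different usernames from one source looks like guessing,
            # not a single user mistyping a password.
            "suspect": count >= threshold and len(users[src]) >= threshold,
        }
    return report, hours.most_common()

if __name__ == "__main__":
    per_source, per_hour = triage(SAMPLE)
    for src, info in sorted(per_source.items(), key=lambda kv: -kv[1]["count"]):
        print(src, info)
    print("busiest hours:", per_hour)
```

A source flagged both `internal` and `suspect` is the client machine or VPN session to inspect first.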
