Hi All, I've recently noticed that multiple malicious log on attempts have started occurring on our SBS 2003 Premium R2 server. Thursday 4 attempts, Friday 15 attempts, W/E none, today Monday about 1000 attempts over 2 hours (now stopped).
This has never happened before over some seven years. The only change to the server (other than Microsoft Updates) has been the installation of Symantec Mail Security for Exchange and the logon attempts started within a couple of days of this. Symantec don't think that this is the cause but I was wondering whether the Mail Security may have opened a previously blocked port. There's no source port or network address info in the security logs so I have no idea how to find out the cause or what action to take. Can anyone help please? Here's an example log entry:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 19/08/13
Time: 11:18:46
User: NT AUTHORITY\SYSTEM
Computer: SERVERNAME
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: anderson (a random changing name)
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVERNAME
Caller User Name: SERVERNAME$
Caller Domain: DOMAINNAME
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1516
Transited Services: -
Source Network Address: -
Source Port:
Jon Lewis
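Added example, not part of the original post: a Python sketch that tallies Event 529 records from a text export in the layout shown above, grouping them by day and by logon process, logon type and caller process ID, which can then be matched to a running process on the server. The sample records (including the Event 540 entry and its address) and the function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample records in the field layout of the entry quoted in the post.
_TEMPLATE = ("Event Type: {ty}\nEvent ID: {eid}\nDate: {d}\nTime: {t}\n"
             "Description:\nUser Name: {u}\nLogon Type: 3\nLogon Process: Advapi\n"
             "Caller Process ID: {p}\nSource Network Address: {a}\nSource Port:\n")
SAMPLE = "".join(_TEMPLATE.format(ty=ty, eid=e, d=d, t=t, u=u, p=p, a=a)
                 for ty, e, d, t, u, p, a in [
    ("Failure Audit", "529", "16/08/13", "09:02:11", "anderson", "1516", "-"),
    ("Failure Audit", "529", "19/08/13", "11:18:46", "baker", "1516", "-"),
    ("Failure Audit", "529", "19/08/13", "11:18:52", "Anderson", "1516", ""),
    ("Success Audit", "540", "19/08/13", "11:20:00", "jlewis", "1516", "10.0.0.5"),
])

def parse_events(text):
    """Split a text export into dicts; a new record starts at 'Event Type:'."""
    records, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon only, so times survive
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Event Type":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records

def summarize_529(records):
    """Tally failed logons (Event ID 529) by day and by calling process."""
    per_day, per_caller, users, no_source = Counter(), Counter(), set(), 0
    for r in records:
        if r.get("Event ID") != "529":
            continue
        per_day[r.get("Date", "?")] += 1
        caller = (r.get("Logon Process"), r.get("Logon Type"), r.get("Caller Process ID"))
        per_caller[caller] += 1
        users.add(r.get("User Name", "").lower())
        # "-" or an empty field means the event carries no client address
        if r.get("Source Network Address", "") in ("", "-"):
            no_source += 1
    return {"per_day": dict(per_day), "per_caller": dict(per_caller),
            "users": sorted(users), "no_source": no_source}

if __name__ == "__main__":
    print(summarize_529(parse_events(SAMPLE)))
```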