Anonymous Login attemps from IPs all over Asia, how do I stop them from being able to do this?
Posted
by
Ryan
on Server Fault
See other posts from Server Fault
or by Ryan
Published on 2011-01-20T16:54:42Z
Indexed on
2012/03/26
11:33 UTC
Read the original article
Hit count: 258
We had a successful hack attempt from Russia and one of our servers was used as a staging ground for further attacks, actually somehow they managed to get access to a Windows account called 'services'. I took that server offline as it was our SMTP server and no longer need it (3rd party system in place now).
Now some of our other servers are having these ANONYMOUS LOGIN attempts in the Event Viewer that have IP addresses coming from China, Romania, Italy (I guess there's some Europe in there too)... I don't know what these people want but they just keep hitting the server. How can I prevent this?
I don't want our servers compromised again, last time our host took our entire hardware node off of the network because it was attacking other systems, causing our services to go down which is really bad.
How can I prevent these strange IP addresses from trying to access my servers?
They are Windows Server 2003 R2 Enterprise 'containers' (virtual machines) running on a Parallels Virtuozzo HW node, if that makes a difference. I can configure each machine individually as if it were it's own server of course...
UPDATE: New login attempts still happening, now these ones are tracing back to Ukraine... WTF.. here is the Event:
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0xB4FEB30C)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: REANIMAT-328817
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 94.179.189.117
Source Port: 0
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Here is one from France I found too:
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 1/20/2011
Time: 11:09:50 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: QA
Description:
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0xB35D8539)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: COMPUTER
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 82.238.39.154
Source Port: 0
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
© Server Fault or respective owner