Anonymous Login attemps from IPs all over Asia, how do I stop them from being able to do this?

Posted by Ryan on Server Fault See other posts from Server Fault or by Ryan
Published on 2011-01-20T16:54:42Z Indexed on 2012/03/26 11:33 UTC
Read the original article Hit count: 258

We had a successful hack attempt from Russia and one of our servers was used as a staging ground for further attacks, actually somehow they managed to get access to a Windows account called 'services'. I took that server offline as it was our SMTP server and no longer need it (3rd party system in place now).

Now some of our other servers are having these ANONYMOUS LOGIN attempts in the Event Viewer that have IP addresses coming from China, Romania, Italy (I guess there's some Europe in there too)... I don't know what these people want but they just keep hitting the server. How can I prevent this?

I don't want our servers compromised again, last time our host took our entire hardware node off of the network because it was attacking other systems, causing our services to go down which is really bad.

How can I prevent these strange IP addresses from trying to access my servers?

They are Windows Server 2003 R2 Enterprise 'containers' (virtual machines) running on a Parallels Virtuozzo HW node, if that makes a difference. I can configure each machine individually as if it were it's own server of course...

UPDATE: New login attempts still happening, now these ones are tracing back to Ukraine... WTF.. here is the Event:

Successful Network Logon:
    User Name:  
    Domain:     
    Logon ID:       (0x0,0xB4FEB30C)
    Logon Type: 3
    Logon Process:  NtLmSsp 
    Authentication Package: NTLM
    Workstation Name:   REANIMAT-328817
    Logon GUID: -
    Caller User Name:   -
    Caller Domain:  -
    Caller Logon ID:    -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: 94.179.189.117
    Source Port:    0


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Here is one from France I found too:

Event Type: Success Audit
Event Source:   Security
Event Category: Logon/Logoff 
Event ID:   540
Date:       1/20/2011
Time:       11:09:50 AM
User:       NT AUTHORITY\ANONYMOUS LOGON
Computer:   QA
Description:
Successful Network Logon:
    User Name:  
    Domain:     
    Logon ID:       (0x0,0xB35D8539)
    Logon Type: 3
    Logon Process:  NtLmSsp 
    Authentication Package: NTLM
    Workstation Name:   COMPUTER
    Logon GUID: -
    Caller User Name:   -
    Caller Domain:  -
    Caller Logon ID:    -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: 82.238.39.154
    Source Port:    0


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

© Server Fault or respective owner

Related posts about windows-server-2003

Related posts about security