Failed login attempt

 
 
Joe#2
      08-06-2010
This apparently is a hack attempt, correct? I've had 1073 attempts to log in
as administrator from what appears to be a site in Italy. Here is one entry
from the event log.

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 8/3/2010
Time: 5:23:50 AM
User: NT AUTHORITY\SYSTEM
Computer: SAMSON
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: admin
Domain: SUNRAY
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: SAMSON
Caller User Name: SAMSON$
Caller Domain: SUNRAY
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 10072
Transited Services: -
Source Network Address: 79.14.254.179
Source Port: 2968


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

 
Joe#2
      08-06-2010
I realize I should have deleted the domain info here. Moderator, could you
either x out that info or just delete the post?

Jim
      08-06-2010
Errm...no moderators on nntp. Your post is now archived in Google
forever more....

At least it wasn't anything more than a domain name :-)




Colin
      08-06-2010
Hi,

Block that source IP address at your firewall, or better still, the entire
subnet.

Regards Colin.

"Joe#2" wrote:

> This apparently is a hack attempt, correct. I've had 1073 attempts to log in
> as administrator from what appears to be a site in italy. Here is one entry
> from the event log.
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 529
> Date: 8/3/2010
> Time: 5:23:50 AM
> User: NT AUTHORITY\SYSTEM
> Computer: SAMSON
> Description:
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name: admin
> Domain: SUNRAY
> Logon Type: 10
> Logon Process: User32
> Authentication Package: Negotiate
> Workstation Name: SAMSON
> Caller User Name: SAMSON$
> Caller Domain: SUNRAY
> Caller Logon ID: (0x0,0x3E7)
> Caller Process ID: 10072
> Transited Services: -
> Source Network Address: 79.14.254.179
> Source Port: 2968
>
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>

 
Reply With Quote
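Counting the failures per source address before writing the firewall rule suggested in the reply above; this is an added example, not part of the thread. It assumes the Security log has been exported as text in the layout of the quoted entry, filters on Logon Type 10 (RemoteInteractive, i.e. Terminal Services/RDP), and takes a /24 as an assumed meaning of "subnet"; the sample records are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: three abbreviated records in the layout of the entry
# quoted in the thread (addresses come from documentation ranges).
SAMPLE = """\
Event Type: Failure Audit
Event ID: 529
Logon Type: 10
Source Network Address: 203.0.113.17
Event Type: Failure Audit
Event ID: 529
Logon Type: 10
Source Network Address: 203.0.113.44
Event Type: Failure Audit
Event ID: 529
Logon Type: 2
Source Network Address: 127.0.0.1
"""

# One "Field Name: value" pair per line, as in the event description text.
FIELD = re.compile(r"^[ \t]*([A-Za-z ]+?):[ \t]*(.*?)[ \t]*$", re.M)

def parse_records(text):
    """Return one field dict per record; 'Event Type' opens each record."""
    records = []
    for key, value in FIELD.findall(text):
        if key == "Event Type":
            records.append({})
        if records:
            records[-1][key] = value.strip()  # also drops a trailing \r
    return records

def remote_failures(records, prefix=24):
    """Count 529 failures of logon type 10 per source address and subnet."""
    by_ip, by_net = Counter(), Counter()
    for r in records:
        if r.get("Event ID") != "529" or r.get("Logon Type") != "10":
            continue
        try:
            ip = ipaddress.ip_address(r.get("Source Network Address", ""))
        except ValueError:
            continue  # "-" or empty: no network source was recorded
        by_ip[str(ip)] += 1
        by_net[str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))] += 1
    return by_ip, by_net
```

The per-subnet counter shows whether the attempts really cluster in one range before a whole subnet is blocked.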
 
Joe#2
      08-07-2010
Bummer on google. Oh sigh!
Yes that port will be blocked tonight.

Thanks for input.

