DCOM error - Am I being attacked? - URGENT

Discussion in 'Server Security' started by Bill Nguyen, Sep 3, 2004.

  1. Bill Nguyen

    Bill Nguyen Guest

    I got this DCOM error in system event log.

    Event Type: Error
    Event Source: DCOM
    Event Category: None
    Event ID: 10003
    Date: 9/3/2004
    Time: 10:29:21 AM
    User: N/A
    Computer: RASSERVER
    Description:
    Access denied attempting to launch a DCOM Server using
    DefaultLaunchPermssion. The server is:
    {00020906-0000-0000-C000-000000000046}
    The user is Unavailable/Unavailable, SID=Unavailable.


    There are also numerous failed attempts at logging in from this machine. Is there
    any way to detect where this attack came from?
    Thanks a million!

    Bill


    Event Type: Failure Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 529
    Date: 9/3/2004
    Time: 11:58:26 AM
    User: NT AUTHORITY\SYSTEM
    Computer: RASSERVER
    Description:
    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: krbtgt
    Domain: JORON-TE09SB79M
    Logon Type: 3
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Workstation Name: JORON-TE09SB79M
     
    Bill Nguyen, Sep 3, 2004
    #1

  2. With a software or hardware firewall to log the IP address. www.sygate.com,
    www.kerio.com, www.zonealarm.com are free. Or if you're using Windows 2003
    Server, you might be able to use the included firewall.
     
    Karl Levinson [x y] mvp, Sep 4, 2004
    #2

  3. Bill Nguyen

    Bill Nguyen Guest

    Thanks Karl;
    BN
     
    Bill Nguyen, Sep 7, 2004
    #3
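
An added example, not part of the original thread: a small Python script that reads Security log records exported as text in the layout quoted in post #1 and groups Event ID 529 failures by Workstation Name, to show which source is producing the failed logons and which accounts it is trying. The function names, the threshold and every sample record except the first are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

def _record(kind, event_id, time, user, host):
    # Builds one constructed record in the text layout of the event quoted in the thread.
    return (f"Event Type: {kind}\nEvent Source: Security\nEvent ID: {event_id}\n"
            f"Time: {time}\nUser Name: {user}\nDomain: {host}\n"
            f"Logon Type: 3\nWorkstation Name: {host}\n")

# Constructed sample data. Only the first row repeats values from the post.
SAMPLE = "\n".join(_record(*row) for row in [
    ("Failure Audit", "529", "11:58:26 AM", "krbtgt", "JORON-TE09SB79M"),
    ("Failure Audit", "529", "11:58:27 AM", "Administrator", "JORON-TE09SB79M"),
    ("Failure Audit", "529", "11:58:27 AM", "Guest", "JORON-TE09SB79M"),
    ("Failure Audit", "529", "11:58:29 AM", "admin", "JORON-TE09SB79M"),
    ("Failure Audit", "529", "12:10:02 PM", "jsmith", "DESK-EXAMPLE"),  # one typo
    ("Success Audit", "528", "12:10:15 PM", "jsmith", "DESK-EXAMPLE"),  # ignored
])

def parse_events(text):
    """Split an exported log on 'Event Type:' lines and parse 'Key: Value' fields."""
    events = []
    for block in re.split(r"(?m)^\s*(?=Event Type:)", text):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events

def failed_logon_sources(text, threshold=3):
    """Group Event ID 529 failures by Workstation Name; keep sources at or over threshold."""
    sources = defaultdict(lambda: {"count": 0, "users": set(), "logon_types": set()})
    for ev in parse_events(text):
        if ev.get("Event ID") != "529":
            continue
        src = sources[ev.get("Workstation Name") or "(blank)"]
        src["count"] += 1
        src["users"].add(ev.get("User Name", ""))
        src["logon_types"].add(ev.get("Logon Type", ""))
    # Workstation Name is sent by the client during NTLM, so it is a lead, not proof;
    # the source IP still has to come from a firewall or network log.
    return {host: s for host, s in sources.items() if s["count"] >= threshold}

if __name__ == "__main__":
    for host, s in failed_logon_sources(SAMPLE).items():
        print(host, s["count"], sorted(s["users"]), sorted(s["logon_types"]))
```
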