Hosting Provided By

Brute-force and IIS/w2k logs

From: Cushmeer, Barnar <BarnarCushmeer(at)Enthusian.com>
Date: Tue Apr 01 2003 - 16:15:40 EST

Hello,

I've just reviewed a short range of security logs on a W2k/IIS box and there is an over abundance of repeated invalid login attempts. The attempts seem to focus on weak user ids (ie; admin, administrator, root, sql, etc.). However I've seen a few successful "anonymous" login/logouts.

My two questions are.. is the "anonymous" login something to be concerned about and what's the best way(s) to gather more relevant log data about the source of the attacks beyond the scant information provided in the Security log (machine name, time/date). Is there a way to capture the IP address of the source?

	Thank you.
	-BC


-------------------------------------------------------------------

SurfControl E-mail Filter puts the brakes on spam, viruses and malicious code. Safeguard your business critical communications. Download a free 30-day trial: http://www.securityfocus.com/SurfControl-security-basics Received on Wed Apr 2 12:15:24 2003

This message: [ Message body ]
Next message: Craig Humphrey: "RE: Email Encryption Between Servers"
Previous message: Michael Leigh: "RE: Email Encryption Between Servers"
Reply: Harlan Carvey: "re: Brute-force and IIS/w2k logs"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:03:59 EDT