I'm running IIS6 Windows2003, and as you'll see very quickly.. I'm pretty new to this stuff.
Lately I've been getting bombarded with login attempts.... sometimes several in the same second, and it can last for hours. The event viewer shows the following information for the failed login:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Admin
Domain: AXXXXX
Logon Type: 8
Logon Process: IIS
Authentication Package: MICROSOFT_AUTHE NTICATION_PACKA GE_V1_0
Workstation Name: BXXXXX (my server's name)
Caller User Name: BXXXXX$
Caller Domain: AXXXXX (my domain)
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1812
Transited Services: -
Source Network Address: -
Source Port: -
I don't know much about the authentication process... but what is the significance of 'Logon Process: IIS' ? It seems to me that they're just trying to login into the server itself... like somebody would remotely log in to a server. Does this mean they're logging in to IIS itself? I'm confused.... Also, any advice on dealing with these attacks, or finding out useful information (like finding the ip address that its coming from) would be greatly appreciated.
Lately I've been getting bombarded with login attempts.... sometimes several in the same second, and it can last for hours. The event viewer shows the following information for the failed login:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Admin
Domain: AXXXXX
Logon Type: 8
Logon Process: IIS
Authentication Package: MICROSOFT_AUTHE NTICATION_PACKA GE_V1_0
Workstation Name: BXXXXX (my server's name)
Caller User Name: BXXXXX$
Caller Domain: AXXXXX (my domain)
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1812
Transited Services: -
Source Network Address: -
Source Port: -
I don't know much about the authentication process... but what is the significance of 'Logon Process: IIS' ? It seems to me that they're just trying to login into the server itself... like somebody would remotely log in to a server. Does this mean they're logging in to IIS itself? I'm confused.... Also, any advice on dealing with these attacks, or finding out useful information (like finding the ip address that its coming from) would be greatly appreciated.
Comment