Hi all,
I have an internet-facing time-clock server; the network firewall has port 80
ONLY forwarding to the server.
I'm starting to see hundreds of event 4625s coming from global IP addresses
(China, Malaysia, Russia, etc.).
If the firewall only has port 80 forwarded, how are they attempting RDP (Logon
Type 10)?
Here is one such example:

An account failed to log on.

Subject:
    Security ID: SYSTEM
    Account Name: SERVER_Name$
    Account Domain: DOMAIN_ NAME
    Logon ID: 0x3e7

Logon Type: 10

Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: administrator
    Account Domain: SERVER_Name

Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006d
    Sub Status: 0xc000006a

Process Information:
    Caller Process ID: 0x1424
    Caller Process Name: C:\Windows\System32\winlogon.exe

Network Information:
    Workstation Name: SERVER_Name
    Source Network Address: 60.52.25.18 (Malaysia IP )
    Source Port: 4750

Detailed Authentication Information:
    Logon Process: User32
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

Jean-Paul Natola
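
Added example, not part of the original post: a Python sketch that parses 4625 records exported as text in the layout of the event above and tallies failed logons per source address, with the logon types seen and the accounts tried. The sample records are constructed; 60.52.25.18 is the address from the post and 203.0.113.7 is a documentation-range placeholder.

```python
import re
from collections import defaultdict

# Constructed sample records mirroring the field names of the event in the post.
TEMPLATE = ("An account failed to log on.\nSubject:\nAccount Name: SERVER_Name$\n"
            "Logon Type: {t}\nAccount For Which Logon Failed:\nAccount Name: {u}\n"
            "Network Information:\nSource Network Address: {ip}\n")
SAMPLE = "".join(TEMPLATE.format(t=t, u=u, ip=ip) for t, u, ip in [
    ("10", "administrator", "60.52.25.18 (Malaysia IP )"),  # 10 = RemoteInteractive
    ("10", "admin", "60.52.25.18"),
    ("3", "guest", "203.0.113.7"),                          # 3 = Network
])

# Split at the first colon only, so values such as C:\Windows\... stay intact.
FIELD = re.compile(r"^\s*([^:]+):\s*(.*)$")

def parse_events(text):
    """Split on the 4625 banner; key each field by (section, name) so the two
    'Account Name' lines (Subject vs. failed account) stay distinct."""
    events = []
    for chunk in text.split("An account failed to log on.")[1:]:
        section, fields = "", {}
        for line in chunk.splitlines():
            m = FIELD.match(line)
            if not m:
                continue
            key, value = m.group(1).strip(), m.group(2).strip()
            if value:
                fields[(section, key)] = value
            else:
                section = key  # a bare "Header:" line starts a new section
        events.append(fields)
    return events

def summarize(events):
    """Per source address: failure count, logon types seen, accounts tried."""
    out = defaultdict(lambda: {"failures": 0, "logon_types": set(), "accounts": set()})
    for f in events:
        by_name = {name: v for (_, name), v in f.items()}  # section-agnostic lookup
        ip = by_name.get("Source Network Address", "-").split()[0]  # drop annotations
        row = out[ip]
        row["failures"] += 1
        row["logon_types"].add(by_name.get("Logon Type", "?"))
        row["accounts"].add(f.get(("Account For Which Logon Failed", "Account Name"), "?"))
    return dict(out)

if __name__ == "__main__":
    for ip, row in sorted(summarize(parse_events(SAMPLE)).items()):
        print(ip, row["failures"], sorted(row["logon_types"]), sorted(row["accounts"]))
```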