Is it an SBS server? RWW may be listening on 80.


From: [email protected] [mailto:[email protected]] On Behalf Of J- P
Sent: Tuesday, April 7, 2015 9:55 AM
To: NT
Subject: RE: [NTSysADM] Remote logon attempts 4625

It is not, as I RDP to it (3389) from inside the LAN on a regular basis.



________________________________
From: [email protected]<mailto:[email protected]>
To: [email protected]<mailto:[email protected]>
Subject: RE: [NTSysADM] Remote logon attempts 4625
Date: Tue, 7 Apr 2015 16:40:06 +0000

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

Check to see if it is set to answer on 80

From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of J- P
Sent: Tuesday, April 7, 2015 12:37 PM
To: NT
Subject: [NTSysADM] Remote logon attempts 4625

Hi all,


Have an internet-facing time-clock server; the network firewall has port 80 
ONLY forwarding to the server.

I'm starting to see hundreds of event 4625s coming from global IP addresses 
(China, Malaysia, Russia, etc.).

If the firewall only has port 80 forwarded, how are they attempting RDP (Logon 
Type 10)?


Here is one such example:

An account failed to log on.

Subject:
    Security ID:        SYSTEM
    Account Name:       SERVER_Name$
    Account Domain:        DOMAIN_ NAME
    Logon ID:        0x3e7

Logon Type:            10

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:        administrator
    Account Domain:        SERVER_Name

Failure Information:
    Failure Reason:        Unknown user name or bad password.
    Status:            0xc000006d
    Sub Status:        0xc000006a

Process Information:
    Caller Process ID:    0x1424
    Caller Process Name:    C:\Windows\System32\winlogon.exe

Network Information:
    Workstation Name:    SERVER_Name
    Source Network Address:    60.52.25.18 (Malaysia IP )
    Source Port:        4750

Detailed Authentication Information:
    Logon Process:        User32
    Authentication Package:    Negotiate
    Transited Services:    -
    Package Name (NTLM only):    -
    Key Length:        0



Jean-Paul Natola
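
The two checks discussed in this thread, as an added example that is not part of the original messages: it reads the port configured under the RDP-Tcp key named in the reply, then tallies failed Logon Type 10 attempts (event 4625) by source address. It assumes an elevated PowerShell 3.0 or later session on the server; `PortNumber` is the standard value name under that key and does not appear in the thread, and the 24-hour window is an arbitrary choice.

```powershell
# Added example: run in an elevated PowerShell session on the server itself.
$rdpKey = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Port the RDP listener is configured to answer on (default is 3389).
$rdpPort = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
"RDP-Tcp PortNumber: $rdpPort"
if ($rdpPort -eq 80) { 'RDP is configured on the port the firewall forwards.' }

# 2. Failed logons (4625) from the last 24 hours, read from the event XML
#    so the fields do not depend on the localized message text.
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-24) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$failed = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        LogonType = $data['LogonType']
        Account   = $data['TargetUserName']
        SourceIp  = $data['IpAddress']
        Process   = $data['ProcessName']
    }
}

# 3. Keep RemoteInteractive attempts (Logon Type 10) and count them per source.
$failed |
    Where-Object { $_.LogonType -eq '10' } |
    Group-Object SourceIp |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique) -join ',' } }
```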

