Windows Server - Advice on dealing with Attempted Hacks

Asked By Ringo
03-Nov-09 09:18 PM
Hi All,

3 days ago, my SBS server event log filled up with Event ID: 529.
Someone was apparently trying to hack into the server using the
Lockout (EventID: 539).  I checked the logs, blocked the IP address
(located in Spain) at the Sonicwall firewall level, and all is good.

Now, earlier today, same logins were tried again, and once again the
hack attempt eventually generated another Account Lock.  I did the
same procedure as last...blocked the new IP (this time a location in
Belgium), but now I am getting a bit concerned given this is the second
attempt.  Administrator account was already renamed 3 years ago, so
I am not worried about them hacking into a non-existent account.  But
their repeated attempts has me a bit concerned.

I am interested in hearing advice on what to do other than block the
IP address the hacker is coming from.  Any way I can track this loser
down?  Also, what are some protocols and procedures to perform in a
situation like this.

Any advice is greatly appreciated!

Thanks,

Ringo
Windows Server SBS Discussions
 
EventID
(1)
SMTP
(1)
Sonicwall
(1)
Belgium
(1)
Lockout
(1)
Spain
(1)
Hacks
(1)
Meng
(1)
  v-robme replied...
04-Nov-09 06:00 AM
Hello Ringo,

Thanks for your post.

The Event ID 529 is a known event message in SBS server Security log. Yes, you are not the first one who asks this question. Actually as far as I know, many people
encounter same Event 529 issue and have same concerns. FYI, hope the following articles would help:

Strange series of log in failures
http://www.vistax64.com/sbs-server/254264-strange-series-log-failures.html

Security log - Eventid: 529, from SMTP
http://www.winvistatips.com/security-log-eventid-529-smtp-t673781.html

Security Event 529 is logged for local user accounts
http://support.microsoft.com/kb/811082/en-us

Hope this helps.



Best regards,
Robbin Meng(MSFT)
Microsoft Online Newsgroup Support

==================================================================
Please post your SBS 2008 related questions to the SBS newsgroup on Connect website:
https://connect.microsoft.com/sbs08/community/discussion/richui/default.aspx

Please post your EBS related questions to the EBS newsgroup on Connect website:
https://connect.microsoft.com/ebs08/community/discussion/richui/default.aspx

If you want to use a newsreader other than a web forum to access these newsgroups,
please refer to the following blog to apply NNTP password and configure a newsreader:
http://msmvps.com/blogs/bradley/archive/2008/11/02/signing-up-for-the-sbs-2008-newsgroups.aspx
==================================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
==================================================================
Previous Discussion:  Unable to access IP
Create New Account