Win Server 2008 R2 & security (log) question

  • Question

  • Hi there,

    I am running a MS 2008 R2 Server (64bit) behind a hardware firewall and a security gateway without forwarding any ports to that server. The only thing running on it is a MS SQL 2008 Server.

    Both SQL and the operating system are on the latest patch level.

    Well, the problem now is that there are some strange events in the security log of the Win 2008 server, which I find really strange:

    It starts with an

    event ID 4776 (I had to translate from German to English, so if anything is not 100% correct, please forgive me ;-) ):

    "Authenticationpackage:MICROSOFT_AUTHENTICATION_PACKAGE_V1_0"

    and then in the same second:

    event ID 4625:

    Error: unknown user or valid password

    account name: administrator

    login type: 10

    Calling Processname: C:\Windows\System32\winlogon.exe

    Source network address:  123.131.*.*

    Source port:        62400

    Login process: User32

    Authenticationpackage:    Negotiate

    Well, port and IP address are changing (with IPs from China, Croatia, France, Greece and Germany so far).

    If this had been logged on our firewall, it wouldn't really concern me, but as it is within our network already, I am quite concerned about what's happening.

    Our antivirus software is up to date and didn't find anything. My best guess is that maybe our VPN software (Check Point) has some serious security vulnerabilities or any other software along the way.

    Is anybody out there who is able to give me some more information about these events? I am not sure how to avoid it... the unsuccessful logins have been occurring for the past 2 days and nights already, sometimes every minute, sometimes with some hours break between...

    Any help would be highly appreciated!

    Thursday, July 22, 2010 12:18 PM
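
An added example, not part of the original post: one way to triage events like the ones quoted above is to count the 4625 failures by logon type and source address and to separate internal sources from external ones. Logon type 10 is RemoteInteractive (Terminal Services / Remote Desktop) in Microsoft's documentation; the sample records, their one-event-per-line layout, the internal ranges and all function names are assumptions made for this example.

```python
import ipaddress
from collections import Counter

# Logon type values documented by Microsoft for events 4624/4625.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 10: "RemoteInteractive"}

# Assumption: the site's internal ranges; replace with the real addressing plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample, one event per line, with field names modelled on the
# post. Addresses are documentation ranges, not the ones from the post.
SAMPLE = """\
event ID: 4625; account name: administrator; login type: 10; Source network address: 203.0.113.7; Source port: 62400
event ID: 4625; account name: administrator; login type: 10; Source network address: 198.51.100.23; Source port: 51812
event ID: 4625; account name: administrator; login type: 10; Source network address: 203.0.113.7; Source port: 62411
event ID: 4625; account name: svc_backup; login type: 3; Source network address: 192.168.10.15; Source port: 49822
event ID: 4776; account name: administrator
"""

def parse_events(text):
    """Turn each 'key: value; key: value' line into a dict with lowercase keys."""
    return [{k.strip().lower(): v.strip()
             for k, sep, v in (f.partition(":") for f in line.split(";")) if sep}
            for line in text.splitlines() if line.strip()]

def is_internal(addr):
    """True/False for a parsable address, None for '-' or a masked value."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    return any(ip in net for net in INTERNAL_NETS)

def failed_logons(events):
    """Count 4625 events per (logon type name, source address)."""
    counts = Counter()
    for e in events:
        if e.get("event id") == "4625":
            code = e.get("login type", "")
            name = LOGON_TYPES.get(int(code), code) if code.isdigit() else code
            counts[(name, e.get("source network address", "-"))] += 1
    return counts

def external_rdp_sources(events):
    """Sources outside INTERNAL_NETS with failed RemoteInteractive logons."""
    return {src: n for (name, src), n in failed_logons(events).items()
            if name == "RemoteInteractive" and is_internal(src) is False}
```

Calling `external_rdp_sources(parse_events(SAMPLE))` returns the external addresses with their failure counts; a masked or missing address is reported as neither internal nor external.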