Hi, we are having a lot (thousands) of failed logon attempts daily from 6 or 7 IP addresses like 89.248.167.x or 58.247.6.x etc.
Most of the source IPs appear to originate in China or Amsterdam and we are in North America. The usernames tried and failed today are (these are not in our AD):
Administrator
Guest
RALLogon
RDSSupport
T1
administrator
aloha
bms
brink
brinkpos
celerant
celerant01
celerant1
ecwsupport
eeepciuser
eeeposuser
eeeuser
ibs
ics
kayne120
ken
kipm
mbm
mbm2
polling
pos
pos22
post1
post2
qubica
rbms
rds
rdspos
shlomo
sysdba
Example system log (items in <> I have changed to protect potentially sensitive information):
- System
- Provider
[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {54849625-5478-4994-A5BA-<changed>}
EventID 4625
Version 0
Level 0
Task 12544
Opcode 0
Keywords 0x8010000000000000
- TimeCreated
[ SystemTime] 2016-01-20T03:36:06.246855200Z
EventRecordID 1154657
Correlation
- Execution
[ ProcessID] 580
[ ThreadID] 4440
Channel Security
Computer <correct local address is entered here ie "computer1.domainname.local">
Security
- EventData
SubjectUserSid S-1-0-0
SubjectUserName -
SubjectDomainName -
SubjectLogonId 0x0
TargetUserSid S-1-0-0
TargetUserName celerant
TargetDomainName
Status 0xc000006d
FailureReason %%2313
SubStatus 0xc0000064
LogonType 3
LogonProcessName NtLmSsp
AuthenticationPackageName NTLM
WorkstationName \\89.248.167.140
TransmittedServices -
LmPackageName -
KeyLength 0
ProcessId 0x0
ProcessName -
IpAddress 89.248.167.140
IpPort 57182
Can anyone shed light on this and assist preventing please?
Thanks!
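One way to triage records like the 4625 event above, as an added example that is not part of the original post: group failures by source IpAddress, keep only network NTLM logons (LogonType 3), and flag sources where most attempts target non-existent accounts (SubStatus 0xc0000064, as in the posted record). The sample events are constructed to mirror the post's EventData fields; the second address and the extra user names are hypothetical.

```python
from collections import defaultdict

# NTSTATUS SubStatus values that appear in event 4625 EventData (documented by Microsoft).
SUBSTATUS = {
    "0xc0000064": "user name does not exist",
    "0xc000006a": "wrong password for an existing account",
    "0xc0000234": "account locked out",
    "0xc0000072": "account disabled",
}

# Constructed sample events: the EventData fields from the post's record plus a few more
# of the same shape (the 10.0.0.25 address and the jsmith name are hypothetical).
SAMPLE_EVENTS = [
    {"TargetUserName": "celerant", "IpAddress": "89.248.167.140", "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "SubStatus": "0xc0000064"},
    {"TargetUserName": "pos", "IpAddress": "89.248.167.140", "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "SubStatus": "0xc0000064"},
    {"TargetUserName": "Administrator", "IpAddress": "89.248.167.140", "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "SubStatus": "0xc000006a"},
    {"TargetUserName": "jsmith", "IpAddress": "10.0.0.25", "LogonType": "2",
     "AuthenticationPackageName": "Negotiate", "SubStatus": "0xc000006a"},
]

def summarize_by_source(events):
    """Aggregate failed logons per source IP: total, distinct users tried, unknown-user count."""
    stats = defaultdict(lambda: {"total": 0, "users": set(), "unknown_user": 0})
    for ev in events:
        s = stats[ev.get("IpAddress", "-")]
        s["total"] += 1
        s["users"].add(ev.get("TargetUserName", "-"))
        if ev.get("SubStatus", "").lower() == "0xc0000064":
            s["unknown_user"] += 1
    return stats

def spraying_sources(events, min_failures=3, min_unknown_ratio=0.5):
    """Return source IPs that look like password guessing over the network (LogonType 3,
    NTLM) with at least min_failures attempts and a high share of non-existent user names."""
    network = [ev for ev in events
               if ev.get("LogonType") == "3" and ev.get("AuthenticationPackageName") == "NTLM"]
    flagged = []
    for ip, s in summarize_by_source(network).items():
        if s["total"] >= min_failures and s["unknown_user"] / s["total"] >= min_unknown_ratio:
            flagged.append(ip)
    return sorted(flagged)

def describe(substatus):
    """Human-readable meaning of a 4625 SubStatus code."""
    return SUBSTATUS.get(substatus.lower(), "other failure (" + substatus + ")")

if __name__ == "__main__":
    for ip, s in summarize_by_source(SAMPLE_EVENTS).items():
        print(ip, s["total"], sorted(s["users"]), s["unknown_user"])
    print("flagged:", spraying_sources(SAMPLE_EVENTS))
```

On a live host the same dictionaries can be built from the EventData of each 4625 record exported from the Security log, and the flagged list is what you would feed a firewall block rule or an alert.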