
Untitled

a guest
Mar 27th, 2012
192.168.1.125 (FTP server, in-house -> domestic and global bonseop sseuim for updates)

Today, after remotely accessing the server, I saw on the 125 computer that remote connections to the internal 192.168.1.124 and 192.168.1.121 were up on the screen.

Leave their computers inside gutyi seobeotim step 125 to another server, if remote access was considered very rare,

I tried the recently used commands from the Start -> Run menu.

Remote access was attempted with the following commands.

Mstsc /v Nikkiluv

Mstsc /v Newcosmo (124)

Mstsc

\\nikkiluv

Mstsc /v kaloffice

Mstsc /v 121.189.63.190

(IDC lek configuration not only written documents, but the back seat of an internal IP internal IP and I think the mail server.)

Mstsc /v Kal-comm (121)

Mstsc /v Fkz3c33c9ueodxa

In Management tools -> Event Viewer, very unusual entries with event ID 528 remained, as follows.

2009-10-26 03:39:25, (Monday morning)
Successful Logon:
User Name: kal
Domain: COSMO
Logon ID: (0x0, 0x16571DFF)
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: COSMO
Logon GUID: --
Caller User Name: COSMO $
Caller Domain: WORKGROUP
Caller Logon ID: (0x0, 0x3E7)
Caller Process ID: 3380
Transited Services: --
Source Network Address: 206.217.202.226
Source Port: 2799

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

2009-10-24 09:34:54 (Saturday)
Successful Logon:
User Name: kal
Domain: COSMO
Logon ID: (0x0, 0x15792451)
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: COSMO
Logon GUID: --
Caller User Name: COSMO $
Caller Domain: WORKGROUP
Caller Logon ID: (0x0, 0x3E7)
Caller Process ID: 2612
Transited Services: --
Source Network Address: 206.217.202.226
Source Port: 2815

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%20Operating%20System&ProdVer=5.0&EvtID=528&EvtSrc=Security&LCID=1033

According to the site, event ID 528 is listed as the one left when a login is successful. To test this, I intentionally connected with a wrong password.

With a wrong password, event ID 529 is left; when successful, 528.

So someone successfully logged in, and I think the remaining 528 events came from a foreign IP. Access by an outsider is suspected.

* 1 line summary: in Event Viewer on the 125 computer, the remaining event ID 528 entries are suspected to have come from a foreign IP.
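
The check described above (event ID 528 with Logon Type 10 from an address outside the internal network) can be run over exported records. The following is an added example, not part of the original paste; the function names are hypothetical and the internal range 192.168.1.0/24 is an assumption based on the hosts named in the note.

```python
import ipaddress
import re

# Assumption: the internal range is 192.168.1.0/24, inferred from the hosts named in the note.
INTERNAL = ipaddress.ip_network("192.168.1.0/24")

# First record is abridged from the note; the other two are constructed for contrast.
SAMPLE = """\
2009-10-26 03:39:25, (Monday morning)
User Name: kal
Logon Type: 10
Source Network Address: 206.217.202.226

2009-10-25 10:02:11
User Name: kal
Logon Type: 10
Source Network Address: 192.168.1.124

2009-10-25 08:00:00
User Name: kal
Logon Type: 2
Source Network Address: -
"""

FIELD = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")

def parse_records(text):
    """Split blank-line separated event 528 records into field dictionaries."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [line.strip() for line in block.splitlines()]
        rec = {"Time": lines[0][:19]}  # first line of each record is its timestamp
        for m in filter(None, map(FIELD.match, lines[1:])):
            rec[m.group(1)] = m.group(2)
        records.append(rec)
    return records

def external_rdp_logons(records):
    """Keep Logon Type 10 (RemoteInteractive, i.e. RDP) logons from outside INTERNAL."""
    hits = []
    for rec in records:
        try:
            addr = ipaddress.ip_address(rec.get("Source Network Address", ""))
        except ValueError:
            continue  # "-" or absent: no network source was recorded
        if rec.get("Logon Type") == "10" and addr not in INTERNAL:
            hits.append(rec)
    return hits
```

On systems newer than the one in the note, the equivalent successful-logon event is ID 4624, so the same filter applies once the export format is adjusted.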