Someone is trying to hack our server via SMTPSVC. When I view the event log (system) I see Event ID 100 SMTPSVC and a login attempt. However, when I try to match the Event log time with the SMTPSVC log time nothing matches. I want to block the IP Address of this potential intruder. How do I find the IP Address of this potential intruder?

SMTPSVC extended property logs are turned on with client ip, date and time, server ip and server port and also user name.

Default SMTP virtual server
No relay (only the list below) "There is no list"
Basic and Windows Security package are checked for Authentication

Thanks in advance.

On Fri, 25 Mar 2005 13:45:05 -0800, "razornt" <razo***@discussions.microsoft.com> wrote:

>Someone is trying to hack our server via SMTPSVC. When I view the event log
>(system) I see Event ID 100 SMTPSVC and a login attempt. However, when I try
>to match the Event log time with the SMTPSVC log time nothing matches.

Are you accounting for the offset from GMT? The SMTP logs are in GMT,
Event logs are usually in local time.

Jeff

> I want
>to block the IP Address of this potential intruder. How do I find the IP
>Address of this potential intruder?
>
>SMTPSVC extended property logs are turned on with client ip, date and time,
>server ip and server port and also user name.
>
>Default SMTP virtual server
>No relay (only the list below) "There is no list"
>Basic and Windows Security package are checked for Authentication
>
>Thanks in advance.

Thanks Jeff. That makes sense. I'll check into it right away.

"Jeff Cochran" wrote:

> On Fri, 25 Mar 2005 13:45:05 -0800, "razornt"
> <razo***@discussions.microsoft.com> wrote:
>
> >Someone is trying to hack our server via SMTPSVC. When I view the event log
> >(system) I see Event ID 100 SMTPSVC and a login attempt. However, when I try
> >to match the Event log time with the SMTPSVC log time nothing matches.
>
> Are you accounting for the offset from GMT? The SMTP logs are in GMT,
> Event logs are usually in local time.
>
> Jeff
>
> > I want
> >to block the IP Address of this potential intruder. How do I find the IP
> >Address of this potential intruder?
> >
> >SMTPSVC extended property logs are turned on with client ip, date and time,
> >server ip and server port and also user name.
> >
> >Default SMTP virtual server
> >No relay (only the list below) "There is no list"
> >Basic and Windows Security package are checked for Authentication
> >
> >Thanks in advance.

razornt wrote:

> Someone is trying to hack our server via SMTPSVC. When I view the

As long as your permissions are set up OK you don't really have to worry.

> event log (system) I see Event ID 100 SMTPSVC and a login attempt.
> However, when I try to match the Event log time with the SMTPSVC log
> time nothing matches. I want to block the IP Address of this
> potential intruder. How do I find the IP Address of this potential
> intruder?

Spammers are usually scanning for open relays and relays with simple authentication (e.g. username 'user', password 'password') to send spam through. If they don't succeed quickly they'll just try another server. SMTP logs on any platform are always full of hack attempts.
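
The time correlation discussed in this thread, as an added example that is not code from any of the posters: it converts an Event Log timestamp from local time to UTC and counts the client IPs that SMTPSVC logged within a short window around it. The log lines and event time are constructed, the W3C field names assume the extended properties listed in the question, and the UTC-8 offset is an assumption taken from the -0800 in the post header.

```python
from datetime import datetime, timedelta, timezone

# Constructed SMTPSVC W3C extended log; IIS writes these timestamps in GMT/UTC.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-ip s-port
2005-03-25 21:30:12 198.51.100.4 - 10.0.0.5 25
2005-03-25 21:44:57 203.0.113.77 - 10.0.0.5 25
2005-03-25 21:45:03 203.0.113.77 administrator 10.0.0.5 25
2005-03-25 21:52:10 198.51.100.4 - 10.0.0.5 25
"""

FMT = "%Y-%m-%d %H:%M:%S"


def parse_w3c(text):
    """Yield (utc_datetime, record) per data line, using the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # header may change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        try:
            ts = datetime.strptime(f"{rec['date']} {rec['time']}", FMT)
        except (KeyError, ValueError):
            continue                    # skip malformed lines
        yield ts.replace(tzinfo=timezone.utc), rec


def clients_near_event(log_text, event_local, utc_offset_hours, window_s=30):
    """Return {c-ip: line count} for log lines within window_s of the event."""
    local_tz = timezone(timedelta(hours=utc_offset_hours))
    event_utc = (datetime.strptime(event_local, FMT)
                 .replace(tzinfo=local_tz)
                 .astimezone(timezone.utc))
    hits = {}
    for ts, rec in parse_w3c(log_text):
        if abs((ts - event_utc).total_seconds()) <= window_s:
            ip = rec.get("c-ip", "unknown")
            hits[ip] = hits.get(ip, 0) + 1
    return hits


if __name__ == "__main__":
    # Event Log entry at 13:45:05 local; the UTC-8 offset is an assumption.
    print(clients_near_event(SAMPLE_LOG, "2005-03-25 13:45:05", -8))
    # Offset ignored: nothing matches, the symptom described in the question.
    print(clients_near_event(SAMPLE_LOG, "2005-03-25 13:45:05", 0))
```

A fixed offset does not follow daylight-saving changes, so pass the offset that was in effect on the server at the time of the event.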