[cactuscrust]

I'm running IIS6 Windows2003, and as you'll see very quickly.. I'm pretty new to this stuff.
Lately I've been getting bombarded with login attempts.... sometimes several in the same second, and it can last for hours. The event viewer shows the following information for the failed login:

Logon Failure:
Reason: Unknown user name or bad password
User Name: Admin
Domain: AXXXXX
Logon Type: 8
Logon Process: IIS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: BXXXXX (my server's name)
Caller User Name: BXXXXX$
Caller Domain: AXXXXX (my domain)
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1812
Transited Services: -
Source Network Address: -
Source Port: -

I don't know much about the authentication process... but what is the significance of 'Logon Process: IIS' ? It seems to me that they're just trying to login into the server itself... like somebody would remotely log in to a server. Does this mean they're logging in to IIS itself? I'm confused.... Also, any advice on dealing with these attacks, or finding out useful information (like finding the ip address that its coming from) would be greatly appreciated.

[kenobewan]

Either they are programmatically trying to crack your admin account or bring your server down.

Don't have an admin account available through your application, operate on least privilege and capture data about them - IP etc. Lock accounts after three attempts. With IP you can also capture limit the number of requests from them and redirect them each time after that, for a certain time period if you wish. You may also want to check out your throttling and buffering methods.

IIS is involved whenever a web application is accessed, prior to the request reaching the application.