OK, I have a couple of servers in my home lab. I suppose it has a lot to do with the fact that I work with ConfigMgr and other server tools.
Additionally, I like using Remote Desktop to connect to and manage my machines; I suppose it has something to do with the fact that I once worked as a developer on the Terminal Services Client team.
And yes, I have a couple of ports open to the Internet. <I am now reconsidering this :^( >
Hack
Anyway, I was looking today at the performance of one of my machines and noticed that one of the Remote Desktop server processes was being accessed by someone in Germany. Germany?!!? What???
Something running on FastWebServer.de and Your-Server.de.
The network traffic was slow, not as fast as my active Remote Desktop session. What could it be? After some thought, I figured it could be someone attempting to log in with different credentials, perhaps using a bot to try one set after another. Um… OK
PowerShell
PowerShell to the rescue.
I used the Get-EventLog cmdlet to query the right log (Security) for the right event (4625, "An account failed to log on").
get-eventlog -log Security -InstanceId 4625 | Measure-Object
981 entries!! Youza!
Further analysis shows that entry #6 of the ReplacementStrings property (index 5, since the array is zero-based) holds the account name that was used in the logon attempt. A frequency analysis is in order:
PS E:\> get-eventlog Security -InstanceId 4625 | %{$_.ReplacementStrings[5]} | group | sort Count -Descending | select -first 10 Count,Name

Count Name
----- ----
  152 ADMINISTRATOR
  150 SUPPORT
  150 TEST
  150 ADMIN
  150 DEMO
  150 ROOT
    7 EDDIE
    7 SQLADMIN
    7 CAFE
    7 BILL
The names appear to be random, nothing specific to me, needless to say I have disabled the local administrator account, and begun other security measures.
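To take the frequency analysis one step further, here is an added PowerShell example (not from the original post) that groups the 4625 failures by source address and reports the accounts tried and the attempt rate per source. It relies on the 4625 ReplacementStrings layout (TargetUserName at index 5 as above, LogonType at 10, IpAddress at 19) and runs against constructed sample events in place of the live Security log.

```powershell
# Added example: summarise failed logons (event 4625) per source address.
# ReplacementStrings indices follow the 4625 event schema:
#   [5] TargetUserName (as used in the post), [10] LogonType, [19] IpAddress.
function Get-FailedLogonSummary {
    param(
        [Parameter(ValueFromPipeline = $true)] $Event,
        [int]$Threshold = 20          # flag a source with this many failures or more
    )
    begin { $rows = @() }
    process {
        $rs = $Event.ReplacementStrings
        $rows += [pscustomobject]@{
            Time      = $Event.TimeGenerated
            Account   = $rs[5]
            LogonType = $rs[10]
            Source    = if ($rs[19] -and $rs[19] -ne '-') { $rs[19] } else { 'unknown' }
        }
    }
    end {
        $rows | Group-Object Source | ForEach-Object {
            $times = @($_.Group.Time | Sort-Object)
            $span  = ($times[-1] - $times[0]).TotalMinutes
            [pscustomobject]@{
                Source     = $_.Name
                Failures   = $_.Count
                Accounts   = ($_.Group.Account | Sort-Object -Unique) -join ','
                LogonTypes = ($_.Group.LogonType | Sort-Object -Unique) -join ','
                First      = $times[0]
                Last       = $times[-1]
                PerMinute  = if ($span -gt 0) { [math]::Round($_.Count / $span, 1) } else { $_.Count }
                Suspicious = $_.Count -ge $Threshold
            }
        } | Sort-Object Failures -Descending
    }
}

# Constructed sample events so the function runs offline. On the real host (elevated) use:
#   Get-EventLog -LogName Security -InstanceId 4625 | Get-FailedLogonSummary
$base = Get-Date '2011-01-01 03:00:00'
$sample = foreach ($i in 0..29) {
    $rs = @('-') * 21                          # 4625 carries 21 replacement strings
    $rs[5]  = @('ADMINISTRATOR','ADMIN','TEST','ROOT')[$i % 4]
    $rs[10] = '10'                             # RemoteInteractive (RDP)
    $rs[19] = '203.0.113.7'                    # constructed TEST-NET-3 address
    [pscustomobject]@{ TimeGenerated = $base.AddSeconds(3 * $i); ReplacementStrings = $rs }
}
$rs = @('-') * 21; $rs[5] = 'eddie'; $rs[10] = '2'; $rs[19] = '192.168.1.20'   # one local typo
$sample += [pscustomobject]@{ TimeGenerated = $base.AddHours(5); ReplacementStrings = $rs }

$sample | Get-FailedLogonSummary | Format-Table -AutoSize
```

The burst of 30 failures from one address against four accounts in under two minutes is flagged, while the single local failure is not; the same output on a live host makes it easy to decide which sources to block at the firewall.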
But I thought the PowerShell was fun! :)