How to block hackers' logon attempts from inside my network
Hi guys, I originally noticed 10 logon attempts from all around the world to my server, then changed the port number for RDP in my router and SBS2003. I also changed the name of my domain administrator, but 10 minutes later the hacker knew what the name of my new administrator was and two other users within my AD. The logon attempts are now happening within the network, from my personal laptop, and are logon type 3. My laptop seems to be clear of viruses: firewall installed, updates, antispyware, etc. I would like to know how to go deep into this situation and stop these logon attempts once and for all. Any help would be much appreciated. Katherine
February 11th, 2011 6:58am

Do not put RDP on a public network, so basically do not create a NAT rule to point to RDP on your server.

Logon Type 3 means network logon; usually it means accessing shares and printers. So the event does not mean that your computer was hacked, it means that you accessed shares / printers from your computer. Example below (accessing a shared folder from a notebook):

    An account was successfully logged on.

    Subject:
        Security ID:            NULL SID
        Account Name:           -
        Account Domain:         -
        Logon ID:               0x0

    Logon Type:                 3

    New Logon:
        Security ID:            PROJECTENVISION\MBOOK$
        Account Name:           MBOOK$
        Account Domain:         PROJECTENVISION
        Logon ID:               0x1ee4c85
        Logon GUID:             {6a142534-cf9d-a851-5ac8-5b4fb648397c}

    Process Information:
        Process ID:             0x0
        Process Name:           -

    Network Information:
        Workstation Name:
        Source Network Address: 192.168.0.109
        Source Port:            23654

    Detailed Authentication Information:
        Logon Process:          Kerberos
        Authentication Package: Kerberos
        Transited Services:     -
        Package Name (NTLM only): -
        Key Length:             0

    This event is generated when a logon session is created. It is generated on the computer that was accessed.

    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

    The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
    - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.

With kind regards
Krystian Zieja
http://www.projectnenvision.com
February 11th, 2011 7:11am
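An added example, not code from this thread, that applies the reading of the 4624 fields given in the reply above: it parses the flattened event text, checks whether a Logon Type 3 event looks like routine share/printer access (Kerberos, RFC1918 source) or deserves a closer look, and counts repeats per account and source. The second event, the SID in it and the function names are constructed for illustration.

```python
import re
import ipaddress
from collections import Counter

# Logon Type codes named in the reply; 10 is the RDP logon type (not in the post, added here).
LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

EVENT_FROM_POST = (  # abridged from the 4624 message quoted in the reply
    r"An account was successfully logged on. Subject: Account Name: - Logon Type: 3 "
    r"New Logon: Security ID: PROJECTENVISION\MBOOK$ Account Name: MBOOK$ "
    r"Network Information: Workstation Name: Source Network Address: 192.168.0.109 "
    r"Source Port: 23654 Detailed Authentication Information: Logon Process: Kerberos"
)
CONSTRUCTED_EVENT = (  # constructed contrast case: named account, NTLM, non-RFC1918 source
    r"An account was successfully logged on. Subject: Account Name: - Logon Type: 3 "
    r"New Logon: Security ID: S-1-5-21-0-0-0-500 Account Name: Administrator "
    r"Network Information: Workstation Name: - Source Network Address: 198.51.100.23 "
    r"Source Port: 51100 Detailed Authentication Information: Logon Process: NtLmSsp"
)

def parse_4624(text):
    """Pull the triage-relevant fields out of a flattened 4624 message."""
    def field(pattern):
        m = re.search(pattern, text, re.S)
        return m.group(1).strip() if m else ""
    return {
        "logon_type": int(field(r"Logon Type:\s*(\d+)") or 0),
        # The second 'Account Name' belongs to New Logon, not to Subject.
        "account": field(r"New Logon:.*?Account Name:\s*(\S+)"),
        "source": field(r"Source Network Address:\s*(\S+)"),
        "logon_process": field(r"Logon Process:\s*(\S+)"),
    }

def classify(rec):
    """Separate routine share/printer access from logons worth a closer look."""
    try:
        ip = ipaddress.ip_address(rec["source"])
        internal = any(ip in net for net in RFC1918)
    except ValueError:          # '-' or blank source address
        internal = False
    if rec["logon_type"] == 3 and internal and rec["logon_process"] == "Kerberos":
        return "expected network logon (share/printer access)"
    if rec["logon_type"] == 3:
        return "network logon outside the usual pattern: review"
    return LOGON_TYPES.get(rec["logon_type"], "Unknown") + " logon: review"

def summarize(messages):
    """Count logons per (account, source, verdict) so repeats stand out."""
    return Counter((r["account"], r["source"], classify(r)) for r in map(parse_4624, messages))
```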

Hi Krystian, many thanks for your prompt reply, much appreciated! Katherine
February 11th, 2011 8:00am

On Fri, 11 Feb 2011 11:52:32 +0000, 54789katherine wrote:
> I also changed the name of my domain administrator but 10 minutes later the hacker knew what the name of my new administrator was and two other users within my AD.

Changing the name of an account doesn't change its SID or its GUID. Knowing either one of those makes it trivial to discover the name on the account.

---
Rich Matheisen
MCSE+I, Exchange MVP
February 11th, 2011 10:33pm

Hi, I quite agree with Krystian. The log doesn't mean my computer is hacked. Windows logs logon type 3 in most cases when you access a computer from elsewhere on the network. One of the most common sources of logon events with logon type 3 is connections to shared folders or printers. But other over-the-network logons are classed as logon type 3 as well, such as most logons to IIS.
February 16th, 2011 4:58am
