Allegro.cc Forums » Off-Topic Ordeals

Is this server box getting owned?
Chris Katko
Member #1,881
January 2002

There's this domain controller for a company, part of a higher up corporate VPN shared between all of their subsidiaries.

A UK company, with subs in USA, UK, and China. In their IT genius, they wanted everyone on the same network (shared with China!), with the same single server for all three zones NAV.

So there are two core servers. One, local in the USA--a domain controller. One in the UK--I think a top domain controller.

Thing is, this local server is running Windows Server 2003 (yay, exploits!). In the Event Log -> Security, there are hundreds (or thousands!) of failed security audits of "someone" trying to get into the box. They're trying various users (some on our network, some wildcard ones like "library" and "mail", and some aren't even our users). They don't have the passwords... or even if they did, those users aren't allowed to login to the server remotely (I think). The logins occur almost always 5 seconds apart and the audit log is full and rotated so I can't tell past the 23rd how long this attack has been running. They try with our domain name, and with a blank domain, every other attempt.

Problem is, the logon attempts have no IP addresses and ports. There was one that did, but it's from a different subnet. It didn't respond to ping, but I'm going to try a port scan tomorrow.

Thing is, how do I find out what's going on? I thought about disabling RDP completely, but a friend mentioned that if someone is running an attack they'll know that we know they're trying to get in and might try changing their attack.

I'm going to try Wireshark, but this server is pretty taxed to the limit (3 GB of RAM, 200 GB HDD almost full), so I might try throwing a hub in between the server and use it as a monitor port for an external computer to capture.

-----sig:
“Programs should be written for people to read, and only incidentally for machines to execute.” - Structure and Interpretation of Computer Programs
"Political Correctness is fascism disguised as manners" --George Carlin
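The post above describes the classic triage problem: thousands of failed-logon audits, a fixed spacing between attempts, the same account names tried with and without the domain, and no caller address in most records. The script below is an added example (not something from the thread or from Allegro.cc) that reads a tab-delimited export of a Windows Server 2003 Security log and summarises the failures per reporting workstation: which accounts were tried, how often the domain was blank, what the failure reason was, whether any record carried a network address at all, and whether the timing looks scripted. The sample export, host names, accounts and timestamps are all constructed for the example. It assumes the two 2003-era event IDs a defender would look at, 680 (account logon, NTLM authentication against the DC, which reports only a source workstation) and 529 (logon failure, which on 2003 can include a source network address), and the export column layout is a simplification of what Event Viewer writes.

```python
"""Summarise failed-logon audits from a Windows Server 2003 Security log export.

Added example for the thread above, not the poster's own tooling. The export
format here is a simplified tab-delimited layout (Date, Time, EventID,
Description); the records, hosts and accounts are constructed, not real.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: six NTLM failures relayed through a mail server 5 seconds
# apart, alternating blank domain and CORP domain, plus one RDP failure that
# does carry a source address. Nothing here comes from the original thread.
SAMPLE_EXPORT = """\
12/23/2014\t03:10:05\t680\tLogon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  Logon account: library  Source Workstation: MAIL01  Error Code: 0xC0000064
12/23/2014\t03:10:10\t680\tLogon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  Logon account: CORP\\library  Source Workstation: MAIL01  Error Code: 0xC0000064
12/23/2014\t03:10:15\t680\tLogon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  Logon account: mail  Source Workstation: MAIL01  Error Code: 0xC0000064
12/23/2014\t03:10:20\t680\tLogon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  Logon account: CORP\\mail  Source Workstation: MAIL01  Error Code: 0xC0000064
12/23/2014\t03:10:25\t680\tLogon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  Logon account: jsmith  Source Workstation: MAIL01  Error Code: 0xC000006A
12/23/2014\t03:10:30\t680\tLogon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  Logon account: CORP\\jsmith  Source Workstation: MAIL01  Error Code: 0xC000006A
12/23/2014\t08:41:12\t529\tLogon Failure:  Reason: Unknown user name or bad password  User Name: jdoe  Domain: CORP  Logon Type: 10  Logon Process: User32  Workstation Name: LAPTOP7  Source Network Address: 10.1.2.34  Source Port: 3389
"""

# NTSTATUS codes reported in event 680's "Error Code" field.
ERROR_CODES = {
    "0xC0000064": "user name does not exist",
    "0xC000006A": "bad password",
    "0xC0000234": "account locked out",
}

RE_680 = re.compile(
    r"Logon account:\s+(?P<account>\S+)\s+Source Workstation:\s+(?P<source>\S+)"
    r"\s+Error Code:\s+(?P<code>0x[0-9A-Fa-f]+)"
)
RE_529 = re.compile(
    r"User Name:\s+(?P<user>\S+)\s+Domain:\s+(?P<domain>\S*)\s+Logon Type:\s+(?P<ltype>\d+)"
    r".*?Workstation Name:\s+(?P<source>\S+)(?:\s+Source Network Address:\s+(?P<ip>\S+))?"
)


def parse_export(text):
    """Turn export lines into event dicts; unknown event IDs are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time_, event_id, desc = line.split("\t", 3)
        ev = {"ts": datetime.strptime(f"{date} {time_}", "%m/%d/%Y %H:%M:%S"),
              "event_id": int(event_id)}
        if ev["event_id"] == 680:
            m = RE_680.search(desc)
            if not m:
                continue
            domain, _, user = m["account"].rpartition("\\")  # "CORP\\user" or bare "user"
            ev.update(user=user, domain=domain, source=m["source"], ip=None,
                      reason=ERROR_CODES.get(m["code"], m["code"]))
        elif ev["event_id"] == 529:
            m = RE_529.search(desc)
            if not m:
                continue
            ev.update(user=m["user"], domain=m["domain"], source=m["source"],
                      ip=m["ip"], reason=f"logon type {m['ltype']}")
        else:
            continue
        events.append(ev)
    return events


def looks_scripted(timestamps, min_count=4, jitter=1.0):
    """True when most gaps between events sit within `jitter` seconds of the median gap."""
    if len(timestamps) < min_count:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    med = median(gaps)
    regular = sum(abs(g - med) <= jitter for g in gaps)
    return med > 0 and regular / len(gaps) >= 0.8


def summarise(events):
    """Per reporting workstation: volume, account spread, domain usage, reasons, timing."""
    by_source = defaultdict(list)
    for ev in events:
        by_source[ev["source"]].append(ev)
    report = {}
    for source, evs in by_source.items():
        report[source] = {
            "attempts": len(evs),
            "distinct_users": len({ev["user"].lower() for ev in evs}),
            "domains": dict(Counter(ev["domain"] or "<blank>" for ev in evs)),
            "reasons": dict(Counter(ev["reason"] for ev in evs)),
            "ip_known": any(ev["ip"] for ev in evs),  # False means look at the relaying host instead
            "scripted": looks_scripted([ev["ts"] for ev in evs]),
        }
    return report


if __name__ == "__main__":
    for source, info in summarise(parse_export(SAMPLE_EXPORT)).items():
        print(source, info)
```

The useful outcome is the `ip_known` flag: when every failure for a source is an event 680 with no address, the DC is only telling you which member server forwarded the authentication (here the constructed `MAIL01`), so the next place to look is that server's own service logs rather than the DC.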

furinkan
Member #10,271
October 2008

Normally I'd bash on windows here, but I kinda feel bad for you, so I won't.

Chris Katko
Member #1,881
January 2002

Ahaha... ha ... :(

I looked further into it. It looks like it's the mail server getting attacked, not remote desktop logins. And remote desktop is restricted to the administrators group. So things aren't as bad as I first thought.

However, this is a Windows 2003 box. XP. You can't even hit Windows Key + Left/Right Arrow to move windows around. So there's no telling how many live, unpatched exploits there are in the wild that can own this thing.

Meanwhile, I'm stuck diagnosing this strange problem. Exchange e-mails don't get delivered to two salesmen with iPhones in the field. It happened around the same time for both of them. But everyone else's iPhones (using the cell network!) are fine. I looked at their mailbox settings and they're identical. The active directory users are identical. They can also access their boxes from their LAPTOPS when they get home/to the hotel.

The only thing I've got left is:

- An iOS update to their specific models trashed them.
- Their inboxes are huge because they're sales people and are hitting some quota.
- 3rd-party software or a virus.
- Level 3 is their primary backhaul carrier for the area they're in, and because Level 3 is having a HUGE outage this week maybe mail isn't being properly routed yet.

furinkan
Member #10,271
October 2008

Now you have me nervously checking my auth.log files on my servers... :-[

EDIT:

Thanks to the paranoia you induced, I did find and fix a webhook issue. Thanks for that! ;D

Unfortunately, it seems my box is getting hammered as well. Not too hard, though. I'm not shocked.

The top few look like some test requests from when I set the user up.

I got hit by one domain (redacted) that scraped my site, and appears to have scanned me for vulnerable WordPress add-ons.

I'm not sure what the other hacker is supposed to be doing. Trying to install some proxy on my site so they can use my bandwidth?

https://www.allegro.cc/files/attachment/609728
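The second pattern in this post, one client walking through plugin paths that mostly return 404, is easy to pick out of a web server access log with a little grouping. The script below is an added example for this thread (not furinkan's screenshot or tooling) that parses combined-format access log lines and flags clients whose traffic is dominated by probes under typical WordPress paths with a high not-found ratio. The log lines, addresses and plugin names are constructed; the prefixes in `PROBE_PREFIXES` and the thresholds are assumptions you would tune for your own site.

```python
"""Flag access-log clients that behave like add-on scanners rather than readers.

Added example for the thread above; the log lines, IPs and plugin directory
names are constructed and do not correspond to any real site or scanner.
"""
import re
from collections import defaultdict

# Constructed combined-format lines: one client probing plugin directories and
# getting 404s, one client browsing normally.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [23/Dec/2014:02:11:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Dec/2014:02:11:02 +0000] "GET /wp-content/plugins/plugin-a/readme.txt HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Dec/2014:02:11:02 +0000] "GET /wp-content/plugins/plugin-b/readme.txt HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Dec/2014:02:11:03 +0000] "GET /wp-content/plugins/plugin-c/readme.txt HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Dec/2014:02:11:03 +0000] "GET /wp-content/plugins/plugin-d/readme.txt HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Dec/2014:02:11:04 +0000] "GET /xmlrpc.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.4 - - [23/Dec/2014:02:30:00 +0000] "GET /about HTTP/1.1" 200 3301 "-" "Mozilla/5.0"
198.51.100.4 - - [23/Dec/2014:02:30:01 +0000] "GET /images/logo.png HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
198.51.100.4 - - [23/Dec/2014:02:30:09 +0000] "GET /wp-content/plugins/plugin-a/readme.txt HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Assumed path prefixes that readers of an ordinary site rarely request directly.
PROBE_PREFIXES = ("/wp-content/plugins/", "/wp-admin/", "/xmlrpc.php")


def parse_access_log(text):
    """Yield (ip, path, status) for each line the regex understands."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], m["path"], int(m["status"])


def classify_clients(text, min_probes=4, min_404_ratio=0.5):
    """Group requests by client and flag scanner-like behaviour.

    A client is flagged when it requested at least `min_probes` distinct probe
    paths and at least `min_404_ratio` of all its requests returned 404.
    """
    stats = defaultdict(lambda: {"requests": 0, "not_found": 0, "probe_paths": set()})
    for ip, path, status in parse_access_log(text):
        s = stats[ip]
        s["requests"] += 1
        if status == 404:
            s["not_found"] += 1
        if path.startswith(PROBE_PREFIXES):
            s["probe_paths"].add(path)
    result = {}
    for ip, s in stats.items():
        ratio = s["not_found"] / s["requests"]
        result[ip] = {
            "requests": s["requests"],
            "not_found": s["not_found"],
            "distinct_probes": len(s["probe_paths"]),
            "flag": len(s["probe_paths"]) >= min_probes and ratio >= min_404_ratio,
        }
    return result


if __name__ == "__main__":
    for ip, info in classify_clients(SAMPLE_ACCESS_LOG).items():
        print(ip, info)
```

Requiring both conditions matters: a single stale link to a removed plugin file (the second client's last line) produces one 404 and should not trip the rule, while a client that fans out across many plugin directories in a couple of seconds is worth blocking or at least watching.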
