You should never have ports 137, 138, 139 enabled on the outside of your firewall.
 
TechNet article [Q174073] will define the various logon types.
 
Logon Type
----------
 
"Logon Type" will be one of the following:
 
2 Interactive
3 Network
4 Batch
5 Service
6 Proxy
7 Unlock Workstation
(0 & 1 are invalid)
 
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 18, 2001 8:34 PM
To: [EMAIL PROTECTED]
Subject: unknown attacker at NT server 4.0

Hi. Everyone.
 
Nowadays an unknown user accesses my NT server. The NT server's name is NT_DD and its version is 4.0.
This is the security log.
 
 [ Jan 16  12:22 ]
  Logon Failure:
  cause:  unknown user or icorrect passwd
  user name: PC19
  domain:  SANY
  logon type: 3
  logon process: KSecDD
  authentican package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  workstaion name: \\PC19
 
  [ Jan 18 4:22 ]
  Logon Failure:
  cause:  unknown user or icorrect passwd
  user name: Administrator
  domain:  NT_DD
  logon type: 7
  logon process: User32  
  authentication package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  workstation name: NT_DD
 
[question 1]
How can I know the IP of the attacker with only the workstation name or domain?

[question 2]
What is the difference between KSecDD and User32 in logon process?

[question 3]
What are logon types 3 and 7?

[question 4]
I think that I can defend against the attack by not routing ports 137, 138, 139 UDP (TCP) from outside.
Is it right?
 
Have a nice day!!
