Two problems really in this post; the second is critical.
1. Every hour, something tries to log in using the Administrator account. I've tracked it down to be a file server on our LAN called serverA.
Security log details
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 04/06/2008
Time: 21:26:12
User: NT AUTHORITY\SYSTEM
Computer: ServerX
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SKINNER
Caller User Name: SKINNER$
Caller Domain: THAP
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 4428
Transited Services: -
Source Network Address: -
Source Port: -
From the SMTP log below, the server starts a conversation and then quits. The caller process is inetinfo.exe.
The server in question is a very simple 2k3 file server. It has almost no services running on it apart from the basics and no local user accounts, and I've run a full virus check and spyware check too, although there is no software installed on it apart from the UPS and antivirus. It also has no ports open through the firewall.
2. Much more worrying, looking at the logs last night, somebody has been trying every password possible against the Exchange server.
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 04/06/2008
Time: 23:40:28
User: NT AUTHORITY\SYSTEM
Computer: ServerX
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: sales
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SKINNER
Caller User Name: SKINNER$
Caller Domain: THAP
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 4428
Transited Services: -
Source Network Address: -
Source Port: -
The Exchange server has ports 25, 80 and 443 open. How are they connecting to it to attempt to hack the passwords? OWA?
The attack seems to be coming from 72.166.142.50, which traces back to a broadband supplier, so I assume it's a virus/bot-infested zombie.
Is there anything I can do to stop this happening, as it results in the Administrator account being locked out, and I'd really rather not get hacked.
Screenshots below.
P.S. This isn't my day job. I'm a developer, but there are only 5 of us here, so we all have to multitask.
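The two events quoted above share the same shape: Event ID 529, Logon Type 3, Logon Process Advapi, the same caller process ID, and a blank Source Network Address. The following added script (written for this thread, not code from the poster or from Microsoft) parses that text layout and separates the two patterns described: a burst of failures across many user names from one caller process, and a single account failing at a fixed interval. All events beyond the two quoted ones are constructed, the hourly Administrator times and the extra guessed user names are invented for the sample, and the date is read as DD/MM/YYYY (an assumption).

```python
"""Parse Windows Server 2003 Event ID 529 audit-failure text and flag two
patterns: many-user guessing bursts and single-account periodic failures.
Added example; events other than the two quoted in the post are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Field layout copied from the post; only {time} and {user} vary per event.
EVENT_TEMPLATE = """\
Event Type: Failure Audit
Event ID: 529
Date: 04/06/2008
Time: {time}
Computer: ServerX
Reason: Unknown user name or bad password
User Name: {user}
Domain:
Logon Type: 3
Logon Process: Advapi
Workstation Name: SKINNER
Caller User Name: SKINNER$
Caller Process ID: 4428
Source Network Address: -
"""

# Constructed sample log: hourly Administrator failures around the 21:26:12
# event from the post, then a burst of guesses starting at the 23:40:28
# 'sales' event from the post (the extra user names are made up).
SAMPLE_PAIRS = [("%02d:26:12" % h, "Administrator") for h in (19, 20, 21, 22)]
SAMPLE_PAIRS += [("23:40:%02d" % s, u) for s, u in zip(range(28, 35),
    ["sales", "sales", "sales", "admin", "test", "guest", "marketing"])]
SAMPLE_LOG = "\n".join(EVENT_TEMPLATE.format(time=t, user=u)
                       for t, u in SAMPLE_PAIRS)


def parse_events(text):
    """Split the exported text into 'Key: Value' blocks; keep only ID 529."""
    events = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields.get("Event ID") != "529":
            continue
        # Assumption: the export uses day/month/year.
        fields["when"] = datetime.strptime(
            fields["Date"] + " " + fields["Time"], "%d/%m/%Y %H:%M:%S")
        events.append(fields)
    return events


def caller_key(e):
    # The local caller: host, calling process, and the workstation name it
    # presented. Source Network Address is '-' for these Advapi logons, so the
    # remote client has to be taken from the calling service's own log
    # (for inetinfo.exe, the SMTP/IIS logs the poster mentions).
    return (e.get("Computer"), e.get("Caller Process ID"),
            e.get("Workstation Name"))


def find_bursts(events, window=timedelta(seconds=60), threshold=5):
    """Report, per caller, the densest window holding >= threshold failures."""
    groups = defaultdict(list)
    for e in events:
        groups[caller_key(e)].append(e)
    alerts = []
    for key, evs in groups.items():
        evs.sort(key=lambda e: e["when"])
        start, best = 0, None
        for end in range(len(evs)):
            while evs[end]["when"] - evs[start]["when"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["failures"]):
                span = evs[start:end + 1]
                best = {"computer": key[0], "caller_pid": key[1],
                        "first": span[0]["when"], "last": span[-1]["when"],
                        "failures": count,
                        "users": sorted({e["User Name"] for e in span}),
                        "network_source_known": any(
                            e.get("Source Network Address", "-") != "-"
                            for e in span)}
        if best:
            alerts.append(best)
    return alerts


def find_periodic(events, min_events=3, min_period=timedelta(minutes=5),
                  tolerance=timedelta(minutes=2)):
    """One account failing at a near-constant interval from one caller looks
    like a stored credential (service, scheduled task, mapped drive) rather
    than guessing; report the user, caller and period."""
    by_user = defaultdict(list)
    for e in events:
        by_user[(e["User Name"],) + caller_key(e)].append(e["when"])
    findings = []
    for key, times in by_user.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if min(gaps) >= min_period and max(gaps) - min(gaps) <= tolerance:
            findings.append({"user": key[0], "caller_pid": key[2],
                             "period": sum(gaps, timedelta()) / len(gaps),
                             "count": len(times)})
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for a in find_bursts(evs):
        print("burst: %d failures from PID %s on %s, users %s; remote address "
              "in 529: %s" % (a["failures"], a["caller_pid"], a["computer"],
              ", ".join(a["users"]),
              "yes" if a["network_source_known"] else "no, check service log"))
    for p in find_periodic(evs):
        print("periodic: %s fails every %s from PID %s (%d events)"
              % (p["user"], p["period"], p["caller_pid"], p["count"]))
```

On the sample, the burst detector reports one alert (seven failures across five user names from PID 4428 with no remote address in the 529 event), and the periodic detector reports Administrator failing once an hour from the same caller. That split matters for the response: a periodic single-account failure from a LAN host points at a stored credential on that host to find and fix, while a many-user burst from the SMTP service process points at authentication exposed on port 25, with the client address only recoverable from the SMTP log.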