RE: Security log errors 529, store.exe
- From: "Alex Persky" <alexvi@xxxxxxxxxxxxxx>
- Date: Wed, 7 Nov 2007 11:22:29 +1100
Hi
We're periodically getting series of 529 errors in the security log on a
Windows 2003 SBS. Usually they come as 2-10-40 logon attempts within 2-3
minutes, never on weekends, which suggests someone is periodically trying to
hack in, every couple of days.
Here's a sample event
Event ID: 529
Computer: SERVER
Category: logon/logoff
Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER
Caller User Name: SERVER$
Caller Domain: (a proper SBS's domain name here)
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 4180
Transited Services: -
Source Network Address: -
Source Port: -
The PID belongs to store.exe (= Exchange).
We used to experience similar series of 529 errors before with the caller
process inetinfo.exe, which we figured out were related to someone trying to
authenticate to our SMTP with usernames like webmaster, info, guest,
administrator. These attempts were effectively stopped after we disabled all
authentication on the SMTP virtual server except Anonymous access (for
those who legitimately submit their mail in).
But this time we're getting similar logon failures logged by store.exe! The
only services published (i.e. accessible from outside) are IMAP, SMTP and
POP3, and also OWA (Outlook Web Access) and the website. I've found nothing
relevant in the SMTP and web logs. Unsuccessful POP3 logons don't generate such
events.
The question is: how are they doing this? What kind of hole in our system
could possibly exist?
And finally we would like to find an IP address of whoever is doing this.
Please don't suggest:
1. restart the server -- we restart it regularly
2. boot it into the safe mode -- we can't afford any interruptions to the
work of the system, too much depends on it
3. change the administrator password to a better one, introduce policies to
force the users to change them regularly -- we already have very good and
very long passwords.
Thank you
Alex
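The kind of triage the post describes (bursts of Event ID 529, grouped by the caller process so the PID can be mapped to store.exe or inetinfo.exe, with a check for whether the event carries a client address at all) can be scripted over an exported security log. The script below is an added example, not code from the thread or from Microsoft; the events in SAMPLE_LOG are constructed in the key/value layout the post shows, with a Date line added per event, and the PID-to-process mapping in PID_NAMES is an assumption for the sample rather than something taken from the poster's server.

```python
"""Burst detection for Windows Event ID 529 (logon failure) by caller process.

Added example, not part of the original thread.  Input is an export in the
"Key: Value" layout shown in the post, one blank line between events, with a
"Date:" line added so the events can be ordered in time.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not real log output.  PID 4180 plays store.exe and
# PID 1200 a hypothetical inetinfo.exe; the last event is a successful
# interactive logon (528) that the detector must ignore.
SAMPLE_LOG = """\
Date: 2007-11-06 09:15:02
Event ID: 529
User Name: administrator
Logon Type: 3
Logon Process: Advapi
Caller User Name: SERVER$
Caller Process ID: 4180
Source Network Address: -

Date: 2007-11-06 09:15:40
Event ID: 529
User Name: administrator
Logon Type: 3
Logon Process: Advapi
Caller User Name: SERVER$
Caller Process ID: 4180
Source Network Address: -

Date: 2007-11-06 09:16:55
Event ID: 529
User Name: administrator
Logon Type: 3
Logon Process: Advapi
Caller User Name: SERVER$
Caller Process ID: 4180
Source Network Address: -

Date: 2007-11-06 14:40:00
Event ID: 529
User Name: webmaster
Logon Type: 3
Logon Process: Advapi
Caller User Name: SERVER$
Caller Process ID: 1200
Source Network Address: 192.0.2.7

Date: 2007-11-06 18:05:12
Event ID: 528
User Name: alex
Logon Type: 2
Logon Process: User32
Caller User Name: -
Caller Process ID: 900
Source Network Address: -
"""

# Assumed mapping from Caller Process ID to image name; on a live system this
# comes from the task list at the time the events were logged.
PID_NAMES = {4180: "store.exe", 1200: "inetinfo.exe"}


def parse_events(text):
    """Split the export into events; each becomes a dict of its fields plus
    a parsed datetime under the private key '_time'."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # split on first colon only
            fields[key.strip()] = value.strip()
        fields["_time"] = datetime.strptime(fields["Date"], "%Y-%m-%d %H:%M:%S")
        events.append(fields)
    return events


def _summarize(pid, user, run):
    """Describe one burst: who was targeted, from which process, and whether
    any of the events actually carried a client address."""
    addrs = {e.get("Source Network Address", "-") for e in run}
    return {
        "pid": pid,
        "process": PID_NAMES.get(pid, "unknown"),
        "user": user,
        "count": len(run),
        "start": run[0]["_time"],
        "end": run[-1]["_time"],
        "source_addresses": sorted(a for a in addrs if a != "-"),
    }


def find_bursts(events, window=timedelta(minutes=3), min_count=2):
    """Keep only 529 events, group them by (caller PID, target user), and
    split each group into runs whose first-to-last spread fits in `window`.
    Runs shorter than `min_count` are dropped as isolated typos."""
    groups = defaultdict(list)
    for ev in events:
        if ev.get("Event ID") != "529":
            continue
        groups[(int(ev["Caller Process ID"]), ev["User Name"])].append(ev)

    bursts = []
    for (pid, user), evs in groups.items():
        evs.sort(key=lambda e: e["_time"])
        run = [evs[0]]
        for ev in evs[1:]:
            if ev["_time"] - run[0]["_time"] <= window:
                run.append(ev)
            else:
                if len(run) >= min_count:
                    bursts.append(_summarize(pid, user, run))
                run = [ev]
        if len(run) >= min_count:
            bursts.append(_summarize(pid, user, run))
    return bursts


if __name__ == "__main__":
    for b in find_bursts(parse_events(SAMPLE_LOG)):
        where = ", ".join(b["source_addresses"]) or "no client address in event"
        print(f"{b['count']} failures for '{b['user']}' via {b['process']} "
              f"(PID {b['pid']}) {b['start']:%H:%M:%S}-{b['end']:%H:%M:%S}: {where}")
```

With the sample data the only burst is the three administrator failures from PID 4180 inside two minutes, reported with no client address; a group whose events all show "Source Network Address: -" is exactly the case the post hits, and the empty `source_addresses` list is the signal that the IP has to come from the logs of whichever service the PID maps to rather than from the security log itself.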