Re: Security log errors 529, store.exe
- From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@xxxxxxxxxxx>
- Date: Tue, 06 Nov 2007 16:42:19 -0800
"These attempts were effectively stopped after we disabled all authentication to the SMTP virtual service except Anonymous access (for those who legitimately submit their mail in"
Exactly what did you change there? Not sure I understand the setting you changed.
www.exchangedefender.com
Put mail filtering in front of the server, and close port 25 so it only responds to the servers www.exchangedefender.com forwards from.
Unless that POP3 is SSL-based POP3, you are transferring that username/password in clear text.
If you have ports, people will bang on them.
You said it yourself... you have all the email ports open. They are knocking. They want to guess/see if you have a sucky password.
As far as the IP you'll need to track this back through to your firewall logs.
Alex Persky wrote:
Hi.
We're periodically having series of errors 529 in the security log on a Windows 2003 SBS. Usually they come as 2-10-40 logon attempts within 2-3 minutes, never on weekends, which suggests someone's periodically trying to hack in, every couple of days.
Here's a sample event
Event ID: 529
Computer: SERVER
Category: logon/logoff
Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER
Caller User Name: SERVER$
Caller Domain: (a proper SBS's domain name here)
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 4180
Transited Services: -
Source Network Address: -
Source Port: -
The PID belongs to store.exe (= Exchange).
We used to experience similar series of 529 errors before with caller process inetinfo.exe, which we figured out were related to someone trying to authenticate to our SMTP with usernames like webmaster, info, guest, administrator. These attempts were effectively stopped after we disabled all authentication to the SMTP virtual service except Anonymous access (for those who legitimately submit their mail in).
But this time we're getting similar logon failures logged by store.exe! The only services published (i.e. accessible from outside) are IMAP, SMTP and POP3, and also OWA (Outlook Web Access) and the website. I've found nothing relevant in the SMTP and web logs. POP3 unsuccessful logons don't generate such events.
The question is: how are they doing this? What kind of hole in our system could possibly exist?
And finally we would like to find an IP address of whoever is doing this.
Please don't suggest:
1. restart the server -- we restart it regularly
2. boot it into the safe mode -- we can't afford any interruptions to the work of the system, too much depends on it
3. change the administrator password to a better one, introduce policies to force the users to change them regularly -- we already have very good and very long passwords.
Thank you
Alex
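The "2-10-40 attempts within 2-3 minutes" pattern from the post, turned into a small detector as an added example (not code from either poster): it assumes a constructed tab-separated dump of Security-log lines (date/time, event id, description) whose description text carries the field names from the sample event, groups 529 failures per caller PID, and notes when the event recorded no source address, which is the case in the sample and why the IP has to be traced elsewhere.

```python
"""Burst detector for Windows 2003 Security-log Event ID 529 records (added
example, not from the thread). Input is a constructed tab-separated dump
(date/time, event id, description); field names follow the post's sample."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FIELD_RE = re.compile(r"(User Name|Logon Type|Caller Process ID|Source Network Address):\s*(\S+)")
# Constructed sample: a burst from PID 4180 (store.exe in the post), one lone
# 4180 failure hours later, and two from another PID (below the threshold).
SAMPLE_DUMP = """\
2007-11-06 09:14:02\t529\tUser Name: administrator Logon Type: 3 Caller Process ID: 4180 Source Network Address: -
2007-11-06 09:14:31\t529\tUser Name: webmaster Logon Type: 3 Caller Process ID: 4180 Source Network Address: -
2007-11-06 09:15:10\t529\tUser Name: info Logon Type: 3 Caller Process ID: 4180 Source Network Address: -
2007-11-06 09:16:05\t529\tUser Name: guest Logon Type: 3 Caller Process ID: 4180 Source Network Address: -
2007-11-06 13:40:12\t529\tUser Name: jsmith Logon Type: 3 Caller Process ID: 4180 Source Network Address: -
2007-11-06 13:41:00\t529\tUser Name: administrator Logon Type: 3 Caller Process ID: 1512 Source Network Address: 192.0.2.10
2007-11-06 13:41:20\t529\tUser Name: root Logon Type: 3 Caller Process ID: 1512 Source Network Address: 192.0.2.10
"""

def parse_dump(text, event_id="529"):
    # One dict per matching line: the description's fields plus a datetime.
    events = []
    for line in text.splitlines():
        when, eid, desc = line.split("\t", 2)
        if eid == event_id:
            ev = dict(FIELD_RE.findall(desc))
            ev["when"] = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
            events.append(ev)
    return events

def find_bursts(events, window=timedelta(minutes=3), threshold=3):
    """Per caller PID, chain events within `window` of a group's first event; groups of >= threshold are bursts."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["Caller Process ID"]].append(ev)
    bursts = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["when"])
        groups = [[evs[0]]]
        for ev in evs[1:]:
            if ev["when"] - groups[-1][0]["when"] <= window:
                groups[-1].append(ev)
            else:
                groups.append([ev])
        for g in (g for g in groups if len(g) >= threshold):
            bursts.append({"pid": pid, "count": len(g), "start": g[0]["when"],
                           "end": g[-1]["when"], "users": sorted({e["User Name"] for e in g}),
                           # "-" means LSA logged no client address: the IP must come from the calling service or firewall
                           "source_known": any(e["Source Network Address"] != "-" for e in g)})
    return bursts
```

With the sample, only PID 4180 produces a burst; the lone 13:40 failure and the two PID 1512 events fall below the threshold, and the burst carries no source address, matching the post's event.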