Re: Yikes! Is this a security issue I need to worry about?

I looked into similar events on a client's system this morning. I think the break-in attempt is trying to authenticate during an SMTP connection, looking for a valid username/password. The user names tried were things like admin, root, test, info, sales, guest, etc. Enabling SMTP logging should verify the details. I just enabled the logging this morning, so I don't yet have proof this is the source, but I found a number of similar reports when searching. Those reports indicated that ADVAPI is the logon process used to validate SMTP authentication requests.

"tcv" <thecomputervalet@xxxxxxxxx> wrote in message news:97bb4817-e0bd-490b-919b-4bbf0842afc8@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Apr 19, 7:40 pm, Susan Bradley <sbrad...@xxxxxxxxxxx> wrote:
Bill Sanderson wrote:
> I don't have a lot of depth in this stuff, but here's what I'm reading:

> Logon type 3 is a logon across a network.

> Advapi indicates a logon handled through IIS.

> So--IIS is active on this box?

> Is the IP dynamic, or fixed?

> "tcv" <thecomputerva...@xxxxxxxxxxx> wrote in message
>news:Xns9A856049E1EA5thecomputervaletgeem@xxxxxxxxxxxxxxxx
>> I found this occurring 60+ times last night. The server is publicly
>> accessible through LogMeIn. It also is behind a SonicWall that has VPN
>> setup with Radius Authentication.

>> Reason: Unknown user name or bad password
>> User Name: !@#$
>> Domain:
>> Logon Type: 3
>> Logon Process: Advapi
>> Authentication Package: Negotiate
>> Workstation Name: SERVER
>> Caller User Name: SERVER$
>> Caller Domain: [REDACTED]
>> Caller Logon ID: (0x0,0x3E7)
>> Caller Process ID: 1508
>> Transited Services: -
>> Source Network Address: -
>> Source Port: -

>> Cheers,

>> m

It's an SBS box... of course IIS is working :-)

What ports do you have open? If 25 it's just someone banging on the port.

Yes, 25 is open. Why would it say advapi and not, say, SMTP?

I also misstated the original attempts. It was 160+
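A defender-side check for the pattern this thread converges on, added here as an example and not posted by anyone in the thread: it parses event bodies in the field layout quoted above, picks out type-3 failures validated through Advapi and called by the machine account (SERVER$), and counts the usernames tried so a burst like the 160+ events reported can be flagged. The sample events, the subset of fields used and the alert threshold are constructed assumptions.

```python
from collections import Counter

# Constructed sample in the field layout quoted in the thread (not the poster's
# real events): two Advapi/SERVER$ failures plus one workstation logon failure.
SAMPLE_EVENTS = """\
User Name: admin
Logon Type: 3
Logon Process: Advapi
Caller User Name: SERVER$

User Name: root
Logon Type: 3
Logon Process: Advapi
Caller User Name: SERVER$

User Name: jdoe
Logon Type: 3
Logon Process: NtLmSsp
Caller User Name: -
"""

def parse_events(text):
    """Split blank-line-separated event bodies into {field: value} dicts."""
    events, current = [], {}
    for line in map(str.strip, text.splitlines() + [""]):
        if not line:
            if current:
                events.append(current)
            current = {}
            continue
        field, sep, value = line.partition(":")
        if sep:
            current[field.strip()] = value.strip()
    return events

def is_service_validated_failure(ev):
    """Fingerprint from the thread: a type-3 failure validated through Advapi
    and called by the machine account (name ends in '$'), i.e. a service such
    as SMTP checked the credentials rather than a workstation logging on."""
    return (ev.get("Logon Type") == "3"
            and ev.get("Logon Process", "").lower() == "advapi"
            and ev.get("Caller User Name", "").endswith("$"))

def summarize(text, threshold=2):
    # Count matching failures and the usernames tried; alert past threshold.
    probes = [e for e in parse_events(text) if is_service_validated_failure(e)]
    names = Counter(e.get("User Name", "?") for e in probes)
    return {"count": len(probes), "usernames": dict(names),
            "alert": len(probes) >= threshold}
```

Feed it the text of exported Security-log failure events; a long run of distinct common usernames behind the same SERVER$ caller is the signature the posters describe, and the SMTP protocol log then supplies the source address the event itself omits.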
