Re: Login Errors Seem to indicate we are being hacked?
- From: Siv <Siv@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 13 Sep 2008 14:16:01 -0700
Teneo,
Thanks, I have turned off the one I turned on previously and have now
switched on the version you mentioned.
I selected "Date", "Time", "Client IP Address", "User Name", "Server Name",
"Server IP Address", "Server Port", "Host" and "Referrer" as the logging
options.
I also left it on the "W3C Extended Log File Format" as this was the default;
presumably this is a plain text format, or should I pick a different option?
As you can probably tell I have never done this before!
Siv
--
Martley, Near Worcester, UK
"Teneo" wrote:
Sorry Siv, maybe I should have been a bit more specific.
What you have done would only report on your Exchange diagnostics. You need
to switch on logging for SMTP at the 'Default SMTP Virtual Server' (under
Protocols in ESM).
This will create logs in C:\windows\system32\logfiles\smtpsvc1
When you check logging you can then click properties and advanced to detail
what you would like recorded.
Sending is by default via port 25; not advisable to change, but if you wish
to review:
http://www.google.co.uk/search?hl=en&q=port+exchange+smarthost&meta=
"Siv" <Siv@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:68FCF523-350A-4CFF-A0D0-8D790C2267F0@xxxxxxxxxxxxxxxx
Teneo,
I have turned on diagnostic logging on SMTP.
Just to be sure I have understood you: I right-clicked the server name in
Exchange System Manager and selected "Properties", then selected the
"Diagnostic Logging" tab, then clicked "MSExchangeTransport", then in the
right-hand pane selected "SMTP Protocol" and set the logging level to "Medium"
using the radio buttons along the bottom of the dialog and clicked "OK" to
finish.
I assume the logging will appear in the "Application Log"? Is the "Medium"
setting high enough to get the IP addresses?
On a side issue, we use a smarthost to send outbound email; does this mean
we could turn something off on our own SMTP server to stop the devils from
trying to log into our SMTP server, or is that not possible?
Siv
--
Martley, Near Worcester, UK
"Teneo" wrote:
Hi Siv, the key here is MICROSOFT_AUTHENTICATION_PACKAGE_V1_0.
This is an attempt on your email / port 25 system, to use you as a relay.
Switch on SMTP logging and in the logs you will find the IP to block, if you
wish to investigate.
Hope it helps.
"Siv" <Siv@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:60D337F0-493E-443E-88B1-116ADF2BB5D8@xxxxxxxxxxxxxxxx
Hi,
In the logs this morning for one of my clients I have had about 500 failed
logins in the Security logs. I looked at the Security Event Log and filtered
for failures and there were hundreds of attempts in very quick succession,
some using the same user name (and presumably different passwords) and then
loads of different user names one after the other, which sounds like a brute
force attempt to gain access.
We use very strong passwords so I am not worried they will have got in, but
I would like to ascertain how they were doing it, as no IP addresses were
quoted so they weren't getting in via the net (unless they were somehow
hiding their IP address). The typical log entry looks like this:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 12/09/2008
Time: 12:29:41
User: NT AUTHORITY\SYSTEM
Computer: SERVER01
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: pentium
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER01
Caller User Name: SERVER01$
Caller Domain: MOUNTAINASH
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1692
Transited Services: -
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
How do you interrogate the above entry into a meaningful explanation of how
they were logging in? I.e. what is a logon type 3, and what do the Caller
Logon ID and Process ID tell me?
Any help appreciated.
Siv
--
Martley, Near Worcester, UK
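As an added example (not code from the thread), here is a Python script that does the two things the thread circles around: it picks apart the event 529 record Siv pasted, and it reads a W3C Extended log of the kind the Default SMTP Virtual Server writes under smtpsvc1 to count rejected AUTH attempts per client IP and line them up with the event's timestamp. The reason the Security event carries no address is visible in its own fields: Logon Process "Advapi" with caller SERVER01$ in logon session 0x3E7 (the SYSTEM session) means a local service called LogonUser() to check a password it had been handed over the wire, so the event records the service, not the remote client, and the SMTP log is where the client IP lives. The sample log lines are constructed. The column set assumes that Method, URI Query and Protocol Status are also ticked in the Advanced logging dialog (without them the log shows who connected but not what they sent); the script also assumes the server is on UK time (BST, UTC+1) while W3C entries are written in UTC, and that the event's date is in day/month/year order as pasted.

```python
"""Correlate a Windows event 529 record with an IIS SMTP W3C extended log."""
import re
from collections import Counter
from datetime import datetime, timedelta

# The event record as pasted in the thread (raw string: backslash in the User field).
EVENT_529 = r"""Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 12/09/2008
Time: 12:29:41
User: NT AUTHORITY\SYSTEM
Computer: SERVER01
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: pentium
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER01
Caller User Name: SERVER01$
Caller Domain: MOUNTAINASH
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1692
Transited Services: -
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
"""

# Constructed sample SMTP log. Times are UTC (12:29:41 BST == 11:29:41 UTC).
# Column layout is an assumption: cs-method = SMTP verb, cs-uri-query = its
# argument, sc-status = the server's reply code (535 = bad credentials).
SMTP_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-09-12 11:29:00
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-query sc-status
2008-09-12 11:29:38 203.0.113.45 - SMTPSVC1 SERVER01 192.0.2.10 25 EHLO +pentium 250
2008-09-12 11:29:39 203.0.113.45 - SMTPSVC1 SERVER01 192.0.2.10 25 AUTH LOGIN 334
2008-09-12 11:29:41 203.0.113.45 pentium SMTPSVC1 SERVER01 192.0.2.10 25 AUTH - 535
2008-09-12 11:29:42 203.0.113.45 - SMTPSVC1 SERVER01 192.0.2.10 25 AUTH LOGIN 334
2008-09-12 11:29:43 203.0.113.45 pentium SMTPSVC1 SERVER01 192.0.2.10 25 AUTH - 535
2008-09-12 11:29:44 203.0.113.45 - SMTPSVC1 SERVER01 192.0.2.10 25 AUTH LOGIN 334
2008-09-12 11:29:45 203.0.113.45 john SMTPSVC1 SERVER01 192.0.2.10 25 AUTH - 535
2008-09-12 11:30:10 198.51.100.7 - SMTPSVC1 SERVER01 192.0.2.10 25 EHLO +smarthost.example.net 250
2008-09-12 11:30:11 198.51.100.7 - SMTPSVC1 SERVER01 192.0.2.10 25 AUTH LOGIN 334
2008-09-12 11:30:12 198.51.100.7 admin SMTPSVC1 SERVER01 192.0.2.10 25 AUTH - 535
2008-09-12 11:31:00 203.0.113.45 - SMTPSVC1 SERVER01 192.0.2.10 25 QUIT - 221
"""

LOGON_TYPES = {"2": "Interactive", "3": "Network", "4": "Batch", "5": "Service",
               "7": "Unlock", "8": "NetworkCleartext", "9": "NewCredentials",
               "10": "RemoteInteractive", "11": "CachedInteractive"}


def parse_event(text):
    """Split the 'Name: value' lines of an event description into a dict.
    Blank values (e.g. 'Domain:') are kept as '' so the caller can tell that
    the field was present but empty; the help URL line is skipped."""
    fields = {}
    for line in text.splitlines():
        if "://" in line or ":" not in line:
            continue
        name, _, value = line.partition(":")
        fields[name.strip()] = value.strip()
    return fields


def explain_event(fields, utc_offset_hours=1):
    """Reduce the raw fields to what matters for this investigation.
    utc_offset_hours is an assumption (UK in September = BST, UTC+1)."""
    local = datetime.strptime(fields["Date"] + " " + fields["Time"],
                              "%d/%m/%Y %H:%M:%S")
    return {
        "when_utc": local - timedelta(hours=utc_offset_hours),
        "user": fields["User Name"],
        "logon_type": LOGON_TYPES.get(fields["Logon Type"], "Unknown"),
        # Advapi with the caller in session 0x3E7 (SYSTEM): a local service
        # called LogonUser() itself to validate a password it was handed.
        "local_service_logon": fields["Logon Process"] == "Advapi"
            and fields["Caller Logon ID"] == "(0x0,0x3E7)",
        # The service did the check, so the event has no client address.
        "source_ip_recorded": fields["Source Network Address"] != "-",
    }


def parse_w3c(text):
    """Parse W3C Extended Log Format: '#Fields:' names the columns, entries
    are space separated, '-' means empty. Malformed lines are dropped."""
    columns, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            columns = line.split()[1:]
        elif line.startswith("#") or not line.strip() or columns is None:
            continue
        else:
            values = line.split()
            if len(values) != len(columns):
                continue  # damaged line; do not guess at its columns
            row = dict(zip(columns, values))
            row["ts"] = datetime.strptime(row["date"] + " " + row["time"],
                                          "%Y-%m-%d %H:%M:%S")
            rows.append(row)
    return rows


def _rejected_auth(row):
    return row["cs-method"] == "AUTH" and row["sc-status"].startswith("5")


def failed_auth_by_ip(rows):
    """Count AUTH attempts the server rejected, per client IP."""
    return Counter(r["c-ip"] for r in rows if _rejected_auth(r))


def correlate(event, rows, window_seconds=5):
    """Client IPs with a rejected AUTH within the window around the event."""
    lo = event["when_utc"] - timedelta(seconds=window_seconds)
    hi = event["when_utc"] + timedelta(seconds=window_seconds)
    return sorted({r["c-ip"] for r in rows
                   if _rejected_auth(r) and lo <= r["ts"] <= hi})


if __name__ == "__main__":
    ev = explain_event(parse_event(EVENT_529))
    rows = parse_w3c(SMTP_LOG)
    print(ev)
    print(failed_auth_by_ip(rows).most_common())
    print("candidates for the 12:29:41 failure:", correlate(ev, rows))
```

Run against a real smtpsvc1 log the counts are what you would feed into a firewall block list; the correlation window is deliberately small because a brute-force run generates several 529 events a second and a wide window would pull in every source. Note the two clocks: Event Viewer shows local time, the W3C lines are UTC, and getting that offset wrong silently matches the wrong client.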