I have a bunch of strange stuff in my security log on my Exchange server and
think someone may have been trying to break into my server. The server is
Windows 2000 SP3 with all available updates.

In my log I have this:

A trusted logon process has registered with the Local Security Authority. This
logon process will be trusted to submit logon requests.
Logon Process Name: \inetinfo.exe

Followed by lots of failed login attempts for users that do not exist on my
network like Administrator, root, test, admin, abc, master, webmaster, web,
www, backup, server and a bunch of others. Several hundred failures in all,
maybe 50 or so per id. All the failed messages read like this:

Reason: Unknown user name or bad password
User Name: backup
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: <my servername>

This server is behind my firewall but my firewall does have NAT entries to it
for mail and web because it is my Exchange server and my IIS server. The only
pages I serve up for IIS are webmail for Exchange.

Have I missed something else to lock down that allowed this to happen or is
this regular stuff when I have an IIS server open to the internet?
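
Added example, not part of the original post: one way to triage failure records like the ones quoted above is to parse the exported event text, count network (type 3) failures per user name, and flag a run that tries many names with no matching account. The account list (`jsmith`), the `MAILSRV01` placeholder, the threshold and the sample records are all constructed for illustration.

```python
import re
from collections import Counter

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")

def parse_records(text):
    """Split exported event text into dicts; a 'Reason:' line starts a record."""
    records, cur = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Reason":
            cur = {}
            records.append(cur)
        if cur is not None:
            cur[key] = value
    return records

def summarize(records, known_accounts, min_names=5):
    """Count type 3 failures per user name (lowercased) and flag a guessing run.

    known_accounts must hold lowercase names; min_names is an assumed threshold.
    """
    fails = Counter(r["User Name"].lower() for r in records
                    if r.get("Logon Type") == "3" and "User Name" in r)
    unknown = sorted(u for u in fails if u not in known_accounts)
    return {"total": sum(fails.values()),
            "per_user": dict(fails),
            "unknown_names": unknown,
            "guessing_run": len(unknown) >= min_names}

# Constructed sample in the field layout quoted in the post.
TEMPLATE = """Reason: Unknown user name or bad password
User Name: {user}
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: MAILSRV01
"""
NAMES = ["Administrator", "root", "test", "admin", "backup", "webmaster"]
SAMPLE = ("".join(TEMPLATE.format(user=n) * 3 for n in NAMES)
          + TEMPLATE.format(user="jsmith"))  # one failure for a real account

if __name__ == "__main__":
    report = summarize(parse_records(SAMPLE), known_accounts={"jsmith"})
    for user, n in sorted(report["per_user"].items()):
        print(f"{user:15} {n}")
    print("guessing run:", report["guessing_run"])
```

The quoted records carry no client address, so the per-name counts have to be matched by time against the web server's own request log to find where the attempts came from.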