
Logon Process Name: \inetinfo.exe

Posted on 2003-11-20
Last Modified: 2010-09-01
I have a bunch of strange stuff in my security log on my exchange server and
think someone may have been trying to break into my server.  The server is
Windows 2000 SP3 with all available updates.

In my log I have this:

A trusted logon process has registered with the Local Security Authority. This
logon process will be trusted to submit logon requests.
 
 Logon Process Name:    \inetinfo.exe


Followed by a lot of failed login attempts for users that do not exist on my
network like Administrator, root, test, admin, abc, master, webmaster, web,
www, backup, server and a bunch of others.  Several hundred failures in all,
maybe 50 or so per ID.  All the failed messages read like this:

Logon Failure:
        Reason:         Unknown user name or bad password
        User Name:      backup
        Domain:        
        Logon Type:     3
        Logon Process:  Advapi  
        Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
        Workstation Name:       <my servername>

This server is behind my firewall but my firewall does have NAT entries to it
for mail and web because it is my Exchange server and my IIS server.  The only
pages I serve up for IIS are webmail for Exchange.

Have I missed something else to lock down that allowed this to happen or is
this regular stuff when I have an IIS server open to the internet?

Question by:GoldbergLindsay
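
The failure pattern quoted in the question has all the marks of an automated dictionary attack, and the fields shown in each record are enough to recognise one without leaving the security log. The Python script below is an added example, not part of the original thread: it builds a constructed sample log in exactly the record layout quoted above, parses the "Logon Failure" records, and flags the pattern. The server name MAILSRV, the list of accounts that really exist, and the thresholds are assumptions. One reading aid it encodes: a Logon Type 3 failure whose Logon Process is Advapi and whose Workstation Name is the server itself means the credentials were submitted by a process running on that server calling LogonUser (for an OWA server, IIS handling HTTP Basic authentication, which is also why inetinfo.exe registers itself as a trusted logon process), so the remote client's address is not in this log and has to be pulled from the IIS (or SMTP) logs for the same time window.

```python
"""Added example (not from the original thread): detect the dictionary-attack
pattern quoted in the question from Windows 2000 'Logon Failure' records.
Server name, known accounts, thresholds and the log text are constructed."""
import re
from collections import Counter

SERVER = "MAILSRV"                           # assumed stand-in for <my servername>
KNOWN_ACCOUNTS = {"jsmith", "exchange_svc"}  # assumed; in practice, pull from the domain

# Names quoted in the question; a generic brute-force wordlist.
WORDLIST = {"administrator", "root", "test", "admin", "abc", "master",
            "webmaster", "web", "www", "backup", "server"}

# The record layout shown in the question.
EVENT_TEMPLATE = """\
Logon Failure:
        Reason:         Unknown user name or bad password
        User Name:      {user}
        Domain:
        Logon Type:     3
        Logon Process:  Advapi
        Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
        Workstation Name:       {ws}
"""


def build_sample_log():
    """Constructed sample: 50 failures for each of six wordlist names, all
    submitted through the server itself (as IIS does for OWA basic auth),
    plus one real user mistyping a password from their own PC."""
    events = []
    for user in ("Administrator", "root", "test", "admin", "backup", "www"):
        events.extend(EVENT_TEMPLATE.format(user=user, ws=SERVER)
                      for _ in range(50))
    events.append(EVENT_TEMPLATE.format(user="jsmith", ws="JSMITH-PC"))
    return "\n".join(events)


FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*):\s*(?P<val>.*)$")


def parse_logon_failures(text):
    """Return one dict of field -> value per 'Logon Failure:' record."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "Logon Failure:":
            current = {}
            records.append(current)
        elif current is not None:
            m = FIELD_RE.match(line)
            if m:
                current[m.group("key").strip()] = m.group("val").strip()
    return records


def analyse(records, known_accounts=KNOWN_ACCOUNTS, server=SERVER,
            min_users=5, min_per_user=10):
    """Flag a dictionary attack: many names that do not exist here, each
    tried many times, with the attempts submitted by a local service."""
    per_user = Counter(r.get("User Name", "") for r in records)
    nonexistent = {u: n for u, n in per_user.items() if u not in known_accounts}
    hammered = sorted(u for u, n in nonexistent.items() if n >= min_per_user)
    wordlist_hits = sorted(u for u in per_user if u.lower() in WORDLIST)
    # Logon Type 3 + Logon Process Advapi + Workstation Name == this server
    # means LogonUser() was called by a process on the server (IIS, SMTP):
    # the client's IP is not in this log; correlate with the IIS/SMTP logs.
    via_local_service = sum(
        1 for r in records
        if r.get("Logon Type") == "3" and r.get("Logon Process") == "Advapi"
        and r.get("Workstation Name", "").upper() == server.upper())
    if len(hammered) >= min_users and via_local_service * 2 >= len(records):
        verdict = "dictionary attack via a service exposed on this server"
    else:
        verdict = "no automated pattern"
    return {
        "total_failures": len(records),
        "distinct_users": len(per_user),
        "nonexistent_users": sorted(nonexistent),
        "hammered_users": hammered,
        "wordlist_hits": wordlist_hits,
        "via_local_service": via_local_service,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in analyse(parse_logon_failures(build_sample_log())).items():
        print(f"{key}: {value}")
```

Run against a real export, the script would be fed the saved text of the security log instead of build_sample_log(); the thresholds are deliberately low so that a single wordlist pass is already caught, and the via_local_service count tells you which other log (IIS for port 80, SMTP for port 25) holds the source address.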
 

Expert Comment

by:JasonBigham
ID: 9788497
If you have IIS FTP services running, I'd be concerned. Hackers take advantage of this product quite often. The quickest check to see if they had success is to see if you are low on disk space. If so, your box is now a "warez" server. Though, with all the failures, I suspect they have yet to succeed in compromising the box.

Now for access to your box through the firewall, what ports are you allowing? You should only be allowing SMTP and maybe 80 for OWA web traffic. DEFINITELY not any FTP ports (usually 20, 21) unless you feel really good about your IIS security.
 

Expert Comment

by:JasonBigham
ID: 9788588
More random info of possible value:

"Logon Type" will be one of the following:

0 N/A
1 N/A
2 Interactive
3 Network
4 Batch
5 Service
6 Proxy
7 Unlock Workstation
 

Expert Comment

by:JasonBigham
ID: 9788628
In the end, at the least, busting out a sniffer may be appropriate.

Here is an example of a virus that could act in a similar fashion, not necessarily your issue though... just an example.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_WOMANIZ.C&VSect=T


 

Accepted Solution

by:
Vahik earned 250 total points
ID: 9788694
As long as you have a public address, folks (nice folks) will always try to make trouble for you. So make sure you have the latest spyware, adware and antivirus software running on your servers. Try to disable FTP and also run the IIS Lockdown tool from Microsoft (that is a problem in itself). They will always keep trying, just make sure they don't succeed. One of the best ways without any fancy footwork is to enable a complex password policy on your network.
 

Author Comment

by:GoldbergLindsay
ID: 9789323
I do not have FTP service running on the server.

FTP should not be allowed through the firewall but I am not positive.  I have the running config from my firewall.  What should or should not be stated for FTP?
 

Expert Comment

by:Icetoad
ID: 9801692
Your assumption is correct.   The best option is to log all traffic to your server on ports 80 and 25 using Ethereal.  You should be able to pull out the IP address of the offender; once you have a nice long log, just go on ARIN, find out his local ISP's phone number, contact them, send them the logs.. sit back and watch them cancel the little script kiddie's account, or at least his stolen account.
 

Expert Comment

by:jack3141
ID: 10055994
Last week I experienced the same symptoms on my NT 4.0 SP 6a Exchange 5.5 server.  The failed logins similarly attempted authentication for administrator, root, test, admin, abc, master, webmaster, web, www, backup, etc user accounts.  However, the Login Process Name in my case was: \msexcinc.exe (the Exchange Internet Connector).

The login attempts occurred at regular 5-second intervals, so I suspect an automated external attack mechanism, such as a worm, on TCP ports 80 or 25, which are open through our firewall.  I have no detailed traffic logs to confirm this, but my application event log indicates that the malicious behavior originated from 219.153.150.109.

At this time, my investigation is focusing on what would cause a trusted (SMTP) process to register with the LSA, as well as attempting to replicate this event.  I will be glad to share my findings.

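The fixed five-second spacing jack3141 noticed is a signal worth checking for in its own right, because a person retyping a password never produces a constant period while a script almost always does. The Python below is an added example, not from the thread: given the timestamps of a run of failed logons (constructed sample data, written in a plain "YYYY-MM-DD HH:MM:SS" form rather than any particular Event Viewer export format), it computes the inter-arrival times and decides whether the cadence looks scripted. Applied per source address where one is available (jack3141's application log had it; the security-log entries in the question do not), it separates one scripted client from background noise.

```python
"""Added example (not from the original thread): decide from failed-logon
timestamps whether the cadence looks scripted, as jack3141's fixed
five-second spacing suggests.  All timestamps below are constructed."""
from datetime import datetime
from statistics import median

TIME_FMT = "%Y-%m-%d %H:%M:%S"   # assumed export format, not Event Viewer's own

# Constructed: ten failures about five seconds apart (a script with jitter).
SCRIPTED_SAMPLE = [
    "2003-11-20 02:13:00", "2003-11-20 02:13:05", "2003-11-20 02:13:10",
    "2003-11-20 02:13:16", "2003-11-20 02:13:20", "2003-11-20 02:13:25",
    "2003-11-20 02:13:30", "2003-11-20 02:13:35", "2003-11-20 02:13:41",
    "2003-11-20 02:13:46",
]
# Constructed: a person retyping a password at irregular intervals.
HUMAN_SAMPLE = [
    "2003-11-20 08:00:03", "2003-11-20 08:00:06", "2003-11-20 08:00:53",
    "2003-11-20 08:01:05", "2003-11-20 08:03:15", "2003-11-20 08:03:23",
    "2003-11-20 08:04:28",
]


def parse_times(stamps, fmt=TIME_FMT):
    """Parse and sort; exported logs are not always in time order."""
    return sorted(datetime.strptime(s, fmt) for s in stamps)


def inter_arrival_seconds(times):
    """Seconds between each consecutive pair of events."""
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def classify_cadence(deltas, tolerance=1.0, min_regular_fraction=0.8,
                     min_events=5):
    """Return (verdict, period_seconds).  A script fires at a near-constant
    period; a person does not.  The median is the period estimate so one
    long pause (network hiccup, lockout delay) does not skew it."""
    if len(deltas) + 1 < min_events:
        return ("insufficient data", None)
    period = median(deltas)
    regular = sum(1 for d in deltas if abs(d - period) <= tolerance)
    if regular / len(deltas) >= min_regular_fraction:
        return ("scripted", period)
    return ("irregular", period)


def assess(stamps):
    """Convenience wrapper: timestamps in, (verdict, period) out."""
    return classify_cadence(inter_arrival_seconds(parse_times(stamps)))


if __name__ == "__main__":
    print("scripted sample:", assess(SCRIPTED_SAMPLE))
    print("human sample:   ", assess(HUMAN_SAMPLE))
```

The tolerance of one second and the 80 percent regularity floor are assumptions tuned for a noisy log; tighten them if the tool under study is as metronomic as the one jack3141 describes.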