Logon Process Name: \inetinfo.exe

I have a bunch of strange stuff in my security log on my Exchange server and
think someone may have been trying to break into my server.  The server is
Windows 2000 SP3 with all available updates.

In my log I have this:

A trusted logon process has registered with the Local Security Authority. This
logon process will be trusted to submit logon requests.
 
 Logon Process Name:    \inetinfo.exe


Followed by a lot of failed login attempts for users that do not exist on my
network like Administrator, root, test, admin, abc, master, webmaster, web,
www, backup, server and a bunch of others.  Several hundred failures in all,
maybe 50 or so per ID.  All the failed messages read like this:

Logon Failure:
        Reason:         Unknown user name or bad password
        User Name:      backup
        Domain:        
        Logon Type:     3
        Logon Process:  Advapi  
        Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
        Workstation Name:       <my servername>

This server is behind my firewall, but my firewall does have NAT entries to it
for mail and web because it is my Exchange server and my IIS server.  The only
pages I serve up for IIS are webmail for Exchange.

Have I missed something else to lock down that allowed this to happen or is
this regular stuff when I have an IIS server open to the internet?

GoldbergLindsay asked:
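
The events quoted in the question can be triaged mechanically. The following Python is an added example, not code from the thread: it parses the "Logon Failure" description text in the format shown (Reason, User Name, Domain, Logon Type, Logon Process, Authentication Package, Workstation Name) and summarises what separates a scripted guessing run from an ordinary mistyped password: many non-existent user names each tried repeatedly, a steady interval between attempts, and logon type 3 submitted through Advapi with the server's own name as the workstation, which is what a local service such as IIS produces when it authenticates on a remote client's behalf. Note that the event as quoted carries no client IP address, so this summary can establish that guessing happened but not where it came from. The sample records are constructed for the example; the timestamps, the host names MAILSRV and WKS01, the user jsmith and the thresholds are assumptions, and a real export from Event Viewer would be read from its saved text file instead.

```python
"""Triage of the 'Logon Failure' events quoted in the question.

Added example, not from the original thread. Records are (datetime, description)
pairs constructed below; a real Event Viewer text export would be loaded instead.
"""
import re
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

# The indented 'Key: value' lines of a Windows 2000 Logon Failure description,
# in the form the question quotes.
FIELD_RE = re.compile(
    r"^[ \t]*(Reason|User Name|Domain|Logon Type|Logon Process|"
    r"Authentication Package|Workstation Name):[ \t]*(.*?)[ \t]*$",
    re.MULTILINE,
)

DESCRIPTION = """Logon Failure:
        Reason:         Unknown user name or bad password
        User Name:      {user}
        Domain:         {domain}
        Logon Type:     {ltype}
        Logon Process:  {proc}
        Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
        Workstation Name:       {ws}
"""


def parse_description(text):
    """Return the Key: value fields of one Logon Failure description as a dict."""
    return dict(FIELD_RE.findall(text))


def analyze(records, min_users=10, min_per_user=5):
    """Summarise 'Unknown user name or bad password' failures.

    A guessing run shows as many distinct names each tried repeatedly, a steady
    gap between attempts, and logon type 3 via Advapi with the server itself as
    workstation (a local service such as IIS authenticating on a remote client's
    behalf). The thresholds are assumptions; tune them to your own baseline.
    """
    events = []
    for ts, desc in sorted(records):
        fields = parse_description(desc)
        if fields.get("Reason", "").startswith("Unknown user name or bad password"):
            events.append((ts, fields))
    by_user = Counter(f["User Name"] for _, f in events)
    heavy = {u: n for u, n in by_user.items() if n >= min_per_user}
    gaps = [(events[i + 1][0] - events[i][0]).total_seconds()
            for i in range(len(events) - 1)]
    via_advapi = sum(1 for _, f in events
                     if f.get("Logon Type") == "3"
                     and f.get("Logon Process", "").lower() == "advapi")
    return {
        "failures": len(events),
        "distinct_users": len(by_user),
        "heavy_users": heavy,
        "median_gap_s": median(gaps) if gaps else None,
        "type3_via_advapi": via_advapi,
        "guessing_run": len(heavy) >= min_users,
    }


def sample_records():
    """Constructed Security log extract: a scripted run against generic names at
    five-second intervals, plus two ordinary mistakes by a real user (assumed)."""
    start = datetime(2003, 1, 1, 2, 0, 0)          # assumed timestamps
    guessed = ["Administrator", "root", "test", "admin", "abc", "master",
               "webmaster", "web", "www", "backup", "server", "guest"]
    recs, t = [], start
    for user in guessed:
        for _ in range(6):
            recs.append((t, DESCRIPTION.format(user=user, domain="", ltype="3",
                                               proc="Advapi", ws="MAILSRV")))
            t += timedelta(seconds=5)
    recs.append((start - timedelta(hours=3),
                 DESCRIPTION.format(user="jsmith", domain="CORP", ltype="2",
                                    proc="User32", ws="MAILSRV")))
    recs.append((start + timedelta(hours=2),
                 DESCRIPTION.format(user="jsmith", domain="CORP", ltype="3",
                                    proc="NtLmSsp", ws="WKS01")))
    return recs


if __name__ == "__main__":
    for key, value in analyze(sample_records()).items():
        print(f"{key}: {value}")
```

The median gap is the cheapest regularity check: a person retyping a password does not produce a steady five-second cadence, while a script does. The real user's two failures fall below the per-user threshold and never enter the verdict.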
 
Vahik commented:
As long as you have a public address, folks (nice folks) will always try to
make trouble for you. So make sure you have the latest anti-spyware, anti-adware and antivirus software running on your servers. Try to disable FTP and also run the IIS Lockdown tool from Microsoft (that is a problem in itself). They will always keep trying; just make sure they don't succeed. One of the best ways without any fancy footwork is to enable a complex password policy on your network.
 
JasonBigham commented:
If you have IIS FTP services running, I'd be concerned. Hackers take advantage of this product quite often. The quickest check to see if they had success is to see if you are low on disk space. If so, your box is now a "warez" server. Though, with all the failures, I suspect they have yet to succeed in compromising the box.

Now for access to your box through the firewall, what ports are you allowing? You should only be allowing SMTP and maybe 80 for OWA web traffic. DEFINITELY not any FTP ports (usually 20, 21) unless you feel really good about your IIS security.
 
JasonBigham commented:
More random info of possible value:

"Logon Type" will be one of the following:

0 N/A
1 N/A
2 Interactive
3 Network
4 Batch
5 Service
6 Proxy
7 Unlock Workstation
 
JasonBigham commented:
In the end, at the least, busting out a sniffer may be appropriate.

Here is an example of a virus that could act in a similar fashion, not necessarily your issue though... just an example.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_WOMANIZ.C&VSect=T

 
GoldbergLindsay (author) commented:
I do not have the FTP service running on the server.

FTP should not be allowed through the firewall, but I am not positive.  I have the running config from my firewall.  What should or should not be stated for FTP?
 
BrentDevOps commented:
Your assumption is correct.   The best option is to log all traffic to your server on ports 80 and 25 using Ethereal.  You should be able to pull out the IP address of the offender; once you have a nice long log, just go on ARIN, find out his local ISP's phone number, contact them, send them the logs, sit back and watch them cancel the little script kiddie's account or at least his stolen account.
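Because the Security log event records only the server's own name as the workstation, the client address has to come from the service that accepted the credentials; for OWA that is the IIS W3C extended log, where each rejected attempt appears as a 401 response. The following Python is an added example, not code from the thread: it reads a W3C log, honours the #Fields directive rather than assuming column positions, and ranks client addresses by the number of distinct user names they tried against 401 responses. That count, not the raw 401 total, is the useful signal, because every legitimate browser session also begins with a 401 before it sends credentials. The log lines, the addresses 203.0.113.7, 198.51.100.22 and 192.0.2.10, and the thresholds are constructed for the example. It also assumes IIS wrote the submitted name into cs-username on the 401 lines, which is not guaranteed; if your log shows only "-" there, rank by failure count per address instead (the min_failures threshold covers that case).

```python
"""Find the client behind OWA logon failures in an IIS W3C extended log.

Added example, not from the original thread. The log lines, addresses and
thresholds are constructed; run it on the real W3SVC log files instead.
"""
from collections import Counter, defaultdict

# Constructed header in the W3C extended format IIS 5 writes by default.
HEADER = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-01-01 02:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
"""

# Generic names of the kind listed in the question (assumed for the sample).
GUESSED = ["Administrator", "root", "test", "admin", "abc", "master",
           "webmaster", "web", "www", "backup", "server", "guest"]


def parse_w3c(lines):
    """Yield one dict per data line, keyed by the names in the #Fields directive.

    Fields are space separated; IIS writes '+' for spaces inside a value and '-'
    for an empty one, so a plain split is safe. Lines whose field count does not
    match the header (truncated writes) are skipped rather than mis-keyed.
    """
    fields = None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # a log may restart with a new header
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def suspicious_clients(lines, min_names=5, min_failures=50):
    """Rank client addresses by 401 responses and by distinct names attempted."""
    failures, names = Counter(), defaultdict(set)
    for rec in parse_w3c(lines):
        if rec.get("sc-status") != "401":
            continue
        ip = rec["c-ip"]
        failures[ip] += 1
        if rec.get("cs-username", "-") != "-":   # '-' means no name was logged
            names[ip].add(rec["cs-username"])
    return {
        ip: {
            "failures": n,
            "distinct_names": sorted(names[ip]),
            "flag": len(names[ip]) >= min_names or n >= min_failures,
        }
        for ip, n in failures.items()
    }


def sample_log():
    """Constructed log: one address walking a name list against /exchange/,
    and one real user whose browser answers the initial 401 correctly."""
    lines = HEADER.splitlines()
    second = 0
    for user in GUESSED:
        for _ in range(3):
            lines.append(f"2003-01-01 02:00:{second:02d} 203.0.113.7 {user} 192.0.2.10 80 "
                         f"GET /exchange/ - 401 Mozilla/4.0+(compatible)")
            second += 1
    lines.append("2003-01-01 03:10:00 198.51.100.22 - 192.0.2.10 80 "
                 "GET /exchange/ - 401 Mozilla/4.0+(compatible;+MSIE+6.0)")
    lines.append("2003-01-01 03:10:01 198.51.100.22 CORP\\jsmith 192.0.2.10 80 "
                 "GET /exchange/ - 200 Mozilla/4.0+(compatible;+MSIE+6.0)")
    return lines


if __name__ == "__main__":
    report = suspicious_clients(sample_log())
    for ip, info in sorted(report.items(), key=lambda kv: -kv[1]["failures"]):
        print(ip, info["failures"], len(info["distinct_names"]),
              "FLAG" if info["flag"] else "")
```

Once an address is flagged, the timestamps on its 401 lines should line up with the bursts in the Security log, which is the confirmation to include when the logs are sent to the address's network owner. SMTP AUTH failures against port 25 are not in this log at all; they would need the SMTP protocol log or a packet capture, as suggested above.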
 
jack3141 commented:
Last week I experienced the same symptoms on my NT 4.0 SP6a Exchange 5.5 server.  The failed logins similarly attempted authentication for the administrator, root, test, admin, abc, master, webmaster, web, www, backup, etc. user accounts.  However, the Logon Process Name in my case was: \msexcinc.exe (the Exchange Internet Connector).

The login attempts occurred at regular 5-second intervals, so I suspect an automated external attack mechanism, such as a worm, on TCP ports 80 or 25, which are open through our firewall.  I have no detailed traffic logs to confirm this, but my application event log indicates that the malicious behavior originated from 219.153.150.109.

At this time, my investigation is focusing on what would cause a trusted (SMTP) process to register with the LSA, as well as attempting to replicate this event.  I will be glad to share my findings.