Solved

Logon Process Name: \inetinfo.exe

Posted on 2003-11-20
Last Modified: 2010-09-01
I have a bunch of strange stuff in my security log on my Exchange server and
think someone may have been trying to break into my server.  The server is
Windows 2000 SP3 with all available updates.

In my log I have this:

A trusted logon process has registered with the Local Security Authority. This
logon process will be trusted to submit logon requests.
 
 Logon Process Name:    \inetinfo.exe


Followed by a lot of failed login attempts for users that do not exist on my
network like Administrator, root, test, admin, abc, master, webmaster, web,
www, backup, server and a bunch of others.  Several hundred failures in all,
maybe 50 or so per ID.  All the failed messages read like this:

Logon Failure:
        Reason:         Unknown user name or bad password
        User Name:      backup
        Domain:        
        Logon Type:     3
        Logon Process:  Advapi  
        Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
        Workstation Name:       <my servername>

This server is behind my firewall but my firewall does have NAT entries to it
for mail and web because it is my Exchange server and my IIS server.  The only
pages I serve up from IIS are webmail for Exchange.

Have I missed something else to lock down that allowed this to happen or is
this regular stuff when I have an IIS server open to the internet?

Question by:GoldbergLindsay
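The pattern in the question (one "Logon Failure" record after another, all Logon Type 3 via Advapi, each naming a different common account) is a wordlist attack rather than a user mistyping a password. The script below is an added example, not code from the thread: it parses records in exactly the layout quoted above (the sample log is constructed with a hypothetical workstation name MAILSRV), decodes the logon type, counts failures per account and per (logon process, logon type) pair, and flags the many-accounts/many-failures signature. The thresholds are assumptions to tune for your own log volume.

```python
"""Parse Windows 2000 security-log 'Logon Failure' records and flag a
dictionary attack.  Added example; the log text is constructed, not the
poster's own log."""
import re
from collections import Counter

# Logon type codes as documented for Windows 2000.  Types 8 and 9 are not
# listed in the thread but are real codes, so they are decoded as well.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
    6: "Proxy", 7: "Unlock Workstation", 8: "NetworkCleartext",
    9: "NewCredentials",
}

# One record in the layout the question quotes (hypothetical workstation name).
RECORD_TEMPLATE = """\
Logon Failure:
        Reason:         Unknown user name or bad password
        User Name:      {user}
        Domain:
        Logon Type:     {logon_type}
        Logon Process:  {process}
        Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
        Workstation Name:       {workstation}
"""


def make_sample(users, per_user, workstation="MAILSRV"):
    """Build a constructed log: `per_user` failures for each name in `users`."""
    return "\n".join(
        RECORD_TEMPLATE.format(user=u, logon_type=3, process="Advapi",
                               workstation=workstation)
        for u in users for _ in range(per_user)
    )


# "Field Name:   value" lines inside a record; value may be empty (Domain:).
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_failures(text):
    """Split the text into records, one dict per 'Logon Failure:' block."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("Logon Failure:"):
            current = {}
            records.append(current)
            continue
        if current is None:          # text before the first record
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    return records


def logon_type_name(value):
    """Decode the numeric Logon Type field; anything unparseable is Unknown."""
    try:
        return LOGON_TYPES.get(int(value), "Unknown")
    except ValueError:
        return "Unknown"


def summarize(records):
    """Failures per account, and per (logon process, logon type) pair."""
    by_user = Counter(r.get("User Name", "") for r in records)
    by_source = Counter(
        (r.get("Logon Process", ""), logon_type_name(r.get("Logon Type", "")))
        for r in records)
    return by_user, by_source


def is_dictionary_attack(records, min_accounts=5, min_attempts=20):
    """Many distinct names all failing with 'Unknown user name or bad
    password' is the wordlist signature; one user's typos are not."""
    bad = [r for r in records
           if r.get("Reason", "").startswith("Unknown user name")]
    users = {r.get("User Name", "") for r in bad}
    return len(bad) >= min_attempts and len(users) >= min_accounts


if __name__ == "__main__":
    names = ["Administrator", "root", "test", "admin", "abc", "master",
             "webmaster", "web", "www", "backup", "server"]
    recs = parse_failures(make_sample(names, 5))
    by_user, by_source = summarize(recs)
    print(by_user.most_common(3), dict(by_source))
    print("dictionary attack:", is_dictionary_attack(recs))
```

Two things the counts tell you that a glance at the log does not: the (process, type) pair identifies which service is submitting the guesses (here Advapi, Network), and a long tail of never-existing account names, each tried a similar number of times, rules out a forgotten password on a real account.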
7 Comments
Expert Comment

by:JasonBigham
ID: 9788497
If you have IIS FTP services running, I'd be concerned. Hackers take advantage of this product quite often. The quickest check to see if they had success is to see if you are low on disk space. If so, your box is now a "warez" server. Though, with all the failures, I suspect they have yet to succeed in compromising the box.

Now for access to your box through the firewall, what ports are you allowing? You should only be allowing SMTP and maybe 80 for OWA web traffic. DEFINITELY not any FTP ports (usually 20, 21) unless you feel really good about your IIS security.
Expert Comment

by:JasonBigham
ID: 9788588
More random info of possible value:

"Logon Type" will be one of the following:

0 N/A
1 N/A
2 Interactive
3 Network
4 Batch
5 Service
6 Proxy
7 Unlock Workstation
Expert Comment

by:JasonBigham
ID: 9788628
In the end, at the least, busting out a sniffer may be appropriate.

Here is an example of a virus that could act in a similar fashion, not necessarily your issue though... just an example.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_WOMANIZ.C&VSect=T

Accepted Solution

by: Vahik (earned 500 total points)
ID: 9788694
As long as you have a public address, folks (nice folks) will always try to
make trouble for you. So make sure you have the latest spyware, adware and antivirus software running on your servers. Try to disable FTP and also run the IIS Lockdown tool from Microsoft (that is a problem in itself). They will always keep trying; just make sure they don't succeed. One of the best ways without any fancy footwork is to enable a complex password policy on your network.

Author Comment

by:GoldbergLindsay
ID: 9789323
I do not have FTP service running on the server.

FTP should not be allowed through the firewall but I am not positive.  I have the running config from my firewall.  What should or should not be stated for FTP?
Expert Comment

by:Brent
ID: 9801692
Your assumption is correct.   The best option is to log all traffic to your server on ports 80 and 25 using Ethereal.  You should be able to pull out the IP address of the offender. Once you have a nice long log, just go on ARIN, find out his local ISP's phone number, contact them, send them the logs... sit back and watch them cancel the little script kiddie's account, or at least his stolen account.
Expert Comment

by:jack3141
ID: 10055994
Last week I experienced the same symptoms on my NT 4.0 SP6a Exchange 5.5 server.  The failed logins similarly attempted authentication for administrator, root, test, admin, abc, master, webmaster, web, www, backup, etc. user accounts.  However, the Logon Process Name in my case was: \msexcinc.exe (the Exchange Internet Connector).

The login attempts occurred at regular 5-second intervals, so I suspect an automated external attack mechanism, such as a worm, on TCP ports 80 or 25, which are open through our firewall.  I have no detailed traffic logs to confirm this.  But my application event log indicates that the malicious behavior originated from 219.153.150.109.

At this time, my investigation is focusing on what would cause a trusted (SMTP) process to register with the LSA, as well as attempting to replicate this event.  I will be glad to share my findings.
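Brent's suggestion of capturing port 80/25 traffic to recover the source address, and jack3141's observation that the guesses arrived at a fixed 5-second cadence, can both be answered from the IIS web logs when the guessing comes in through OWA: each 401 response records the client IP, and the timestamps show whether the attempts are machine-regular. The script below is an added example and not code from the thread. It parses a constructed W3C extended log (a hypothetical attacker at 198.51.100.23 in the documentation address range, server 10.0.0.5, and a user jsmith, none of which are from the thread), groups 401s by client address, and reports how regular each source's inter-arrival times are. Whether IIS records the attempted cs-username on a failed Basic-auth request depends on the IIS version and configuration; the sample assumes it does, and the code tolerates "-" where it does not.

```python
"""Attribute OWA password guessing to a client IP from an IIS W3C log and
measure the cadence of its failed attempts.  Added example; the log is
constructed and the addresses are hypothetical."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# W3C extended log header; the #Fields line drives the parser, so a log
# with a different field set still parses as long as the names are present.
HEADER = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-11-19 02:14:05
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)"""

GUESSED_NAMES = ("Administrator", "root", "test", "admin", "abc", "master",
                 "webmaster", "web", "www", "backup", "server", "guest")


def make_sample(attacker="198.51.100.23", users=GUESSED_NAMES, interval=5):
    """Constructed log: one 401 per guessed name every `interval` seconds
    from `attacker`, plus a legitimate user who mistypes once and then
    logs in (her single 401 must not be flagged)."""
    start = datetime(2003, 11, 19, 2, 14, 5)
    lines = [HEADER]
    for i, user in enumerate(users):
        t = start + timedelta(seconds=interval * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} {attacker} {user} 10.0.0.5 80 "
                     f"GET /exchange/ - 401 Mozilla/4.0")
    t = start + timedelta(seconds=7)
    lines.append(f"{t:%Y-%m-%d %H:%M:%S} 10.0.0.17 jsmith 10.0.0.5 80 "
                 f"GET /exchange/ - 401 Mozilla/4.0")
    t = start + timedelta(seconds=19)
    lines.append(f"{t:%Y-%m-%d %H:%M:%S} 10.0.0.17 jsmith 10.0.0.5 80 "
                 f"GET /exchange/ - 200 Mozilla/4.0")
    return "\n".join(lines)


def parse_w3c(text):
    """Return one dict per request line, keyed by the names in #Fields.
    W3C fields are space-separated; IIS writes '-' for empty values and
    '+' for spaces inside a value, so a plain split() is safe."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def auth_failures_by_ip(rows):
    """Map client IP -> sorted list of (timestamp, presented username)."""
    out = defaultdict(list)
    for r in rows:
        if r.get("sc-status") == "401":
            ts = datetime.strptime(r["date"] + " " + r["time"],
                                   "%Y-%m-%d %H:%M:%S")
            out[r["c-ip"]].append((ts, r.get("cs-username", "-")))
    for events in out.values():
        events.sort()
    return out


def cadence(timestamps):
    """(mean gap in seconds, population stdev of the gaps), or None when
    there are too few events.  A stdev near zero means a timer, not a
    person at a keyboard."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        return None
    return mean(gaps), pstdev(gaps)


def suspicious_sources(rows, min_failures=10):
    """Sources with at least `min_failures` 401s, with how many distinct
    names they presented and how regular their timing was."""
    result = {}
    for ip, events in auth_failures_by_ip(rows).items():
        if len(events) < min_failures:
            continue
        names = {u for _, u in events if u != "-"}
        result[ip] = {"failures": len(events), "distinct_users": len(names),
                      "cadence": cadence([t for t, _ in events])}
    return result


if __name__ == "__main__":
    for ip, info in suspicious_sources(parse_w3c(make_sample())).items():
        print(ip, info)
```

The IP you get this way is the address that reached IIS; if the attempts come in over SMTP (jack3141's \msexcinc.exe case) the web log will not show them and the SMTP protocol log or a capture on port 25, as Brent describes, is the place to look instead.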