Solved

Logon Process Name: \inetinfo.exe

Posted on 2003-11-20
Last Modified: 2010-09-01
I have a bunch of strange stuff in my security log on my Exchange server and
think someone may have been trying to break into my server.  The server is
Windows 2000 SP3 with all available updates.

In my log I have this:

A trusted logon process has registered with the Local Security Authority. This
logon process will be trusted to submit logon requests.
 
 Logon Process Name:    \inetinfo.exe


Followed by a lots of failed login attempts for users that do not exist on my
network like Administrator, root, test, admin, abc, master, webmaster, web,
www, backup, server and a bunch of others.  Several hundred failures in all
maybe 50 or so per id.  All the failed messages read like this:

Logon Failure:
        Reason:         Unknown user name or bad password
        User Name:      backup
        Domain:        
        Logon Type:     3
        Logon Process:  Advapi  
        Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
        Workstation Name:       <my servername>

This server is behind my firewall, but my firewall does have NAT entries to it
for mail and web because it is my Exchange server and my IIS server.  The only
pages I serve up via IIS are webmail for Exchange.

Have I missed something else to lock down that allowed this to happen or is
this regular stuff when I have an IIS server open to the internet?

Question by:GoldbergLindsay
7 Comments
 
LVL 8

Expert Comment

by:JasonBigham
ID: 9788497
If you have IIS FTP services running, I'd be concerned. Hackers take advantage of this product quite often. Quickest check to see if they had success is to see if you are low on disk space. If so, your box is now a "warez" server. Though, with all the failures, I suspect they have yet to succeed in compromising the box.

Now for access to your box through the firewall, what ports are you allowing? Should only be allowing SMTP and maybe 80 for OWA web traffic. DEFINITELY not any FTP ports (usually 20, 21) unless you feel really good about your IIS security.
 
LVL 8

Expert Comment

by:JasonBigham
ID: 9788588
More random info of possible value:

"Logon Type" will be one of the following:

0 N/A
1 N/A
2 Interactive
3 Network
4 Batch
5 Service
6 Proxy
7 Unlock Workstation
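The question's log excerpt and JasonBigham's Logon Type table above describe what a practitioner would actually want to automate: pull the 529 failures out of a security-log text export, count them per user, flag the names that are not real accounts, decode the Logon Type, and check whether the attempts arrive at a mechanical interval. The following is an added example (not code from the thread) that does this over a constructed export. The "Event <id> <time>" header line, the server name EXCH01 and every sample record are assumptions; a real Event Viewer text export uses its own header layout, so HEADER_RE would have to be adapted to it. The field layout below the header is the one quoted in the question.

```python
"""Added example: triage a Windows 2000 security-log text export for the
password-guessing pattern described in the question. Not code from the thread."""
import re
from collections import Counter
from datetime import datetime

# Logon Type values as listed in JasonBigham's comment (Windows 2000).
LOGON_TYPES = {0: "N/A", 1: "N/A", 2: "Interactive", 3: "Network", 4: "Batch",
               5: "Service", 6: "Proxy", 7: "Unlock Workstation"}

SERVER = "EXCH01"  # assumed server name for the constructed sample


def _failure(ts, user, domain="", ltype=3, proc="Advapi",
             pkg="MICROSOFT_AUTHENTICATION_PACKAGE_V1_0"):
    """Render one constructed Event 529 record in the layout quoted in the question."""
    return (f"Event 529 {ts}\nLogon Failure:\n"
            f"        Reason:         Unknown user name or bad password\n"
            f"        User Name:      {user}\n"
            f"        Domain:         {domain}\n"
            f"        Logon Type:     {ltype}\n"
            f"        Logon Process:  {proc}\n"
            f"        Authentication Package: {pkg}\n"
            f"        Workstation Name:       {SERVER}\n")


# Constructed sample: one 515 registration, eight scripted failures five seconds
# apart, and one ordinary console typo later in the day. The "Event <id> <time>"
# header line is an assumption; a real Event Viewer export has its own header
# layout, so HEADER_RE must be adapted to it.
GUESSED = ["Administrator", "root", "test", "admin", "backup", "backup", "www", "master"]
SAMPLE_LOG = (
    "Event 515 2003-11-20 02:59:58\n"
    "A trusted logon process has registered with the Local Security Authority.\n"
    "        Logon Process Name:     \\inetinfo.exe\n"
    + "".join(_failure(f"2003-11-20 03:00:{sec:02d}", user)
              for sec, user in zip(range(3, 60, 5), GUESSED))
    + _failure("2003-11-20 09:41:30", "jsmith", "CORP", 2, "User32", "Negotiate")
)

HEADER_RE = re.compile(r"^Event (\d+) (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$")
FIELD_RE = re.compile(r"^\s+([A-Za-z ]+):\s*(.*?)\s*$")   # indented "Name:  value" lines


def parse_events(text):
    """Turn the export into a list of dicts: event_id, time, plus each indented field."""
    events = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            events.append({"event_id": int(m.group(1)), "time": m.group(2)})
            continue
        m = FIELD_RE.match(line)
        if m and events:
            events[-1][m.group(1)] = m.group(2)
    return events


def triage(events, known_users, server=SERVER):
    """Summarise 529 failures the way an admin would eyeball them, plus timing."""
    known = {u.lower() for u in known_users}
    failures = [e for e in events if e["event_id"] == 529]
    per_user = Counter(e["User Name"] for e in failures)
    # Type 3 with the server's own name as workstation: a local process (here
    # inetinfo.exe via Advapi) performed the logon on behalf of a remote client.
    remote_via_local = [e for e in failures
                        if e["Logon Type"] == "3" and e["Workstation Name"] == server]
    times = sorted(datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S")
                   for e in remote_via_local)
    gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return {
        "registered_logon_processes": [e.get("Logon Process Name", "?")
                                       for e in events if e["event_id"] == 515],
        "failures_total": len(failures),
        "failures_per_user": dict(per_user),
        "unknown_users": sorted(u for u in per_user if u.lower() not in known),
        "network_failures_via_server": len(remote_via_local),
        # the most common inter-attempt gap; a constant few seconds means a script
        "typical_gap_seconds": Counter(gaps).most_common(1)[0][0] if gaps else None,
        "logon_types_seen": sorted({LOGON_TYPES.get(int(e["Logon Type"]), "Unknown")
                                    for e in failures}),
        "logon_processes_seen": sorted({e["Logon Process"] for e in failures}),
    }


if __name__ == "__main__":
    for key, value in triage(parse_events(SAMPLE_LOG), ["jsmith", "Administrator"]).items():
        print(f"{key}: {value}")
```

Two things the summary makes visible that the raw log hides: the Workstation Name on every network failure is the server itself, because IIS performs the logon locally on the remote client's behalf, so these 529 records alone never tell you where the attempts came from; and a constant inter-attempt gap across many different account names is the signature of a scripted run rather than a user mistyping a password.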
 
LVL 8

Expert Comment

by:JasonBigham
ID: 9788628
In the end, at the least, busting out a sniffer may be appropriate.

Here is an example of a virus that could act in a similar fashion, not necessarily your issue though... just an example.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_WOMANIZ.C&VSect=T

 
LVL 26

Accepted Solution

by:
Vahik earned 250 total points
ID: 9788694
As long as you have a public address, folks (nice folks) will always try to
make trouble for you. So make sure you have the latest anti-spyware, anti-adware and antivirus software running on your servers. Try to disable FTP and also run the IIS Lockdown tool from Microsoft (that is a problem in itself). They will always keep trying; just make sure they don't succeed. One of the best ways without any fancy footwork is to enable a complex password policy on your network.
 

Author Comment

by:GoldbergLindsay
ID: 9789323
I do not have FTP service running on the server.

FTP should not be allowed through the firewall, but I am not positive.  I have the running config from my firewall.  What should or should not be stated for FTP?
 
LVL 8

Expert Comment

by:Icetoad
ID: 9801692
Your assumption is correct.   Best option is to log all traffic to your server on ports 80 and 25 using Ethereal.  You should be able to pull out the IP address of the offender. Once you have a nice long log, just go on ARIN, find out his local ISP's phone number, contact them, send them the logs... sit back and watch them cancel the little script kiddie's account, or at least his stolen account.
 

Expert Comment

by:jack3141
ID: 10055994
Last week I experienced the same symptoms on my NT 4.0 SP 6a Exchange 5.5 server.  The failed logins similarly attempted authentication for administrator, root, test, admin, abc, master, webmaster, web, www, backup, etc user accounts.  However, the Login Process Name in my case was: \msexcinc.exe (the Exchange Internet Connector).

The login attempts occurred at regular 5-second intervals, so I suspect an automated external attack mechanism, such as a worm, on TCP ports 80 or 25, which are open through our firewall.  I have no detailed traffic logs to confirm this.  But my application event log indicates that the malicious behavior originated from 219.153.150.109.

At this time, my investigation is focusing on what would cause a trusted (SMTP) process to register with the LSA, as well as attempting to replicate this event.  I will be glad to share my findings.
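Icetoad's suggestion (capture ports 80 and 25 and pull out the offender's address) and jack3141's report of the same guessing run arriving through the Exchange SMTP connector point at the same gap: the 529 records quoted above carry no source address, only the server's own Workstation Name, so the remote address has to come from the wire. The following is an added example, not code from the thread, that takes the client-to-server half of reassembled TCP streams (as a protocol analyzer's follow-stream view would present them), recovers the attempted username from HTTP Basic Authorization headers on port 80 and from SMTP AUTH LOGIN / AUTH PLAIN responses on port 25, groups the attempts by source IP, and matches them against the user names seen failing in the security log. The stream text, addresses and credentials are constructed, and it is an assumption that the attempts on this server arrived over those two mechanisms; NTLM/Negotiate exchanges do not expose a username this way, which the last sample stream illustrates.

```python
"""Added example: recover attempted usernames per source IP from captured
client-to-server HTTP and SMTP traffic, so they can be lined up with the
security log's 529 failures. Not code from the thread."""
import base64
import re
from collections import defaultdict

# Constructed sample: the client-to-server half of five TCP streams, as a
# protocol analyzer's "follow stream" view would present them. Addresses are
# from documentation ranges and every credential here is made up.
STREAMS = [
    {"src": "203.0.113.7", "dport": 80,
     "data": "GET /exchange/ HTTP/1.0\r\nHost: mail.example.test\r\n"
             "Authorization: Basic YmFja3VwOmJhY2t1cDEyMw==\r\n\r\n"},
    {"src": "203.0.113.7", "dport": 80,
     "data": "GET /exchange/ HTTP/1.0\r\nAuthorization: Basic cm9vdDp0b29y\r\n\r\n"},
    {"src": "198.51.100.22", "dport": 25,
     "data": "EHLO scanner\r\nAUTH LOGIN\r\nd2VibWFzdGVy\r\ncGFzc3dvcmQ=\r\n"},
    {"src": "198.51.100.22", "dport": 25,
     "data": "AUTH PLAIN AHd3dwBwYXNzd29yZA==\r\n"},
    # NTLM/Negotiate carries no cleartext username in the header; not decoded here.
    {"src": "192.0.2.10", "dport": 80,
     "data": "GET /exchange/ HTTP/1.0\r\nAuthorization: Negotiate TlRMTVNTUAABAAAA\r\n\r\n"},
]

BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I | re.M)


def _b64_text(token):
    """Strictly decode base64 to text; None for anything that is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def decode_http_basic(data):
    """Usernames from Authorization: Basic headers (base64 of 'user:password')."""
    for m in BASIC_RE.finditer(data):
        creds = _b64_text(m.group(1))
        if creds is not None and ":" in creds:
            yield creds.split(":", 1)[0]


def decode_smtp_auth(data):
    """Usernames from SMTP AUTH LOGIN and AUTH PLAIN client responses."""
    lines = [ln.strip() for ln in data.splitlines()]
    i = 0
    while i < len(lines):
        parts = lines[i].split()
        i += 1
        if len(parts) < 2 or parts[0].upper() != "AUTH":
            continue
        mech = parts[1].upper()
        # the initial response is either inline after the mechanism or on the next client line
        if len(parts) > 2:
            blob = parts[2]
        elif i < len(lines):
            blob, i = lines[i], i + 1
        else:
            break
        raw = _b64_text(blob)
        if raw is None:
            continue
        if mech == "PLAIN":                 # authzid \0 authcid \0 password
            fields = raw.split("\0")
            if len(fields) == 3:
                yield fields[1]
        elif mech == "LOGIN":               # first response is the username
            yield raw
            i += 1                          # the password response follows; skip it


DECODERS = {80: decode_http_basic, 25: decode_smtp_auth}


def attempts_by_source(streams):
    """Map source IP -> [(dport, username), ...] for every decodable attempt."""
    out = defaultdict(list)
    for s in streams:
        decoder = DECODERS.get(s["dport"])
        if decoder is None:
            continue
        for user in decoder(s["data"]):
            out[s["src"]].append((s["dport"], user))
    return dict(out)


def match_sources(attempts, failed_users):
    """Source IPs whose guessed usernames also appear among the log's failed logons."""
    wanted = {u.lower() for u in failed_users}
    return sorted(ip for ip, tries in attempts.items()
                  if any(user.lower() in wanted for _, user in tries))


if __name__ == "__main__":
    attempts = attempts_by_source(STREAMS)
    for ip, tries in attempts.items():
        print(ip, tries)
    print("sources to report:", match_sources(attempts, ["Administrator", "root", "backup", "www"]))
```

The username list is the join key: the security log gives you names and times but no address, the capture gives you addresses and names, and a source whose guessed names line up with the 529 failures is the one to take to ARIN and the ISP. Because both Basic and AUTH LOGIN/PLAIN send the password base64-encoded rather than encrypted, the same capture also shows exactly which passwords were tried, which is worth knowing before deciding whether any real account needs a reset.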