rowek
asked on
Logon Failure: Reason: Unknown user name or bad password User Name: webmaster
Could somebody please tell me where the user "webmaster" tried to log on to my server? It appears that it happened from on my server. We don't even have a userid called webmaster. We keep port 80 closed and only have 443 open. Did a program that sniffs 443 stumble across our private website from the outside? Note that this happend exactly at 6:00pm. We are running Windows Server 2003 SBS and Trend Micro Enterprise Antivirus. Could it be one of my serivces (like the Trend Micro) trying to log in?
Source Event ID Last Occurrence Total Occurrences
Security 529 2/27/2007 6:00 PM 1
Logon Failure:
Reason: Unknown user name or bad password
User Name: webmaster
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_P
Workstation Name: AJAX-SVR-2
Caller User Name: AJAX-SVR-2$
Caller Domain: AJAX
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1528
Transited Services: -
Source Network Address: -
Source Port: -
Source Event ID Last Occurrence Total Occurrences
Security 529 2/27/2007 6:00 PM 1
Logon Failure:
Reason: Unknown user name or bad password
User Name: webmaster
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_P
Workstation Name: AJAX-SVR-2
Caller User Name: AJAX-SVR-2$
Caller Domain: AJAX
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1528
Transited Services: -
Source Network Address: -
Source Port: -
Last Comment
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Quick update: I went to two sites: LIUtilities.com & http://www.processlibrary.com. Both sites agreed with you, the advapi.exe should be removed. When I used their free Spyeraser scan it only detected two suspect cookies, but no viruses. I am currently doing a manual Search for the EXE. Will let you know as soon as it completes. Thanks for the good start.
ASKER
Search could not find the exe. My anti-virus is up to date. What now?
PS I did read somewhere that advapi is a legitimate exe, but most sites say to delete it. Could another process rename it after it is done running? Does Search find hidden files?
PS I did read somewhere that advapi is a legitimate exe, but most sites say to delete it. Could another process rename it after it is done running? Does Search find hidden files?
ASKER
ooops, just saw under Advanced Search I can select hidden files. All it finds is references to Advapi.exe on browsed web pages.
ASKER
I downloaded the latest Window Defender and scanned. Nothing found. Ran Trend Micro scan, nothing found. What next?
SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Windows Server 2003
Windows Server 2003 was based on Windows XP and was released in four editions: Web, Standard, Enterprise and Datacenter. It also had derivative versions for clusters, storage and Microsoft’s Small Business Server. Important upgrades included integrating Internet Information Services (IIS), improvements to Active Directory (AD) and Group Policy (GP), and the migration to Automated System Recovery (ASR).
129K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
ASKER