rowek

asked on 

Logon Failure: Reason: Unknown user name or bad password User Name: webmaster

Could somebody please tell me where the user "webmaster" tried to log on to my server?  It appears that it happened from on my server.  We don't even have a userid called webmaster.  We keep port 80 closed and only have 443 open.  Did a program that sniffs 443 stumble across our private website from the outside?  Note that this happened exactly at 6:00pm.  We are running Windows Server 2003 SBS and Trend Micro Enterprise Antivirus.  Could it be one of my services (like the Trend Micro) trying to log in?

Source    Event ID  Last Occurrence     Total Occurrences
Security  529       2/27/2007 6:00 PM   1
Logon Failure:
  Reason: Unknown user name or bad password
  User Name: webmaster
  Domain:  
  Logon Type: 3
  Logon Process: Advapi
  Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  Workstation Name: AJAX-SVR-2
  Caller User Name: AJAX-SVR-2$
  Caller Domain: AJAX
  Caller Logon ID: (0x0,0x3E7)
  Caller Process ID: 1528
  Transited Services: -
  Source Network Address: -
  Source Port: -
 
Windows Server 2003
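
Reading the fields of the event quoted in the question, as an added example that is not part of the original thread: a Python sketch that parses the event text and reports what the record itself says about where the logon call came from. The function names and result keys are made up for this illustration; the logon type names and the 0x3E7 (LocalSystem) logon session are standard Windows values.

```python
import re

# Field lines copied from the Event 529 record quoted in the question.
EVENT_529 = """\
Logon Failure:
  User Name: webmaster
  Logon Type: 3
  Logon Process: Advapi
  Workstation Name: AJAX-SVR-2
  Caller User Name: AJAX-SVR-2$
  Caller Logon ID: (0x0,0x3E7)
  Caller Process ID: 1528
  Source Network Address: -
"""

LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 10: "RemoteInteractive"}

def parse_event(text):
    """Turn the 'Name: value' lines of an event description into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def triage(f):
    """Summarise what the record says about the origin of the logon call."""
    caller = f.get("Caller User Name", "")
    low_part = f.get("Caller Logon ID", "").strip("()").split(",")[-1]
    return {
        "logon_type": LOGON_TYPES.get(int(f["Logon Type"]), "Unknown"),
        # A caller name ending in '$' is a computer account, not a person.
        "caller_is_machine_account": caller.endswith("$"),
        # 0x3E7 is the well-known logon session of LocalSystem.
        "caller_is_local_system": int(low_part, 16) == 0x3E7,
        # Workstation equals the caller's machine: a process on this server made
        # the call (possibly a service passing on credentials from a client).
        "calling_process_on_this_host":
            caller.rstrip("$").lower() == f.get("Workstation Name", "").lower(),
        "no_source_address_logged": f.get("Source Network Address", "-") in ("", "-"),
        "caller_pid": int(f["Caller Process ID"]),
    }

if __name__ == "__main__":
    for key, value in triage(parse_event(EVENT_529)).items():
        print(f"{key}: {value}")
```

On the server, `tasklist /svc` lists each running process with its PID and hosted services, so the PID from the event can be matched while that process is still running.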

ASKER CERTIFIED SOLUTION
Brian Pierce
rowek

ASKER

Checking this right now.  Thanks!
rowek

ASKER

Quick update:  I went to two sites: LIUtilities.com & http://www.processlibrary.com.  Both sites agreed with you, the advapi.exe should be removed.  When I used their free Spyeraser scan it only detected two suspect cookies, but no viruses.  I am currently doing a manual Search for the EXE. Will let you know as soon as it completes.  Thanks for the good start.
rowek

ASKER

Search could not find the exe.  My anti-virus is up to date. What now?

PS  I did read somewhere that advapi is a legitimate exe, but most sites say to delete it. Could another process rename it after it is done running? Does Search find hidden files?
rowek

ASKER

Oops, just saw under Advanced Search I can select hidden files.  All it finds is references to Advapi.exe on browsed web pages.
rowek

ASKER

I downloaded the latest Windows Defender and scanned.  Nothing found. Ran Trend Micro scan, nothing found.  What next?
SOLUTION
dooleydog
