Djrobluv asked:
Exchange 2003 Intruder trying to logon
I just noticed a situation on our Exchange Server in the Security Event Viewer. It looks as though someone is trying to log on to our Exchange Server. The only port open to this server is port 25 from the outside. So far the intruder has been unable to log on. How should I go about finding out how they are trying to log in? Any help in pointing me in the right direction would be appreciated. Here is what was found in the Event Log:
Logon Failure:
Reason: Unknown user name or bad password
User Name: SERVER$
Domain: IPCRI
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: SERVER
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
Also reset the administrator password as well.
ASKER
Well I see different usernames being used. This is just one of a few that has been tried. Plus the Domain name changes each time.
I see - I thought that IPCRI may have been your real domain name. I can't think of anything on port 25 that could be used for any kind of login (SMTP doesn't require it), so my first guess would be that something inside your LAN is doing it. If there are lots of these things (i.e. faster than a human could attempt it), then it must be automated, which suggests some kind of virus or other malware.
Are you absolutely sure that this server can only be reached on port 25 from the outside world?
ASKER
My exact thoughts. I think I may have narrowed it down to a user. I'll let you know what I find.
ASKER
Sorry it took so long to respond back, but it wasn't that user at all. I turned off all workstations and I still see this person trying to get in. Does anyone know how this person is trying to log on to my server? Are there any tools out there I could use?
I would try switching off your router (or whatever you use to connect to the outside world) for a short while, and see if the logons continue. If they do, then it could be something on the server.
ASKER
I think I have found the problem. IIS was running on our VPN Server and the web services were running. I removed IIS from that system and have been monitoring our Exchange server for the past week, and no more logging has been occurring. How do I remove this question now, since the website has changed?
ASKER CERTIFIED SOLUTION
http://support.microsoft.com/kb/811082
You will need to study the dates and times of the events, and how long they have been going on for, to see if it's likely that you are being targeted. Also, some system processes can cause unexpected events like this, since they need to log on, too. If they appear 24 hours a day, then it's likely that something on the server itself is misconfigured.
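As an added example (not part of the thread or its accepted answer), the script below applies the two checks suggested above to the event text format quoted in the question: it groups the logon failures by Workstation Name, collects the changing domain/user pairs, and flags a source whose attempts arrive faster than a human could type them or are spread over every hour of the day. The field names are taken from the quoted events; the timestamps and the second workstation (WKS01) are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Field names exactly as they appear in the Windows Server 2003 security log text quoted above.
FIELD_RE = re.compile(
    r"^(User Name|Domain|Logon Type|Logon Process|Workstation Name|Source Network Address):\s*(.*)$", re.M)

def parse_event(text):
    """Turn one 'Logon Failure' event body into a dict of the fields of interest."""
    return {k: v.strip() for k, v in FIELD_RE.findall(text)}

def triage(events, human_floor_s=5.0):
    """events: list of (datetime, event_text). Groups failures by originating workstation (the only
    source field populated in these events) and flags attempts faster than a human could type
    (median gap below human_floor_s) and attempts spread over (nearly) every hour of the day."""
    by_ws = defaultdict(list)
    for when, text in sorted(events, key=lambda e: e[0]):
        f = parse_event(text)
        by_ws[f.get("Workstation Name", "-")].append((when, f.get("Domain", "-"), f.get("User Name", "-")))
    report = {}
    for ws, rows in by_ws.items():
        times = [r[0] for r in rows]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[ws] = {
            "count": len(rows),
            "accounts": sorted({(d, u) for _, d, u in rows}),   # distinct domain/user pairs tried
            "median_gap_s": median(gaps) if gaps else None,
            "automated": bool(gaps) and median(gaps) < human_floor_s,
            "round_the_clock": len({t.hour for t in times}) >= 20,
        }
    return report

# Constructed sample data (not from the thread): the event body quoted above, reused with varying fields.
TEMPLATE = ("Logon Failure:\nReason: Unknown user name or bad password\nUser Name: {user}\n"
            "Domain: {domain}\nLogon Type: 3\nLogon Process: NtLmSsp\nAuthentication Package: NTLM\n"
            "Workstation Name: {ws}\nSource Network Address: -")

def sample_events():
    base = datetime(2005, 3, 1, 0, 0, 0)
    ev = [(base + timedelta(minutes=30 * i), TEMPLATE.format(user="SERVER$", domain="IPCRI", ws="SERVER"))
          for i in range(48)]                                      # one failure every 30 min, all day
    ev += [(base + timedelta(hours=9, seconds=i),                   # ten failures one second apart,
            TEMPLATE.format(user=f"USER{i}", domain=f"DOM{i}", ws="WKS01"))  # names changing each time
           for i in range(10)]
    return ev

if __name__ == "__main__":
    print(triage(sample_events()))
```

A real export from Event Viewer carries a Date/Time per record; feed those as the first tuple element and the same grouping applies.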