Djrobluv

asked on

Exchange 2003 Intruder trying to logon

I just noticed a situation on our Exchange Server in the Security Event Viewer. Looks as though someone is trying to log on to our Exchange Server. The only port open to this server is port 25 from the outside. So far the intruder has been unable to log on. How should I go about trying to find out how they are trying to log in? Any help in pointing me in the right direction will help. Here is what was found in the Event Log:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      SERVER$
       Domain:            IPCRI
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      SERVER
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -
LeeDerbyshire

It might be something as simple as this:
http://support.microsoft.com/kb/811082
You will need to study the dates and times of the events, and how long they have been going on for, to see if it's likely that you are being targeted.  Also, some system processes can cause unexpected events like this, since they need to log on, too.  If they appear 24 hours a day, then it's likely that something on the server itself is misconfigured.
poweruser32

Also reset the administrator password as well.
Djrobluv

ASKER

Well I see different usernames being used. This is just one of a few that has been tried. Plus the Domain name changes each time.
I see - I thought that IPCRI may have been your real domain name.  I can't think of anything on port 25 that could be used for any kind of login (SMTP doesn't require it), so my first guess would be that something inside your LAN is doing it.  If there are lots of these things (i.e. faster than a human could attempt it), then it must be automated, which suggests some kind of virus or other malware.

Are you absolutely sure that this server can only be reached on port 25 from the outside world?
My exact thoughts. I think I may have narrowed it down to a user. I'll let you know what I find.
Sorry it took so long to respond back, but it wasn't that user at all. I turned off all workstations and I still see this person trying to get in. Does anyone know how this person is trying to log on to my server? Are there any tools out there I could use?
I would try switching off your router (or whatever you use to connect to the outside world) for a short while, and see if the logons continue.  If they do, then it could be something on the server.
I think I have found the problem. IIS was running on our VPN Server and the web services were running. I removed IIS from that system and have been monitoring our Exchange server for the past week, and no more logging has been occurring. How do I remove this question now, since the website has changed?
I'm not sure.  There's something here that might help:

https://www.experts-exchange.com/help.jsp#hs5
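
The checks suggested in the replies above (how closely spaced the failures are, whether they occur at all hours, whether user names and domains keep changing), written out as an added Python example that is not part of the original thread. It assumes the failures were exported as text in the field layout quoted in the question, with a `Date:` line before each record; that `Date:` line, the sample records, and the thresholds are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample records in the field layout quoted in the question.
# The "Date:" line and every value except SERVER$/IPCRI are assumptions.
def make_record(ts, user, domain, src="-"):
    return (f"Date: {ts}\nLogon Failure:\n\tUser Name:\t{user}\n\tDomain:\t\t{domain}\n"
            f"\tLogon Type:\t3\n\tSource Network Address:\t{src}\n")

SAMPLE = "".join(make_record(*r) for r in [
    ("2007-03-12 02:14:05", "SERVER$", "IPCRI"),
    ("2007-03-12 02:14:06", "admin", "MAIL"),
    ("2007-03-12 02:14:08", "backup", "CORP"),
    ("2007-03-12 14:30:41", "test", "WORKGROUP"),
])

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")

def parse_events(text):
    """Split the export into one dict per failure, keyed by field name."""
    events, cur = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Date":                      # a Date line starts a new record
            cur = {"time": datetime.strptime(val, "%Y-%m-%d %H:%M:%S")}
            events.append(cur)
        elif cur is not None and val:          # skip bare headers like "Logon Failure:"
            cur[key] = val
    return events

def triage(events, human_gap_s=3):
    """Summarise timing and identity spread; thresholds are illustrative."""
    times = sorted(e["time"] for e in events)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    fast = sum(1 for g in gaps if g < human_gap_s)
    return {
        "attempts": len(events),
        "users": sorted({e.get("User Name", "?") for e in events}),
        "domains": sorted({e.get("Domain", "?") for e in events}),
        "hours_seen": sorted({t.hour for t in times}),   # spread over the day
        "fast_gaps": fast,                               # gaps shorter than a human retry
        "likely_automated": fast >= 2,
        "source_recorded": any(e.get("Source Network Address", "-") != "-" for e in events),
    }

if __name__ == "__main__":
    print(triage(parse_events(SAMPLE)))
```

When `source_recorded` is false, as in the event quoted in the question, the Security log alone cannot attribute the attempts, so firewall or router logs for the same timestamps are the next place to look.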
ASKER CERTIFIED SOLUTION
Computer101