Suspected hacking attempts

Hi folks

I need some help with an apparent security problem, please.
I am getting events as below, in random blocks - nothing or several days, then up to a hundred similar events in the space of a few hours.  I suspect it is a hacking attempt because there are different generic usernames being employed, i.e. admin, root, www, administrator, test, master, etc.

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            26/03/2007
Time:            04:27:13
User:            NT AUTHORITY\SYSTEM
Computer:      OUR-SERVER
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      test
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      OUR-SERVER
       Caller User Name:      OUR-SERVER$
       Caller Domain:      OUR-DOMAIN
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      2592
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

As you can see, the eventlog is no help in identifying the port being used.
We run a vpn for two users within the organisation and MS Exchange within SBS2003.  I have port-scanned up to port 1055 using Shields-Up & everything is stealthed, except the following ports:
Open - 25 - smtp
Closed - 110 - pop3
Open - 443 - https
Open - 444 - snmp

Do you think that these are hacking attempts?  
Do I need these ports open for our mail & remote users?
Is there a way I can get information as to the originating port?

Any help appreciated.
Many thanks
Yep, I'd say it's just a bot taking random guesses at any servers it comes across.  Provided you don't have any basic passwords set up on accounts you should be fine.  However, if there are ports you can close then you should close them.

25 - Has to be open to receive mail.
110 - If you have external users connecting to the server directly to get their mail by POP this port has to be open, otherwise close it.
443 - Do you use Outlook Web Access from external locations?  If so then yes this port needs to be open, otherwise close it.
444 - Not sure why you have this open externally?  I've never needed to open it before, so I'd close it.

If the only external access is through those two VPNs then the only port you really need open to the server directly is 25.  All other traffic will come through the VPN in which case they should be bypassing these rules anyway.
morse57 (Author) Commented:
Thanks.  I'm going to try things out with 443/4 closed & test the access.  I'll let you know how it goes.
Do you have any suggestion as to how I can get the information as to which port is being used for these attempts, please?

Well Advapi is the logon process IIS uses to do user authentication.  I don't believe this would be used by SMTP, POP3 or SNMP so I'd suspect the bot/person in question was trying to access your server through HTTPS (443).  Maybe trying to just access https://YourServerAddress or maybe trying to get into Outlook Web Access if you have it open and listening on HTTPS.

So if you have nobody using OWA externally and your only external users are coming through a VPN then you should have no need for port 443 to be open at the perimeter firewall.
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
It's very unlikely that it's a hack attempt, since the originating server name is also not randomized.  Also, a logon type of 3 indicates a NETWORK logon attempt.  The cause of these events is generally due to the MACHINE account password being out of sync.  Take a look at this newsgroup post which shows almost your EXACT error message:

Then follow the advice of the post to use NETDOM to reset the password.  


P. S.  Just to clarify the SBS ports that are used, 444 is not SNMP it's used for SharePoint.  These are the common ones and I generally have all of them open without issue:

25 - SMTP
443 - HTTPS (for RWW and OWA)
444 - SharePoint
1723 - PPTP VPN
3389 - RDP for remote administration
4125 - Remote Web Workplace


The different usernames being used do suggest an attempt to hack the webserver; a machine account out of sync doesn't come up with those sorts of usernames.  Just looks like a pretty generic hacking attempt to me.
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
Well, that could be right... but WMI does actually use www, root, and master login names.  There could be other programs running that use the others.  

I am definitely aware of dictionary attacks though... my web servers fend off about 1,000 hits per night with "Illegal user test from..." lines filling up my security log reports.  Unfortunately on those servers I cannot close down ports, so it's just a constant watch to ensure they never get through.

But in this case, unless port 445 is open the packets wouldn't ever reach the server from the Internet.
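The thread puts forward two readings of the same Event ID 529 records: a bot cycling through generic usernames, or a machine account whose password is out of sync. The following script is an added example, not code from the thread or from any of the posters. It parses a Security log exported in the text layout shown in the question, groups the 529 failures into bursts, and labels each burst by the username pattern (many distinct generic names versus one account repeated). The generic-name list, the one-hour burst gap, the verdict strings and the sample records are all constructed assumptions; the script only sorts the records into patterns, it does not decide which explanation applies to a given server.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Generic names from the question plus a few common ones (constructed list).
GENERIC_NAMES = {"admin", "administrator", "root", "www", "test", "master", "guest", "user"}

VERDICT_GUESSING = "password guessing: many distinct generic usernames in one burst"
VERDICT_SINGLE_ACCOUNT = "repeated failures for one account: check that account (if it ends in $, the machine account password)"
VERDICT_UNCLEAR = "mixed pattern: inspect caller process and logon process by hand"

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_events(text):
    """Split an Event Viewer text export into one dict per event.

    A new event starts at each 'Event Type:' line; every other 'Key: value'
    line is stored under its key (indented detail lines included).
    """
    events, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2)
        if key == "Event Type":
            current = {}
            events.append(current)
        if current is not None:
            current[key] = value
    return events


def event_time(ev):
    # Dates in the export are dd/mm/yyyy, as in the question.
    return datetime.strptime(ev["Date"] + " " + ev["Time"], "%d/%m/%Y %H:%M:%S")


def bursts(events, gap=timedelta(hours=1)):
    """Group Event ID 529 failures into bursts separated by more than `gap` (assumed threshold)."""
    failures = sorted((e for e in events if e.get("Event ID") == "529"), key=event_time)
    groups = []
    for ev in failures:
        if groups and event_time(ev) - event_time(groups[-1][-1]) <= gap:
            groups[-1].append(ev)
        else:
            groups.append([ev])
    return groups


def classify(burst):
    """Summarise one burst and label the pattern it most resembles."""
    names = Counter(e.get("User Name", "").lower() for e in burst)
    total = len(burst)
    generic = sum(c for n, c in names.items() if n in GENERIC_NAMES)
    machine = sum(c for n, c in names.items() if n.endswith("$"))
    summary = {
        "first": event_time(burst[0]),
        "events": total,
        "distinct_users": len(names),
        "generic_ratio": generic / total,
        "machine_account_ratio": machine / total,
        # With Logon Process Advapi the export shows '-' here, so the log
        # alone cannot name the source address or port (as the question says).
        "source_address_logged": any(
            e.get("Source Network Address", "-") not in ("-", "") for e in burst),
    }
    if len(names) >= 3 and summary["generic_ratio"] >= 0.5:
        summary["verdict"] = VERDICT_GUESSING
    elif len(names) == 1:
        summary["verdict"] = VERDICT_SINGLE_ACCOUNT
    else:
        summary["verdict"] = VERDICT_UNCLEAR
    return summary


def analyse(text):
    return [classify(b) for b in bursts(parse_events(text))]


def make_event(date, time, user, caller="OUR-SERVER$", source="-"):
    """Build one 529 record in the same layout as the question (constructed data)."""
    return (
        f"Event Type:      Failure Audit\nEvent Source:      Security\n"
        f"Event ID:      529\nDate:            {date}\nTime:            {time}\n"
        f"User:            NT AUTHORITY\\SYSTEM\nComputer:      OUR-SERVER\n"
        f"Logon Failure:\n       Reason:            Unknown user name or bad password\n"
        f"       User Name:      {user}\n       Logon Type:      3\n"
        f"       Logon Process:      Advapi\n       Caller User Name:      {caller}\n"
        f"       Source Network Address:      {source}\n\n"
    )


# Constructed sample: a burst of generic names, then days later three
# failures for the server's own computer account.
SAMPLE_LOG = "".join(
    [make_event("26/03/2007", t, u) for t, u in
     [("04:27:13", "test"), ("04:27:20", "admin"), ("04:27:31", "root"),
      ("04:27:44", "www"), ("04:27:58", "master")]]
    + [make_event("29/03/2007", t, "OUR-SERVER$") for t in
       ("02:10:05", "02:10:06", "02:10:07")]
)

if __name__ == "__main__":
    for s in analyse(SAMPLE_LOG):
        print(f"{s['first']}: {s['events']} failures, {s['distinct_users']} users -> {s['verdict']}")
```

Run it against a real export (Event Viewer, Save As text) by reading the file into `analyse`. Because the Source Network Address field is blank for these Advapi logons, the port question in the original post cannot be answered from the Security log; the Caller Process ID in each record (2592 in the question) can be matched to a running process with `tasklist` while the burst is in progress, which tells you which service accepted the connection, and that service's own logs or the perimeter firewall log then give the remote address.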

morse57 (Author) Commented:
Thanks for your input, Jeff - relevant & valuable as ever.
I've just tried your suggestion & I'm having some trouble getting a service to start.  
The problem doesn't occur every day so I'll probably need to leave it for a few days to see what happens next.
I'll let you know when I've resolved the startup & see some results.  
morse57 (Author) Commented:
Thanks everyone for your input.

Jeff - you hit the nail on the head.  

Thanks once again.

Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
Good thing I didn't hit my thumb with the hammer!
