

Suspected hacking attempts

Posted on 2007-03-26
Medium Priority
Last Modified: 2013-12-04
Hi folks

I need some help with an apparent security problem, please.
I am getting events as below, in random blocks - nothing for several days, then up to a hundred similar events in the space of a few hours.  I suspect it is a hacking attempt because there are different generic usernames being employed, i.e. admin, root, www, administrator, test, master, etc.

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            26/03/2007
Time:            04:27:13
User:            NT AUTHORITY\SYSTEM
Computer:      OUR-SERVER
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      test
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      OUR-SERVER
       Caller User Name:      OUR-SERVER$
       Caller Domain:      OUR-DOMAIN
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      2592
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

As you can see, the eventlog is no help in identifying the port being used.
We run a vpn for two users within the organisation and MS Exchange within SBS2003.  I have port-scanned up to port 1055 using Shields-Up & everything is stealthed, except the following ports:
Open - 25 - smtp
Closed - 110 - pop3
Open - 443 - https
Open - 444 - snmp

Do you think that these are hacking attempts?  
Do I need these ports open for our mail & remote users?
Is there a way I can get information as to the originating port?

Any help appreciated
Many thanks
Question by:morse57
LVL 11

Expert Comment

ID: 18791839
Yep, I'd say it's just a bot taking random guesses at any servers it comes across.  Provided you don't have any basic passwords set up on accounts you should be fine.  However, if there are ports you can close then you should close them.

25 - Has to be open to receive mail.
110 - If you have external users connecting to the server directly to get their mail by POP this port has to be open, otherwise close it.
443 - Do you use Outlook Web Access from external locations?  If so then yes this port needs to be open, otherwise close it.
444 - Not sure why you have this open externally?  I've never needed to open it before, so I'd close it.

If the only external access is through those two VPNs then the only port you really need open to the server directly is 25.  All other traffic will come through the VPN in which case they should be bypassing these rules anyway.

Author Comment

ID: 18791951
Thanks.  I'm going to try things out with 443/4 closed & test the access.  I'll let you know how it goes.
Do you have any suggestion as to how I can get the information as to which port is being used for these attempts, please?

LVL 11

Expert Comment

ID: 18792039
Well Advapi is the logon process IIS uses to do user authentication.  I don't believe this would be used by SMTP, POP3 or SNMP so I'd suspect the bot/person in question was trying to access your server through HTTPS (443).  Maybe trying to just access https://YourServerAddress or maybe trying to get into Outlook Web Access if you have it open and listening on HTTPS.

So if you have nobody using OWA externally and your only external users are coming through a VPN then you should have no need for port 443 to be open at the perimeter firewall.

LVL 74

Accepted Solution

Jeffrey Kane - TechSoEasy earned 2000 total points
ID: 18792448
It's very unlikely that it's a hack attempt, since the originating server name is also not randomized.  Also, a logon type of 3 indicates a NETWORK logon attempt.  The cause of these events is generally due to the MACHINE account password being out of sync.  Take a look at this newsgroup post which shows almost your EXACT error message:

Then follow the advice of the post to use NETDOM to reset the password.  


P.S.  Just to clarify the SBS ports that are used, 444 is not SNMP, it's used for SharePoint.  These are the common ones and I generally have all of them open without issue:

25 - SMTP
443 - HTTPS (for RWW and OWA)
444 - SharePoint
1723 - PPTP VPN
3389 - RDP for remote administration
4125 - Remote Web Workplace


Expert Comment

ID: 18792778
The different usernames being used do suggest an attempt to hack the webserver; a machine account out of sync doesn't come up with those sorts of usernames. Just looks like a pretty generic hacking attempt to me.
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18792994
Well, that could be right... but WMI does actually use www, root, and master login names.  There could be other programs running that use the others.  

I am definitely aware of dictionary attacks though... my web servers fend off about 1,000 hits per night with "Illegal user test from..." lines filling up my security log reports.  Unfortunately on those servers I cannot close down ports, so it's just a constant watch to ensure they never get through.

But in this case, unless port 445 is open the packets wouldn't ever reach the server from the Internet.


Author Comment

ID: 18793216
Thanks for your input, Jeff - relevant & valuable as ever.
I've just tried your suggestion & I'm having some trouble getting a service to start.  
The problem doesn't occur every day so I'll probably need to leave it for a few days to see what happens next.
I'll let you know when I've resolved the startup & see some results.  

Author Comment

ID: 18834996
Thanks everyone for your input.

Jeff - you hit the nail on the head.  

Thanks once again.

LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18855234
Good thing I didn't hit my thumb with the hammer!


Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question