bleujaegel asked:
Event ID 529 failure origin

Does anyone have any idea where this Event ID 529 failure would originate from?  Server1 is a physically secured W2K3 server, yet I am getting a failure that doesn't have a source IP or port.  There were around 100 failures in the logs within the range of a minute or so.  My guess is that someone is intentionally masking this information.   But HOW?  The server has Exchange, OWA, and a VPN running on it.  Ports 25, 80, and 1723 are open currently.  Any ideas?

Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      notused
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      Server1
       Caller User Name:      Server1$
       Caller Domain:      MYDOMAIN
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      1920
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -
Toni Uranjek

Hi!

Check the process ID number. Which process has PID 1920 on your server?

Toni
bleujaegel (asker)
It is inetinfo.exe.
Well, then you will have to check the IIS logs in the C:\WINDOWS\system32\LogFiles folder. Check the traffic that is related to your events in Event Viewer. You will get at least an IP address. If the IP address is external and you are actually being attacked, you can block traffic from that IP on your firewall (hopefully) or report the attack to the ISP to which this IP was assigned.
Checking IIS logs is easier with log analyzer utilities, but in this case you have the time of the event, so it shouldn't be hard for you to find the related traffic.
And if this is not attack-related traffic, then you might want to check out this KB article: How to troubleshoot Kerberos-related issues in IIS: http://support.microsoft.com/kb/326985
The logfile doesn't show an entry at the time indicated in the event logs.  
Toni Uranjek (accepted solution; the text of this post is not shown on this page)
It isn't logging anything at that time related to the attempt.  Someone has tried again, so it is not related to the last article.  Someone is intentionally trying to get in.
(Solution post; the text is not shown on this page)
Believe me, I've tried that.  When I connect to it remotely with a bad password, I get:

Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      hacker
       Domain:            mail.domain.org
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      WS07
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:       1.1.1.1
       Source Port:      19133

The person attempting leaves a failure audit as shown in my original post.  Any other ideas?
Here is a VPN failed attempt:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      hacker
       Domain:            DOMAIN
       Logon Type:      3
       Logon Process:      IAS
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      
       Caller User Name:      SERVER$
       Caller Domain:      DOMAIN
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      868
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -
This conceals the source information, but uses IAS instead of ADVAPI, so it's not it either. Terminal users have different logon type numbers altogether, so it isn't that.
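The three event bodies posted in this thread differ in exactly the fields that tell you where an attempt came from: NtLmSsp events carry a source address, IAS events come from the RADIUS/VPN path, and Advapi events are a local process calling the LogonUser API (which is why the source fields are blank and the caller is the machine account in the LocalSystem session 0x3E7). As an added example, not part of the original thread, here is a small Python triage script that parses those 529 descriptions and classifies them on that basis. The event texts are copied from the posts above; the PID-to-process mapping is a constructed stand-in for what Task Manager or `tasklist` shows on the server (only PID 1920 is identified in the thread).

```python
"""Triage Windows Server 2003 Event ID 529 (logon failure) descriptions by
where the attempt originated, using the fields in the event text.

Added example. The three event bodies are copied from the thread; PID_NAMES
is a constructed stand-in for the server's process list.
"""
import re

EVENT_ADVAPI = """Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      notused
       Domain:
       Logon Type:      3
       Logon Process:      Advapi
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      Server1
       Caller User Name:      Server1$
       Caller Domain:      MYDOMAIN
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      1920
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -"""

EVENT_NTLM = """Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      hacker
       Domain:            mail.domain.org
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      WS07
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:       1.1.1.1
       Source Port:      19133"""

EVENT_IAS = """Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      hacker
       Domain:            DOMAIN
       Logon Type:      3
       Logon Process:      IAS
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:
       Caller User Name:      SERVER$
       Caller Domain:      DOMAIN
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      868
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -"""

# Constructed: only PID 1920 is identified in the thread (inetinfo.exe).
PID_NAMES = {1920: "inetinfo.exe"}

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_529(text):
    """Turn the 'Name: value' lines of a 529 description into a dict.
    An empty value and '-' both mean 'not recorded' and become None."""
    fields = {}
    for line in text.splitlines()[1:]:          # skip the 'Logon Failure:' header
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        fields[key] = None if value in ("", "-") else value
    return fields


def classify(fields, pid_names=PID_NAMES):
    """Say where the failed logon came from, based on the recorded fields."""
    proc = fields.get("Logon Process")
    src = fields.get("Source Network Address")
    if src:
        # Network authentication (NTLM via NtLmSsp here): the client address is recorded.
        return f"remote {proc} logon from {src}:{fields.get('Source Port')}"
    if proc == "IAS":
        # RADIUS authentication by Internet Authentication Service (RRAS/VPN):
        # the event has no client address; the IAS/RRAS logs do.
        return "IAS (RADIUS/VPN) authentication; source not in event, check IAS/RRAS logs"
    if proc == "Advapi":
        # 'Advapi' means a local process called the LogonUser API to verify a password.
        # Caller Logon ID (0x0,0x3E7) is the LocalSystem session, so the caller is a service;
        # the network source, if any, is only in that service's own logs.
        pid = int(fields["Caller Process ID"])
        name = pid_names.get(pid, "unknown process")
        return (f"LogonUser call by PID {pid} ({name}) running as "
                f"{fields.get('Caller User Name')}; source not in event, "
                f"check that service's own logs")
    return f"unclassified logon process {proc!r}"


def triage(events=(EVENT_ADVAPI, EVENT_NTLM, EVENT_IAS)):
    return [classify(parse_529(e)) for e in events]


if __name__ == "__main__":
    for verdict in triage():
        print(verdict)
```

On the server itself, `tasklist /svc` lists PIDs with the services hosted in each process, which is how the PID 1920 to inetinfo.exe link in this thread would be made; feed that output into PID_NAMES and the Advapi branch names the service to go and look at.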

I finally figured out the problem.  It is failed SMTP authentication attempts.  In other words, people trying to use us as an open relay.  I verified this by using Outlook Express to create a remote email account via pop.  I enabled SMTP authentication, and checked the server logs after it failed.  It was an exact match.  Also, I get the same failure audits using telnet:

C:\> telnet mail.mydomain.com 25
ehlo mydomain.com
auth login (starts SMTP AUTH LOGIN; the credentials that follow are Base64-encoded, not encrypted)
334 VXNlcm5hbWU6 (output from server; Base64 for "Username:")
Ymx1dWVuY29kZWQ=  (Base64-encoded username, see below)
334 UGFzc3dvcmQ6 (output from server; Base64 for "Password:")
Mypassword (the password must also be sent Base64-encoded)
535 5.7.3 Authentication unsuccessful.

I used the binary encoder at http://www.webpan.com/customers/Email/base64_conversion.htm to
generate the Base64 encrypted username.
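The telnet session above is the whole protocol: AUTH LOGIN, a 334 challenge that is just Base64 for "Username:", the Base64 username, a 334 challenge for "Password:", the Base64 password, then 235 or 535. As an added example, not part of the original thread, this Python script reproduces that exchange offline so both sides can be read together. decode_challenge() decodes the two challenge strings posted above; FakeSmtpAuthServer is a constructed stand-in for the server side (its account list is made up, and it answers a non-Base64 credential line with 501 as RFC 4954 specifies, which may differ from what Exchange 2003 returned in the thread); auth_login_over_smtp() runs the same steps against a real host with smtplib and is not exercised here.

```python
"""SMTP AUTH LOGIN, both sides, as an offline walk-through.

Added example. FakeSmtpAuthServer and its account list are constructed;
auth_login_over_smtp() talks to a real server and is not run here.
"""
import base64


def b64(text):
    """Base64-encode a credential or prompt as the client/server send it."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def unb64(text):
    """Decode a Base64 line; raises ValueError (binascii.Error) if it is not Base64."""
    return base64.b64decode(text, validate=True).decode("utf-8")


def decode_challenge(reply):
    """Decode an SMTP '334 <base64>' challenge to the prompt it carries."""
    code, _, payload = reply.strip().partition(" ")
    if code != "334":
        raise ValueError(f"not an AUTH challenge: {reply!r}")
    return unb64(payload)


class FakeSmtpAuthServer:
    """Server side of AUTH LOGIN per RFC 4954 (constructed stand-in, not Exchange)."""

    def __init__(self, accounts):
        self.accounts = accounts      # username -> password (made-up test data)
        self.state = None             # None, 'user' or 'pass'
        self.user = None

    def handle(self, line):
        if self.state is None:
            if line.strip().upper() == "AUTH LOGIN":
                self.state = "user"
                return "334 " + b64("Username:")
            return "503 5.5.1 Bad sequence of commands"
        try:
            value = unb64(line.strip())
        except ValueError:
            # Credential lines must be Base64; a bare 'Mypassword' is a syntax error.
            self.state = None
            return "501 5.5.2 Cannot decode response"
        if self.state == "user":
            self.user, self.state = value, "pass"
            return "334 " + b64("Password:")
        ok = self.accounts.get(self.user) == value
        self.state = None
        return ("235 2.7.0 Authentication successful" if ok
                else "535 5.7.3 Authentication unsuccessful")


def auth_login(server, user, password):
    """Client side of the exchange; returns the [(sent, reply), ...] transcript."""
    transcript = []
    for out in ("AUTH LOGIN", b64(user), b64(password)):
        reply = server.handle(out)
        transcript.append((out, reply))
        if not reply.startswith("334"):
            break
    return transcript


def auth_login_over_smtp(host, user, password, port=25):
    """The same steps against a real server (network access; not run in tests)."""
    import smtplib
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        replies = [smtp.docmd("AUTH", "LOGIN")]
        for step in (b64(user), b64(password)):
            if replies[-1][0] != 334:
                break
            replies.append(smtp.docmd(step))
        return replies


if __name__ == "__main__":
    server = FakeSmtpAuthServer({"relayuser": "correct-horse"})
    for sent, reply in auth_login(server, "relayuser", "wrong-password"):
        print(f"C: {sent}\nS: {reply}")
```

Every 535 from the stand-in corresponds to one password check the real server would have done on the submitted account, which is the LogonUser call that shows up as a 529 with Logon Process Advapi and the SMTP service's PID; the IP address of the client is only in the SMTP service's own log, never in the security event.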