Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

MSFTPSVC System Event Error

Posted on 2007-12-06
9
Medium Priority
?
2,198 Views
Last Modified: 2013-12-04
Inside the event log for our server I am getting the following "System Error":

Event Type:      Warning
Event Source:      MSFTPSVC
Event Category:      None
Event ID:      100
Date:            12/5/2007
Time:            7:27:24 PM
User:            N/A
Computer:      ASEMAIL
Description:
The server was unable to logon the Windows NT account 'vipafw' due to the following error: Logon failure: account currently disabled.  The data is the error code.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 33 05 00 00               3...    

I had a server that went down yesterday evening. I don't see anything in the application or any of the other event logs. But the above started yesterday and continued for several hours and occured every couple seconds. Is this from someone trying to log into our FTP site? Could this cause the server to crash? Any ideas on how I can keep this from happening?
0
Comment
Question by:kserritt
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 39

Expert Comment

by:ChiefIT
ID: 20420642
Sounds like an attempted hack to your FTP site. Someone failed to logon too many times and FTP service shut down.

On your FTP machine, you should see security event, in event viewer,  related to this failure to logon.
0
 

Author Comment

by:kserritt
ID: 20420701
There are only a few failure audits under the security event while there are several hundred warnings under system event. The failure audit is:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      531
Date:            12/5/2007
Time:            7:27:24 PM
User:            NT AUTHORITY\SYSTEM
Computer:      ASEMAIL
Description:
Logon Failure:
       Reason:            Account currently disabled
       User Name:      vipafw
       Domain:            ASE
       Logon Type:      8
       Logon Process:      IIS    
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      ASEMAIL
       Caller User Name:      ASEMAIL$
       Caller Domain:      ASE
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      1800
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

So how do I keep this type of thing from happening? Do you think this would crash the server?
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 20421196
Event ID 531 is telling you that too many attempts were made and it is shutting down the services. Event 100 is basically saying the same thing.

I am assuming ASEMAIL is your mail computer. Do  you know who vipafw is, because your mail server is trying to contact that user using the system's credentials, not a specified FTP set of credentials? Why this is knocking down FTP has yet to be determined.

Maybe you are using FTP to transport your mail from one site to another.
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 

Author Comment

by:kserritt
ID: 20421211
The vipafw user was a client we had a user set up for to access our FTP site. That account has been disabled.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 20421369
Was the mail account for vipafw removed or disabled, because it sounds like your mail server is trying to connect to vipafw by using FTP?

0
 

Author Comment

by:kserritt
ID: 20421420
To my knowledge the vipafw user never had a mailbox it was just a user account added to AD so the client could access our FTP site. I wasn't around when the user was added so not positive about it never having a mailbox but when I go to Exchange System Manager there is no mailbox there for the user enabled or disabled.
0
 

Author Comment

by:kserritt
ID: 20421655
Ok going back in the Security Log further there are more failure audits for earlier in the day yesterday. They are occuring about every 3 to 5 seconds beginning at 8:00 in the morning. The 2 errors are:

First Error:
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      680
Date:            12/5/2007
Time:            8:02:03 AM
User:            NT AUTHORITY\SYSTEM
Computer:      ASEMAIL
Description:
Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:      Administrator
 Source Workstation:      ASEMAIL
 Error Code:      0xC000006A

Second Error:
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            12/5/2007
Time:            8:02:03 AM
User:            NT AUTHORITY\SYSTEM
Computer:      ASEMAIL
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      Administrator
       Domain:            ASE
       Logon Type:      8
       Logon Process:      IIS    
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      ASEMAIL
       Caller User Name:      ASEMAIL$
       Caller Domain:      ASE
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      1800
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -
That is the 2 errors that just repeat every few seconds for 4 hours or so.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 20425600
Check your FTP log files.

They are usually placed in %windir%\system32\logfiles\msftpsvc1

Checking them may provide more insight. Check out the times when the FTP service is failing and see if we can narrow it down.

I don't know if you are familiar with event ID's web site. You can look up solutions to many event IDs. Here is an example.
http://www.eventid.net/display.asp?eventid=100&eventno=489&source=MSFTPSVC&phase=1

For now, try disabling Netbios over TCP/IP and re-enabling it.

0
 
LVL 39

Accepted Solution

by:
ChiefIT earned 2000 total points
ID: 20425705
OK: now you have two users that have failed logons and they are both coming from the mail server.
One was vipafw, the other was the administrator.  Both failed users are comming from the ASEMAIL machine on the ASE domain.  

Failed logons can come from a non domain user. So, if the mail machine is not on the domain, or belongs to a different domain than your FTP server, this could cause the problem. It doesn't appear to be this way. So, I will not go into details.

The administrator may have failed to logon because the FTP svc was stopped due to vipafw's attempts to logon and failures..

Regardless of your conclusions, vipafw tried to logon. If this was a disabled account, this can play a key factor in trying to pinpoint the exact problem. If this account will be no longer used, delete it instead of disable it.

I really think we should look at what the email server is trying to do with the administrator account and the vipfaw account.
0

Featured Post

Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The term "Bad USB" is a buzz word that is usually used when talking about attacks on computer systems that involve USB devices. In this article, I will show what possibilities modern windows systems (win8.x and win10) offer to fight these attacks wi…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
In response to a need for security and privacy, and to continue fostering an environment members can turn to for support, solutions, and education, Experts Exchange has created anonymous question capabilities. This new feature is available to our Pr…
Suggested Courses

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question