Solved

Event ID 680 - Getting invalid logon attempts from my server

Posted on 2008-10-17
Last Modified: 2013-12-04
I noticed these in my event logs.  Sometimes it's a user ID of "academia" and sometimes it's "inna".  How is this happening?  What is happening?  Why is the "Source Workstation" my server?  Scary stuff.
PS I am current on all patches and on anti-virus (Trend Micro).

Source Event ID Last Occurrence Total Occurrences
  Security 680 10/16/2008 12:48 PM 5 *
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: inna
Source Workstation: CompSvr
Error Code: 0xC0000064

Source Event ID Last Occurrence Total Occurrences
  Security 529 10/16/2008 12:48 PM 5 *
Logon Failure:
  Reason: Unknown user name or bad password
  User Name: inna
  Domain:  
  Logon Type: 3
  Logon Process: Advapi
  Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  Workstation Name: CompSvr
  Caller User Name: CompSvr$
  Caller Domain: MyDomain
  Caller Logon ID: (0x0,0x3E7)
  Caller Process ID: 1556
  Transited Services: -
  Source Network Address: -
  Source Port: -
 
0
Comment
Question by:rowek
11 Comments
 
LVL 4

Expert Comment

by:pistolslapper
ID: 22739658
Are you using any remote control software like vnc on your server?
0
 

Author Comment

by:rowek
ID: 22739752
No sir.  We do open up the Remote Desktop Port sometimes to get to client PCs.  Small Business Server also puts out a Welcome screen that looks like this:
(I am most concerned about Remote Web Workplace which allows somebody to sign on to my server remotely.  I do not know how to disable it)

Welcome to Windows Small Business Server 2003
 To get started, click a link.


  My Company's Internal Web Site
 Collaborate and share documents on your company's internal Web site.
   
  Network Configuration Wizard
 Join a client computer to the Windows Small Business Server network.
   
  Remote Web Workplace
 Connect to the Windows Small Business Server network over the Internet.
 
0
 
LVL 4

Expert Comment

by:pistolslapper
ID: 22739874
How frequently are you getting these events? If it is quite frequent it may be worth running a piece of software like Wireshark to see where the logon attempts are coming from.

0
 
LVL 1

Expert Comment

by:harrytwotoes
ID: 22742766
If your server is securely placed and no one can walk up to it and type on the keyboard, the issue is likely the RWW.  You can specify who is allowed to log into this service by the following:
1) Open Server Management

2) On the left hand side navigation click on "Security Groups"

3) Now on the right hand side you will see all of the Security Groups that SBS builds by default, and any of the ones that you put in there.

4) Double click on Remote Web Workplace Users.

5) Click on the Members tab.

6) Add whoever you would like.  Make sure that the mass groups like "everyone, and domain users" are not in the list.

7) Apply your changes.

0
 

Author Comment

by:rowek
ID: 22744551
Okay, harrytwotoes, I went out and did what you said.  There were no "everyone, and domain users" in that group, only a few that need it.  Is there any way to tell my server not to even display the Welcome Screen "Welcome to Windows Small Business Server 2003" (see detail above)?  Everyone who needs access to our server goes directly to a specific page.

pistolslapper - I get these messages frequently, ten a day.  They indicate the workstation being used is my server.  Will something like wireshark actually help?
0
 
LVL 1

Accepted Solution

by:
harrytwotoes earned 500 total points
ID: 22744657
Ah.

To enable or disable Remote Web Workplace
Open the Windows SBS Console.

On the navigation bar, click Shared Folders and Web Sites.

Click the Web Sites tab.

Right-click Remote Web Workplace, and then do one of the following:

To enable Remote Web Workplace so that users can remotely access network features, click Enable this site.

To prevent users from accessing Remote Web Workplace, click Disable this site.

--site referenced--
http://technet.microsoft.com/en-us/library/cc527621.aspx
0
 

Author Comment

by:rowek
ID: 22744777
harrytwotoes: where is this Windows SBS Console you are talking about?  I am running 2003 and cannot find it.  I normally use "SBS Server Mgt", but never the console.
0
 
LVL 1

Expert Comment

by:harrytwotoes
ID: 22744801
Start > Programs > Windows Small Business Server > Windows SBS Console
0
 

Author Comment

by:rowek
ID: 22744881
Let me tell you how I brute force took it down.  I opened up IIS Mgr and clicked on "REMOVE".  It is no longer an application, just a folder.  If somebody tries to access it now they get the WSOD (.NET White Screen of Death).  I will see if this stops the sign on attempts.  If you can tell me a more elegant way to turn this down on SBS 2003 I would appreciate it, but the intent of your solution works fine: turn down RWW.
Thanks to both of you guys.
Keith
0
 

Author Comment

by:rowek
ID: 22744902
I looked and looked for that program group and app on my Start Menu...does not exist.  Do you have the name of the EXE?  I will create the group from scratch.  Point awarded.
0
 

Author Comment

by:rowek
ID: 22756791
http://www.eggheadcafe.com/software/aspnet/33255125/keep-getting-login-failur.aspx
Above is a good explanation of what is happening.  They are trying to relay off of my Exchange server.
0
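Added example, not part of any post in this thread: a small triage script for the Event 680/529 text shown in the question. It assumes the events are exported as "Field: value" text separated by blank lines; the sample is constructed from the question's records and the function names are hypothetical. A 529 with logon type 3, logon process Advapi, caller logon ID 0x3E7 (the LocalSystem session) and no source network address means a service on the server itself submitted the credentials on behalf of a remote client, which is why the workstation name is the server; the caller process ID identifies that service.

```python
import re
from collections import Counter

# NTSTATUS values seen in Event 680's "Error Code" field.
STATUS = {"0xC0000064": "user name does not exist",
          "0xC000006A": "user name is correct, password is wrong"}

# Constructed sample: the question's two events, trimmed to the fields used.
SAMPLE = """\
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: inna
Source Workstation: CompSvr
Error Code: 0xC0000064

Logon Failure:
  Reason: Unknown user name or bad password
  User Name: inna
  Logon Type: 3
  Logon Process: Advapi
  Workstation Name: CompSvr
  Caller User Name: CompSvr$
  Caller Logon ID: (0x0,0x3E7)
  Caller Process ID: 1556
  Source Network Address: -
"""

def parse_records(text):
    """One dict of 'Field: value' pairs per blank-line-separated event."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        records.append({k.strip(): v.strip() for k, sep, v in pairs if sep})
    return records

def summarize(text):
    """Count 680 failures per account and collect PIDs of local services that
    submitted the credentials (529 with SYSTEM caller and no network source)."""
    accounts, reasons, pids = Counter(), set(), set()
    for rec in parse_records(text):
        if "Error Code" in rec:  # Event 680
            accounts[rec.get("Logon account", "?")] += 1
            reasons.add(STATUS.get(rec["Error Code"], rec["Error Code"]))
        elif (rec.get("Logon Type") == "3" and rec.get("Logon Process") == "Advapi"
              and "0x3E7" in rec.get("Caller Logon ID", "")  # LocalSystem session
              and rec.get("Source Network Address", "-") in ("-", "")):
            # Map this PID to a service on the server with: tasklist /svc
            pids.add(rec.get("Caller Process ID", "?"))
    return accounts, reasons, pids

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Many different account names that all fail with "user name does not exist" point to name guessing against whatever service owns the reported PID, so that service's own logs are where the remote client address will be recorded.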
