Solved

Event ID 680 - Getting invalid logon attempts from my server

Posted on 2008-10-17
Last Modified: 2013-12-04
I noticed these in my event logs.  Sometimes it's a user id of "academia" and sometimes it's "inna".  How is this happening?  What is happening?  Why is the "Source Workstation" my server?  Scary stuff.
PS I am current on all patches and on anti-virus (Trend Micro).

Source Event ID Last Occurrence Total Occurrences
  Security 680 10/16/2008 12:48 PM 5 *
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: inna
Source Workstation: CompSvr
Error Code: 0xC0000064

Source Event ID Last Occurrence Total Occurrences
  Security 529 10/16/2008 12:48 PM 5 *
Logon Failure:
  Reason: Unknown user name or bad password
  User Name: inna
  Domain:  
  Logon Type: 3
  Logon Process: Advapi
  Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  Workstation Name: CompSvr
  Caller User Name: CompSvr$
  Caller Domain: MyDomain
  Caller Logon ID: (0x0,0x3E7)
  Caller Process ID: 1556
  Transited Services: -
  Source Network Address: -
  Source Port: -
 
Question by:rowek
11 Comments
 
LVL 4

Expert Comment

by:pistolslapper
ID: 22739658
Are you using any remote control software like vnc on your server?
0
 

Author Comment

by:rowek
ID: 22739752
No sir.  We do open up the Remote Desktop Port sometimes to get to client PCs.  Small Business Server also puts out a Welcome screen that looks like this:
(I am most concerned about Remote Web Workplace which allows somebody to sign on to my server remotely.  I do not know how to disable it)

Welcome to Windows Small Business Server 2003
 To get started, click a link.


  My Company's Internal Web Site
 Collaborate and share documents on your company's internal Web site.
   
  Network Configuration Wizard
 Join a client computer to the Windows Small Business Server network.
   
  Remote Web Workplace
 Connect to the Windows Small Business Server network over the Internet.
 
0
 
LVL 4

Expert Comment

by:pistolslapper
ID: 22739874
How frequently are you getting these events? If it is quite frequent it may be worth running a piece of software like Wireshark to see where the logon attempts are coming from.

0
 
LVL 1

Expert Comment

by:harrytwotoes
ID: 22742766
If your server is securely placed and no one can walk up to it and type on the keyboard, the issue is likely the RWW.  You can specify who is allowed to log into this service by the following:
1) Open Server Management

2) On the left hand side navigation click on "Security Groups"

3) Now on the right hand side you will see all of the Security Groups that SBS builds by default, and any of the ones that you put in there.

4) Double click on Remote Web Workplace Users.

5) Click on the Members tab.

6) Add whoever you would like.  Make sure that the mass groups like "everyone, and domain users" are not in the list.

7) Apply your changes.

0
 

Author Comment

by:rowek
ID: 22744551
Okay, harrytwotoes, I went out and did what you said.  There were no "everyone, and domain users" in that group, only a few that need it.  Is there any way to tell my server not to even display the Welcome Screen "Welcome to Windows Small Business Server 2003" (see detail above)?  Everyone who needs access to our server goes directly to a specific page.

pistolslapper - I get these messages frequently, ten a day.  They indicate the workstation being used is my server.  Will something like Wireshark actually help?
0

 
LVL 1

Accepted Solution

by:
harrytwotoes earned 500 total points
ID: 22744657
Ah.

To enable or disable Remote Web Workplace
Open the Windows SBS Console.

On the navigation bar, click Shared Folders and Web Sites.

Click the Web Sites tab.

Right-click Remote Web Workplace, and then do one of the following:

To enable Remote Web Workplace so that users can remotely access network features, click Enable this site.

To prevent users from accessing Remote Web Workplace, click Disable this site.

--site referenced--
http://technet.microsoft.com/en-us/library/cc527621.aspx
0
 

Author Comment

by:rowek
ID: 22744777
harrytwotoes: where is this Windows SBS Console you are talking about?  I am running 2003 and cannot find it.  I normally use "SBS Server Mgt", but never the console.
0
 
LVL 1

Expert Comment

by:harrytwotoes
ID: 22744801
Start > Programs > Windows Small Business Server > Windows SBS Console
0
 

Author Comment

by:rowek
ID: 22744881
Let me tell you how I brute force took it down.  I opened up IIS Mgr and clicked on "REMOVE".  It is no longer an application, just a folder.  If somebody tries to access it now they get the WSOD (.NET White Screen of Death).  I will see if this stops the sign on attempts.  If you can tell me a more elegant way to turn this down on SBS 2003 I would appreciate it, but the intent of your solution works fine: turn down RWW.
Thanks to both of you guys.
Keith
0
 

Author Comment

by:rowek
ID: 22744902
I looked and looked for that program group and app on my Start Menu...does not exist.  Do you have the name of the EXE?  I will create the group from scratch.  Point awarded.
0
 

Author Comment

by:rowek
ID: 22756791
http://www.eggheadcafe.com/software/aspnet/33255125/keep-getting-login-failur.aspx
Above is a good explanation of what is happening.  They are trying to relay off of my Exchange server.
0
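A triage sketch for the events quoted in the question, added here as an example and not code from any poster in the thread: it parses the Event 529 description text and flags failures where the credentials were submitted by a process running as LocalSystem on the server itself (Caller Logon ID 0x3E7, Advapi, no source address), which is why the workstation field shows the server's own name. The sample events are constructed from the record in the question, and the function names are illustrative.

```python
from collections import Counter

# Well-known values: NTSTATUS codes seen in Event 680 and Windows logon types.
STATUS = {"0xC0000064": "user name does not exist",
          "0xC000006A": "user name correct, wrong password"}
LOGON_TYPES = {"2": "interactive", "3": "network", "10": "remote interactive"}

# Constructed sample modelled on the Event 529 text quoted in the question.
TEMPLATE = """Logon Failure:
  Reason: Unknown user name or bad password
  User Name: {user}
  Logon Type: 3
  Logon Process: Advapi
  Workstation Name: CompSvr
  Caller User Name: CompSvr$
  Caller Logon ID: (0x0,0x3E7)
  Caller Process ID: 1556
  Source Network Address: -
"""
SAMPLE = [TEMPLATE.format(user=u) for u in ("inna", "academia", "inna")]

def parse_event(text):
    """Turn the 'Field: value' lines of an event description into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def explain_680(text):
    f = parse_event(text)  # Event 680 carries the account name and an NTSTATUS code
    return f.get("Logon account", ""), STATUS.get(f.get("Error Code", ""), "unknown")

def triage(fields):
    """Flag logons submitted by a LocalSystem process; (0x0,0x3E7) is that session."""
    as_system = fields.get("Caller Logon ID", "").lower() == "(0x0,0x3e7)"
    no_origin = fields.get("Source Network Address", "-") in ("", "-")
    return {"user": fields.get("User Name", ""),
            "logon_type": LOGON_TYPES.get(fields.get("Logon Type"), "other"),
            "local_service": as_system and no_origin
                             and fields.get("Logon Process", "") == "Advapi",
            "pid": fields.get("Caller Process ID", "")}

def summarize(events):
    """Count the account names tried through each local process."""
    hits = [t for t in map(triage, map(parse_event, events)) if t["local_service"]]
    return {"by_user": Counter(t["user"] for t in hits),
            "pids": sorted({t["pid"] for t in hits})}
```

The remote client's address is not recorded in these events; it has to come from the logs of the service that owns the reported process ID.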
