• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2484
  • Last Modified:

Advapi and inetinfo logon attempts - IP logging utility available ?

I know there are varous methods for using network monitoring like wireshark to obtain IP details on attempts to logon to the server via web or other inet processes   but unless you are monitoring them at the time, then you are left with microsoft logging which is a total waste of time  as they dont log the ip address of the offending person.

eg                 Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      admin
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      SERVER1
       Caller User Name:      SERVER1$
       Caller Domain:      HXXXXXXXXP
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      5568
       Transited Services:      -
       Source Network Address:      -

Is there no utility or program that will log who is trying to break into my server from the internet so I can either block the address or report the offender to the ISP ? Even the MS logfile offer no clues.

It seems stupid for a system not to be able to log who is connecting to what process and failing to provide a correct password several hundred times.

So the points are for some one pointing me to a utility, process or program that will sit on a sbs or standard 2003 server and report who is trying to break into the server and I test the solution and it works.

  • 3
1 Solution
B HCommented:
your default smtp server is ran by inetinfo (iis)

what you're seeing there is a failed attempt on smtp, some spammers trying to guess usernames/passwords in base64 format.

you'll find the ip address in your iis logs (C:\WINDOWS\System32\LogFiles\smtpsvc1 or whatever you called it), but only if you enabled logging, with the ip address selected.

in exchange system manager, find your default smtp virtual server, right click, properties, enable logging, pick a destination folder, check out the advanced options under the 'properties' button right next to the path.  fill out how often you want the logs to recreate themselves, and go to the advanced tab, checkmark things that interest you.  suggest you checkmark 'use local time' so you don't have to constantly do the math off GMT.

once you have them in log files, you can flip them around in excel however you want

B HCommented:
oh yeah, see here, post number 2 also:
ZombiteAuthor Commented:
The inetinfo handles also web access etc - The smtp logging is already turned on but shows no attempts at that time so I am assuming it is either owa, web page logons or other iis services.
It is frustrating to have 600 odd attempts at logon and to have no log of the ip address.
I am considering using onevent and snort maybe - fire it up when it gets a logon attempt.
But I hoped there were more elagant solutions out there.

I find this comment typical of microsoft. I would feel happier if I could log the IP - block it and or contact the ISP to get the user cut off for hacking attempts.

Since there are Web sites on the SBS server such as RWW/OWA that are
published to the Internet, this is an "expected" behavior because anyone
can attempt to logon to the sites. Fortunately, the SBS server will block
the access because there is no such user account in AD or the password does
not match.

Therefore, if you are confident on the passwords, we can skip the errors.  <-------?????

Please feel free to let me know if you have any further concerns or
questions regarding the issue.

Best regards,

Manfred Zhuang(MSFT)
Microsoft Online Newsgroup Support
B HCommented:
i get what you're saying about inetinfo, but the combination of logon type 3, advapi, and ms-auth-pkg-1.0 make it [most likely] smtp.

the line you pointed to above - yeah he was saying if you know your passwords can't be dictionary attacked, and are really really hard to bruteforce, ignore the errors because it's not likely they would be guessed.  if they're 10 character passwords with 5 special characters, 3 numbers, an uppercase and a lowercase, they probably won't ever be bruteforced.  

i wish i understood why M$ didnt include the ip address in the logs like this...  i was able to see my own ip in the smtp logs when testing, but only if i fed it the base64 user name (like your hackers are).  if you dont feed it the base64, it doesnt log 3/advapi/ms-auth1.0 it logs as something else.

your actual IIS attempts happening on port 80/443/987 will be logged in a different folder, and not be using ms-auth-pkg-1.0

with wireshark, you could stream to a file, then ascii-string-search it or look for the times, but the bottom line is - it's going to keep happening as long as you have smtp exposed to the internet.  the only way to not get it to happen, would be to sign up for some 3rd party offsite spam filtering.  that way your MX/A records point to the 3rd party, then the 3rd party shoots it to your server.  your firewall would say "allow inbound smtp but only from this outside ip address [3rd party]"
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: Ruby Fundamentals

This course will introduce you to Ruby, as well as teach you about classes, methods, variables, data structures, loops, enumerable methods, and finishing touches.

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now