Solved

Failed Logins: Event 529 store.exe

Posted on 2010-08-13
Last Modified: 2013-12-04
We're getting hammered nightly with failed logins from STORE.EXE.  Here's an event example:
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            8/12/2010
Time:            6:09:57 PM
User:            NT AUTHORITY\SYSTEM
Computer:      [ExchangeSERVER]
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      administrator
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      [ExchangeSERVER]
       Caller User Name:      [ExchangeSERVER]$
       Caller Domain:      [DOMAIN]
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      6140
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
I can't figure out if this is coming from outside or inside our network.
I have a Hotbrick LB2 dual WAN firewall/router.  I'd love to be able to view the firewall logs, but I can't find out how to do this or where they might be in the Webadmin page.  Googling "hotbrick lb2 firewall logs" just returns random unrelated garbage.

They've also reported an increase in spam, so I'm worried there's a trojan/worm in our network.
They use McAfee (formerly MXLogic) email filtering, and their Exchange server is set to only accept SMTP from their servers.
I've also made sure it's not an open relay in general.

1.  How can I find out where these logins are coming from?
2.  If I need to look at the Hotbrick firewall logs, where do I find them/turn them on?
Thanks for the help.
Question by:bryanchandler
6 Comments
 
LVL 8

Expert Comment

by:christsis
ID: 33431820

Author Comment

by:bryanchandler
ID: 33433640
So should I attach WinDBG to store.exe?  Will this interfere with Exchange's normal operation?

Author Comment

by:bryanchandler
ID: 33433677
Is there an easier way?  I really don't understand what I'm supposed to do in this post.
LVL 8

Expert Comment

by:christsis
ID: 33433880
That's basically an in-depth explanation of how it was diagnosed. The issue is likely that somebody is trying to send mail using SMTP-AUTH and using "administrator." If you follow the steps lower for the Ethereal portion of it you can find out what IP it is coming from. Or you can increase your SMTP logging on the Exchange server and start digging through those.

The Ethereal/Wireshark method will be a little easier as it's monitoring for the specific string to catch the unknown authentication part. So just installing Wireshark (the new version of Ethereal) on the Exchange server and filtering for the string as specified will help you locate the culprit.

Here's a free online base64 decoder to decode the strings required as well:
http://base64-encoder-online.waraxe.us/

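One way to do what christsis describes, as an added example that is not from the original thread or from any Exchange or Wireshark tooling: walk the SMTP AUTH LOGIN exchanges in a protocol log (or a Wireshark stream dump saved as text), decode the base64 usernames, and count attempts per client IP so the source of the 529 events can be tied to an address. The log layout, IPs and tokens are constructed stand-ins, not Exchange's real protocol-log format.

```python
import base64
from collections import Counter, defaultdict

# Constructed sample, simplified "date time client-ip command argument" layout
# (stand-in for an SMTP protocol log); after AUTH LOGIN come base64 user, password.
SAMPLE_LOG = """\
2010-08-12 18:09:52 203.0.113.7 AUTH LOGIN
2010-08-12 18:09:53 203.0.113.7 - YWRtaW5pc3RyYXRvcg==
2010-08-12 18:09:53 203.0.113.7 - cGFzc3dvcmQ=
2010-08-12 18:09:57 203.0.113.7 AUTH LOGIN
2010-08-12 18:09:58 203.0.113.7 - YWRtaW5pc3RyYXRvcg==
2010-08-12 18:09:58 203.0.113.7 - MTIzNDU2
2010-08-12 18:10:02 198.51.100.9 AUTH LOGIN
2010-08-12 18:10:03 198.51.100.9 - c2FsZXM=
2010-08-12 18:10:03 198.51.100.9 - aHVudGVyMg==
2010-08-12 18:10:05 203.0.113.7 AUTH LOGIN
2010-08-12 18:10:06 203.0.113.7 - YWRtaW5pc3RyYXRvcg==
2010-08-12 18:10:06 203.0.113.7 - cXdlcnR5
"""

def b64_to_text(token):
    """Decode one base64 token; None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:      # binascii.Error is a ValueError subclass
        return None

def parse_auth_attempts(log_text):
    """[(client_ip, username), ...] per AUTH LOGIN; passwords are skipped, not stored."""
    state, attempts = {}, []          # state: ip -> which token is expected next
    for line in log_text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 4:
            continue
        ip, cmd, arg = parts[2], parts[3], parts[4] if len(parts) > 4 else ""
        if cmd == "AUTH" and arg.upper() == "LOGIN":
            state[ip] = "user"
        elif cmd == "-" and state.get(ip) == "user":
            attempts.append((ip, b64_to_text(arg) or "<undecodable>"))
            state[ip] = "pass"
        elif cmd == "-" and state.get(ip) == "pass":
            state.pop(ip)                 # password token: consume it, never log it
    return attempts

def flag_sources(attempts, threshold=3):
    """Client IPs with at least `threshold` AUTH attempts, with the usernames tried."""
    per_ip = defaultdict(Counter)
    for ip, user in attempts:
        per_ip[ip][user] += 1
    return {ip: dict(c) for ip, c in per_ip.items() if sum(c.values()) >= threshold}
```

A flagged external address is the one to block at the Hotbrick; a flagged internal address points at a compromised host rather than an outside spambot.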
Author Comment

by:bryanchandler
ID: 33502648
I'm still running the logs.  Haven't heard of any major slowdowns from the users yet, but that's how it works.  Fine for days & then BAM.
I'll update w/ the performance data shortly.
LVL 8

Accepted Solution

by:christsis (earned 2000 total points)
ID: 33502967
Likely it was coming from the outside and it was just a spambot attempting to brute force or login via smtp-auth and use your server to send spam. This is quite common and likely nothing to worry about if you're not seeing the tons of logs about the same thing anymore. As long as you have good password policies and nobody is using things like "password" then you should be ok.