  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1267

Failed Logins: Event 529 store.exe

We're getting hammered nightly with failed logins from STORE.EXE.  Here's an event example:
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            8/12/2010
Time:            6:09:57 PM
User:            NT AUTHORITY\SYSTEM
Computer:      [ExchangeSERVER]
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      administrator
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      [ExchangeSERVER]
       Caller User Name:      [ExchangeSERVER]$
       Caller Domain:      [DOMAIN]
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      6140
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
I can't figure out if this is coming from outside or inside our network.
I have a Hotbrick LB2 dual WAN firewall/router.  I'd love to be able to view the firewall logs, but I can't find out how to do this or where they might be in the Webadmin page.  Googling "hotbrick lb2 firewall logs" just returns random unrelated garbage.

They've also reported an increase in spam, so I'm worried there's a trojan/worm in our network.
They use McAfee (formerly MXLogic) email filtering, and their Exchange server is set to only accept SMTP from their servers.
I've also made sure it's not an open relay in general.

1.  How can I find out where these logins are coming from?
2.  If I need to look at the Hotbrick firewall logs, where do I find them/turn them on?
Thanks for the help.
Asked: bryanchandler

1 Solution
christsis Commented:
 
bryanchandler (Author) Commented:
So should I attach WinDBG to store.exe?  Will this interfere with Exchange's normal operation?
 
bryanchandler (Author) Commented:
Is there an easier way?  I really don't understand what I'm supposed to do in this post.
 
christsis Commented:
That's basically an in-depth explanation of how it was diagnosed. The issue is likely that somebody is trying to send mail using SMTP-AUTH and using "administrator." If you follow the steps lower for the Ethereal portion of it you can find out what IP it is coming from. Or you can increase your SMTP logging on the Exchange server and start digging through those.

The Ethereal/Wireshark method will be a little easier as it's monitoring for the specific string to catch the unknown authentication part. So just installing Wireshark (the new version of Ethereal) on the Exchange server and filtering for the string as specified will help you locate the culprit.

Here's a free online base64 decoder to decode the strings required as well:
http://base64-encoder-online.waraxe.us/
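The 529 event in the question cannot answer question 1 on its own: Logon Process "Advapi" and Caller Logon ID (0x0,0x3E7) mean the Exchange process (Caller Process ID 6140, store.exe, running as SYSTEM) called LogonUser on behalf of a remote client, and logons made that way carry no Source Network Address. The client's IP only exists in the SMTP protocol log or in a capture, which is what the answer above points to. As an added example that is not part of the original thread, the Python script below does the two steps the answer describes offline: it parses a W3C extended-format SMTP protocol log like the one the IIS / Exchange 2003 SMTP service writes once logging is turned up, follows each client's AUTH LOGIN exchange (and AUTH PLAIN, which goes one step beyond the thread's LOGIN case), base64-decodes the username the way the linked decoder would, and counts rejected attempts per client IP. The sample log lines are constructed for the example, not real data; the way the AUTH exchange appears in a real log (verb in cs-method, mechanism in cs-uri-query, each client token logged as the cs-method of its own line) is an assumption, and the parser reads the #Fields: header so it does not depend on column order.

```python
import base64
import binascii
import sys
from collections import Counter, defaultdict

# Constructed sample log (not real data; client IPs are RFC 5737 ranges).
# ASSUMPTION: AUTH is logged with the verb in cs-method, the mechanism in
# cs-uri-query, and each base64 token the client sends as the cs-method of
# its own line. The parser reads #Fields:, so other column layouts still parse.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version
2010-08-12 22:09:55 203.0.113.45 - SMTPSVC1 EXCHANGE 192.0.2.10 25 EHLO - +bot.example 250 0 0 0 0 SMTP
2010-08-12 22:09:56 203.0.113.45 - SMTPSVC1 EXCHANGE 192.0.2.10 25 AUTH - LOGIN 334 0 0 0 0 SMTP
2010-08-12 22:09:56 203.0.113.45 - SMTPSVC1 EXCHANGE 192.0.2.10 25 YWRtaW5pc3RyYXRvcg== - - 334 0 0 0 0 SMTP
2010-08-12 22:09:57 203.0.113.45 - SMTPSVC1 EXCHANGE 192.0.2.10 25 cGFzc3dvcmQ= - - 535 0 0 0 0 SMTP
2010-08-12 22:09:58 203.0.113.45 - SMTPSVC1 EXCHANGE 192.0.2.10 25 AUTH - LOGIN 334 0 0 0 0 SMTP
2010-08-12 22:09:58 203.0.113.45 - SMTPSVC1 EXCHANGE 192.0.2.10 25 YWRtaW5pc3RyYXRvcg== - - 334 0 0 0 0 SMTP
2010-08-12 22:09:59 203.0.113.45 - SMTPSVC1 EXCHANGE 192.0.2.10 25 MTIzNDU2 - - 535 0 0 0 0 SMTP
2010-08-12 22:10:03 198.51.100.7 - SMTPSVC1 EXCHANGE 192.0.2.10 25 AUTH - PLAIN 334 0 0 0 0 SMTP
2010-08-12 22:10:03 198.51.100.7 - SMTPSVC1 EXCHANGE 192.0.2.10 25 AGJvYgBsZXRtZWlu - - 535 0 0 0 0 SMTP
2010-08-12 22:10:10 203.0.113.99 - SMTPSVC1 EXCHANGE 192.0.2.10 25 AUTH - LOGIN 334 0 0 0 0 SMTP
2010-08-12 22:10:10 203.0.113.99 - SMTPSVC1 EXCHANGE 192.0.2.10 25 garbage! - - 501 0 0 0 0 SMTP
2010-08-12 22:11:00 192.0.2.20 - SMTPSVC1 EXCHANGE 192.0.2.10 25 AUTH - LOGIN 334 0 0 0 0 SMTP
2010-08-12 22:11:00 192.0.2.20 - SMTPSVC1 EXCHANGE 192.0.2.10 25 c2Nhbm5lcg== - - 334 0 0 0 0 SMTP
2010-08-12 22:11:01 192.0.2.20 - SMTPSVC1 EXCHANGE 192.0.2.10 25 aHVudGVyMg== - - 235 0 0 0 0 SMTP
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):            # directive lines; only #Fields: matters
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("log record before any #Fields: header")
        yield dict(zip(fields, line.split()))

def b64_decode_token(token):
    """Decode one base64 AUTH token; None if it is not valid base64 at all."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def decode_auth_plain(token):
    """AUTH PLAIN sends base64(authzid NUL authcid NUL password); return authcid."""
    raw = b64_decode_token(token)
    if raw is None or raw.count("\0") != 2:
        return None
    return raw.split("\0")[1]

def summarize_auth(text):
    """Return (rejected AUTH attempts per client IP, usernames tried per IP).

    Per-client state machine: after the server answers 334 to AUTH, the client's
    next line(s) carry the credentials; the server's reply on the last of them
    (235 = accepted, anything else = rejected) ends the attempt.
    """
    pending = {}               # c-ip -> [mechanism, username or None]
    failures = Counter()       # c-ip -> rejected AUTH attempts
    users = defaultdict(set)   # c-ip -> usernames tried
    for rec in parse_w3c(text):
        ip = rec.get("c-ip", "-")
        verb = rec.get("cs-method", "-")
        status = rec.get("sc-status", "-")
        if verb.upper() == "AUTH":
            mech = rec.get("cs-uri-query", "-").upper()
            if status == "334" and mech in ("LOGIN", "PLAIN"):
                pending[ip] = [mech, None]
            continue
        state = pending.get(ip)
        if state is None:
            continue               # this client is not mid-AUTH
        mech, user = state
        if mech == "LOGIN" and user is None:
            # first token after AUTH LOGIN is the username; keep the raw
            # token when a bot sends something that is not base64
            state[1] = b64_decode_token(verb) or verb
            if status == "334":
                continue           # server now expects the password line
        elif mech == "PLAIN":
            state[1] = decode_auth_plain(verb) or verb
        users[ip].add(state[1])
        if status != "235":
            failures[ip] += 1
        del pending[ip]
    return failures, users

if __name__ == "__main__":
    # usage: python smtp_auth_sources.py <path to an SMTPSVC1 exYYMMDD.log>
    path = sys.argv[1] if len(sys.argv) > 1 else None
    log = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_LOG
    failures, users = summarize_auth(log)
    for ip, n in failures.most_common():
        print(f"{ip:16} {n:4} rejected  usernames tried: {sorted(users[ip])}")
```

Run it against the day's protocol log once logging is enabled on the SMTP virtual server (the IIS SMTP service typically writes it under the LogFiles\SMTPSVC1 folder of the system directory; check the log location configured on the virtual server rather than trusting that path). The same decoding applies to the Wireshark route: a display filter of `smtp.req.command == "AUTH"` (or simply `smtp contains "AUTH"`) isolates the exchanges, and the client's following lines can be fed to b64_decode_token. An offending IP outside the network is the spambot the final comment describes; one inside the network is the host to examine for the spam increase mentioned in the question.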
 
bryanchandler (Author) Commented:
I'm still running the logs.  Haven't heard of any major slowdowns from the users yet, but that's how it works.  Fine for days & then BAM.
I'll update w/ the performance data shortly.
 
christsis Commented:
Likely it was coming from the outside and it was just a spambot attempting to brute force or login via SMTP-AUTH and use your server to send spam. This is quite common and likely nothing to worry about if you're not seeing the tons of logs about the same thing anymore. As long as you have good password policies and nobody is using things like "password" then you should be ok.
