Solved

Failed Logins: Event 529 store.exe

Posted on 2010-08-13
1,234 Views
Last Modified: 2013-12-04
We're getting hammered nightly with failed logins from STORE.EXE.  Here's an event example:
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            8/12/2010
Time:            6:09:57 PM
User:            NT AUTHORITY\SYSTEM
Computer:      [ExchangeSERVER]
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      administrator
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      [ExchangeSERVER]
       Caller User Name:      [ExchangeSERVER]$
       Caller Domain:      [DOMAIN]
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      6140
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
I can't figure out if this is coming from outside or inside our network.
I have a Hotbrick LB2 dual WAN firewall/router.  I'd love to be able to view the firewall logs, but I can't find out how to do this or where they might be in the Webadmin page.  Googling "hotbrick lb2 firewall logs" just returns random unrelated garbage.

They've also reported an increase in spam, so I'm worried there's a trojan/worm in our network.
They use McAfee (formerly MXLogic) email filtering, and their Exchange server is set to only accept SMTP from their servers.
I've also made sure it's not an open relay in general.

1.  How can I find out where these logins are coming from?
2.  If I need to look at the Hotbrick firewall logs, where do I find them/turn them on?
Thanks for the help.
Question by:bryanchandler
6 Comments
LVL 8

Expert Comment

by:christsis
ID: 33431820

Author Comment

by:bryanchandler
ID: 33433640
So should I attach WinDbg to store.exe?  Will this interfere with Exchange's normal operation?

Author Comment

by:bryanchandler
ID: 33433677
Is there an easier way?  I really don't understand what I'm supposed to do in this post.
LVL 8

Expert Comment

by:christsis
ID: 33433880
That's basically an in-depth explanation of how it was diagnosed. The issue is likely that somebody is trying to send mail using SMTP-AUTH and using "administrator." If you follow the steps below for the Ethereal portion of it you can find out what IP it is coming from. Or you can increase your SMTP logging on the Exchange server and start digging through those.

The Ethereal/Wireshark method will be a little easier as it's monitoring for the specific string to catch the unknown authentication part. So just installing Wireshark (the new version of Ethereal) on the Exchange server and filtering for the string as specified will help you locate the culprit.

Here's a free online base64 decoder to decode the strings required as well:
http://base64-encoder-online.waraxe.us/
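The capture-and-decode approach described in the comment above, as an added example that is not from the original thread or any of its participants. It assumes the SMTP sessions have been exported as text from Wireshark (Follow TCP Stream, captured with a display filter such as `frame contains "VXNlcm5hbWU6"`, the base64 form of the server's `Username:` prompt that AUTH LOGIN sends) together with each stream's client IP. The sample streams, IP addresses, usernames and passwords below are constructed for the example. It decodes both AUTH LOGIN and AUTH PLAIN (the comment's base64 step covers LOGIN; PLAIN packs `\0user\0password` into one token) and tallies failures per source IP so the offending address stands out.

```python
"""Decode SMTP AUTH attempts from captured mail sessions and tally them by
source IP. Added example, not code from the original thread. Input: the text
of each TCP stream as Wireshark's "Follow TCP Stream" shows it, paired with
the client IP. Server lines start with a three-digit reply code; every other
non-empty line came from the client.
"""
import base64
import re
from collections import defaultdict

# The two prompts a server sends during AUTH LOGIN; these are the strings
# to filter for in the capture (frame contains "VXNlcm5hbWU6").
USERNAME_PROMPT = base64.b64encode(b"Username:").decode()  # VXNlcm5hbWU6
PASSWORD_PROMPT = base64.b64encode(b"Password:").decode()  # UGFzc3dvcmQ6

SERVER_LINE = re.compile(r"^\d{3}[ -]")  # "250 ok" or "250-continued"


def decode_b64(token):
    """Decode one base64 token; None if it is not base64 at all."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def parse_auth_attempts(client_ip, transcript):
    """Return one dict per AUTH LOGIN / AUTH PLAIN attempt in the stream."""
    lines = [l.strip() for l in transcript.splitlines() if l.strip()]

    def is_server(j):
        return bool(SERVER_LINE.match(lines[j]))

    def skip_to_client(j):
        while j < len(lines) and is_server(j):
            j += 1
        return j

    def skip_to_server(j):
        while j < len(lines) and not is_server(j):
            j += 1
        return j

    attempts = []
    i = 0
    while i < len(lines):
        parts = lines[i].split()
        at_server = is_server(i)
        i += 1
        if at_server or parts[0].upper() != "AUTH":
            continue  # "250 AUTH LOGIN PLAIN" is a server line, not an attempt
        mech = parts[1].upper() if len(parts) > 1 else "?"
        user = password = None
        if mech == "LOGIN":
            # Username may ride on the AUTH line; otherwise it follows the
            # "334 VXNlcm5hbWU6" prompt. Password follows "334 UGFzc3dvcmQ6".
            if len(parts) > 2:
                user = decode_b64(parts[2])
            else:
                i = skip_to_client(i)
                if i < len(lines):
                    user = decode_b64(lines[i])
                    i += 1
            i = skip_to_client(i)
            if i < len(lines):
                password = decode_b64(lines[i])
                i += 1
        elif mech == "PLAIN":
            # AUTH PLAIN carries base64("\0user\0password"), inline or after a 334.
            if len(parts) > 2:
                blob = parts[2]
            else:
                i = skip_to_client(i)
                blob = lines[i] if i < len(lines) else ""
                i += 1
            fields = (decode_b64(blob) or "").split("\x00")
            if len(fields) == 3:
                user, password = fields[1], fields[2]
        j = skip_to_server(i)  # the server's verdict: 235 = accepted, 535 = rejected
        code = lines[j][:3] if j < len(lines) else "?"
        attempts.append({"ip": client_ip, "mechanism": mech, "user": user,
                         "password": password, "success": code == "235"})
    return attempts


def failed_by_ip(attempts):
    """Failed attempts per source IP and the usernames tried from it."""
    per_ip = defaultdict(lambda: {"failed": 0, "users": set()})
    for a in attempts:
        if not a["success"]:
            per_ip[a["ip"]]["failed"] += 1
            per_ip[a["ip"]]["users"].add(a["user"])
    return dict(per_ip)


# Constructed sample streams (not real traffic): a bot at 203.0.113.45 guessing
# "administrator" twice, and a legitimate user logging in from 192.168.1.20.
SAMPLE_STREAMS = [
    ("203.0.113.45",
     "220 mail.example.local Microsoft ESMTP MAIL Service ready\r\n"
     "EHLO bot\r\n"
     "250-mail.example.local Hello [203.0.113.45]\r\n"
     "250 AUTH LOGIN PLAIN\r\n"
     "AUTH LOGIN\r\n334 VXNlcm5hbWU6\r\n"
     "YWRtaW5pc3RyYXRvcg==\r\n"          # base64("administrator")
     "334 UGFzc3dvcmQ6\r\n"
     "cGFzc3dvcmQ=\r\n"                  # base64("password")
     "535 5.7.3 Authentication unsuccessful\r\n"
     "AUTH PLAIN " + base64.b64encode(b"\x00administrator\x00123456").decode() + "\r\n"
     "535 5.7.3 Authentication unsuccessful\r\n"
     "QUIT\r\n221 Goodbye\r\n"),
    ("192.168.1.20",
     "220 mail.example.local Microsoft ESMTP MAIL Service ready\r\n"
     "EHLO pc20\r\n"
     "250-mail.example.local Hello [192.168.1.20]\r\n"
     "250 AUTH LOGIN PLAIN\r\n"
     "AUTH LOGIN\r\n334 VXNlcm5hbWU6\r\n"
     "anNtaXRo\r\n"                      # base64("jsmith")
     "334 UGFzc3dvcmQ6\r\n"
     + base64.b64encode(b"S3cret!").decode() + "\r\n"
     "235 2.7.0 Authentication successful\r\n"
     "QUIT\r\n221 Goodbye\r\n"),
]


def analyze(streams=SAMPLE_STREAMS):
    """Parse every stream and return (all attempts, failures per IP)."""
    attempts = []
    for ip, text in streams:
        attempts.extend(parse_auth_attempts(ip, text))
    return attempts, failed_by_ip(attempts)


if __name__ == "__main__":
    attempts, summary = analyze()
    for a in attempts:
        print(f'{a["ip"]:15} {a["mechanism"]:6} user={a["user"]!r} ok={a["success"]}')
    for ip, info in summary.items():
        print(f"{ip}: {info['failed']} failed AUTH, usernames tried: {sorted(info['users'])}")
```

The same per-IP tally can be run over Exchange's SMTP protocol log once that logging is turned up. The Security log alone cannot supply this: the 529 event posted above records the local process that checked the credentials (Caller Process ID, Logon Process Advapi) and shows `Source Network Address: -`, so the client's address has to come from the wire or from the SMTP log.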

Author Comment

by:bryanchandler
ID: 33502648
I'm still running the logs.  Haven't heard of any major slowdowns from the users yet, but that's how it works.  Fine for days & then BAM.
I'll update w/ the performance data shortly.
LVL 8

Accepted Solution

by:christsis (earned 500 total points)
ID: 33502967
Likely it was coming from the outside and it was just a spambot attempting to brute force or log in via SMTP-AUTH and use your server to send spam. This is quite common and likely nothing to worry about if you're not seeing tons of logs about the same thing anymore. As long as you have good password policies and nobody is using things like "password" then you should be OK.
