We're getting hammered nightly with failed logins from STORE.EXE. Here's an event example:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Time: 6:09:57 PM
User: NT AUTHORITY\SYSTEM
Reason: Unknown user name or bad password
User Name: administrator
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: [ExchangeSERVER]
Caller User Name: [ExchangeSERVER]$
Caller Domain: [DOMAIN]
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 6140
Transited Services: -
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
I can't figure out if this is coming from outside or inside out network.
I have a Hotbrick LB2 dual WAN firewall/router. I'd love to be able to view the firewall logs, but I can't find out how to do this or where they might be in the Webadmin page. Googleing "hotbrick lb2 firewall logs" just returns random unrelated garbage.
They've also reported an increase in spam, so I'm worried there's a trojan/worm in our network.
They use McAfee (formally MXLogic) email filtering, and their Exchange server is set to only accept SMTP from their servers.
I've also made sure it's not an open relay in general.
1. How can I find out where these logins are coming from?
2. If I need to look at the Hotbrick firewall logs, where do I find them/turn them on?
Thanks for the help.