Solved

Failed Logins: Event 529 store.exe

Posted on 2010-08-13
6
1,242 Views
Last Modified: 2013-12-04
We're getting hammered nightly with failed logins from STORE.EXE.  Here's an event example:
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            8/12/2010
Time:            6:09:57 PM
User:            NT AUTHORITY\SYSTEM
Computer:      [ExchangeSERVER]
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      administrator
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      [ExchangeSERVER]
       Caller User Name:      [ExchangeSERVER]$
       Caller Domain:      [DOMAIN]
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      6140
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
I can't figure out if this is coming from outside or inside our network.
I have a Hotbrick LB2 dual WAN firewall/router.  I'd love to be able to view the firewall logs, but I can't find out how to do this or where they might be in the Webadmin page.  Googling "hotbrick lb2 firewall logs" just returns random unrelated garbage.

They've also reported an increase in spam, so I'm worried there's a trojan/worm in our network.
They use McAfee (formerly MXLogic) email filtering, and their Exchange server is set to only accept SMTP from their servers.
I've also made sure it's not an open relay in general.

1.  How can I find out where these logins are coming from?
2.  If I need to look at the Hotbrick firewall logs, where do I find them/turn them on?
Thanks for the help.
Question by: bryanchandler
6 Comments
 

Expert Comment

by:christsis
ID: 33431820

Author Comment

by:bryanchandler
ID: 33433640
So should I attach WinDBG to store.exe?  Will this interfere with Exchange's normal operation?

Author Comment

by:bryanchandler
ID: 33433677
Is there an easier way?  I really don't understand what I'm supposed to do in this post.

Expert Comment

by:christsis
ID: 33433880
That's basically an in-depth explanation of how it was diagnosed. The issue is likely that somebody is trying to send mail using SMTP-AUTH and using "administrator." If you follow the steps lower for the Ethereal portion of it you can find out what IP it is coming from. Or you can increase your SMTP logging on the Exchange server and start digging through those.

The Ethereal/Wireshark method will be a little easier as it's monitoring for the specific string to catch the unknown authentication part. So just installing wireshark (new version of ethereal) on the Exchange server and filtering for the string as specified will help you locate the culprit.

Here's a free online base64 decoder to decode the strings required as well:
http://base64-encoder-online.waraxe.us/
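As an added example (not code from this thread, from Exchange or from Wireshark), the following does in Python what christsis describes by hand: it takes SMTP sessions captured with an "AUTH LOGIN" filter, decodes the base64 username the client supplied, and counts failed authentications per source address so the offending IP can be identified. The source IPs, session lines and the alert threshold are constructed for illustration.

```python
import base64
import binascii
from collections import Counter

# Constructed SMTP session transcripts (client lines plus the server's verdict),
# the shape a capture filtered on "AUTH LOGIN" would produce. The base64 lines are
# the client's answers to the server's "Username:" and "Password:" prompts.
SAMPLE_SESSIONS = [
    {"src": "203.0.113.7", "lines": ["AUTH LOGIN", "YWRtaW5pc3RyYXRvcg==",
                                     "cGFzc3dvcmQ=", "535 5.7.3 Authentication unsuccessful"]},
    {"src": "203.0.113.7", "lines": ["AUTH LOGIN", "YWRtaW5pc3RyYXRvcg==",
                                     "MTIzNDU2", "535 5.7.3 Authentication unsuccessful"]},
    {"src": "192.0.2.25",  "lines": ["AUTH LOGIN", "YWxpY2U=",
                                     "Y29ycmVjdC1ob3JzZQ==", "235 2.7.0 Authentication successful"]},
    {"src": "203.0.113.7", "lines": ["AUTH LOGIN", "YWRtaW4=",
                                     "not-base64!!", "535 5.7.3 Authentication unsuccessful"]},
]

def decode_b64_field(token):
    """Decode one base64 credential line; return None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def parse_auth_login(lines):
    """Return (username, succeeded) for a session, or None if it had no AUTH LOGIN."""
    for i, line in enumerate(lines):
        if line.strip().upper() != "AUTH LOGIN":
            continue
        username = decode_b64_field(lines[i + 1]) if i + 1 < len(lines) else None
        # A 235 reply means the server accepted the credentials; 535 or a dropped
        # connection means the attempt failed.
        succeeded = any(l.startswith("235 ") for l in lines[i + 2:])
        return username, succeeded
    return None

def failed_auth_by_source(sessions):
    """Count failed AUTH LOGIN attempts per source IP and record the usernames tried."""
    failures, names = Counter(), {}
    for s in sessions:
        parsed = parse_auth_login(s["lines"])
        if parsed is None or parsed[1]:
            continue
        failures[s["src"]] += 1
        names.setdefault(s["src"], set()).add(parsed[0] or "<undecodable>")
    return failures, names

def flag_sources(sessions, threshold=2):
    """Source IPs with at least `threshold` failed logons, most active first."""
    failures, _ = failed_auth_by_source(sessions)
    return [ip for ip, n in failures.most_common() if n >= threshold]
```

The same per-source counting works on Exchange SMTP protocol logs once the client address and the AUTH response code are extracted from each line, which is the logging route the comment mentions as the alternative to a capture.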

Author Comment

by:bryanchandler
ID: 33502648
I'm still running the logs.  Haven't heard of any major slowdowns from the users yet, but that's how it works.  Fine for days & then BAM.
I'll update w/ the performance data shortly.

Accepted Solution

by: christsis (earned 500 total points)
ID: 33502967
Likely it was coming from the outside and it was just a spambot attempting to brute force or login via smtp-auth and use your server to send spam. This is quite common and likely nothing to worry about if you're not seeing tons of logs about the same thing anymore. As long as you have good password policies and nobody is using things like "password" then you should be ok.
Question has a verified solution.