Solved

Failed Logins: Event 529 store.exe

Posted on 2010-08-13
Last Modified: 2013-12-04
We're getting hammered nightly with failed logins from STORE.EXE.  Here's an event example:
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            8/12/2010
Time:            6:09:57 PM
User:            NT AUTHORITY\SYSTEM
Computer:      [ExchangeSERVER]
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      administrator
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      [ExchangeSERVER]
       Caller User Name:      [ExchangeSERVER]$
       Caller Domain:      [DOMAIN]
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      6140
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
I can't figure out if this is coming from outside or inside our network.
I have a Hotbrick LB2 dual WAN firewall/router.  I'd love to be able to view the firewall logs, but I can't find out how to do this or where they might be in the Webadmin page.  Googling "hotbrick lb2 firewall logs" just returns random unrelated garbage.

They've also reported an increase in spam, so I'm worried there's a trojan/worm in our network.
They use McAfee (formerly MXLogic) email filtering, and their Exchange server is set to only accept SMTP from their servers.
I've also made sure it's not an open relay in general.

1.  How can I find out where these logins are coming from?
2.  If I need to look at the Hotbrick firewall logs, where do I find them/turn them on?
Thanks for the help.
Question by:bryanchandler
Expert Comment

by:christsis
Author Comment

by:bryanchandler
So should I attach WinDbg to store.exe?  Will this interfere with Exchange's normal operation?
Author Comment

by:bryanchandler
Is there an easier way?  I really don't understand what I'm supposed to do in this post.
Expert Comment

by:christsis
That's basically an in-depth explanation of how it was diagnosed. The issue is likely that somebody is trying to send mail using SMTP-AUTH and using "administrator." If you follow the steps lower for the Ethereal portion of it you can find out what IP it is coming from. Or you can increase your SMTP logging on the Exchange server and start digging through those.

The Ethereal/Wireshark method will be a little easier as it's monitoring for the specific string to catch the unknown authentication part. So just installing wireshark (new version of ethereal) on the Exchange server and filtering for the string as specified will help you locate the culprit.

Here's a free online base64 decoder to decode the strings required as well:
http://base64-encoder-online.waraxe.us/
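The expert's advice above comes down to two things: capture the SMTP session on the Exchange server and base64-decode the AUTH LOGIN tokens to see which account is being guessed and from which IP. The script below is an added example (not code from the thread or from Exchange/Wireshark) that does that decoding offline on a text export of the captured sessions, so credentials never get pasted into a third-party web decoder. The capture text, the "C:"/"S:" line prefixes, the session header format and the IP addresses are constructed assumptions; a real "Follow TCP Stream" export would need its own header parsing. The password token is deliberately not decoded: for attribution you only need the username and the source address.

```python
import base64
import re
from collections import Counter

# Constructed sample (not a real capture): two SMTP sessions as they would look in a
# text export of "Follow TCP Stream" taken on the Exchange server. A header line gives
# the client address, "C:" lines are client-to-server, "S:" lines are server-to-client.
# 198.51.100.23 and 203.0.113.9 are documentation addresses.
CAPTURE = """\
198.51.100.23:44120 -> 10.0.0.5:25
S: 220 mail.example.local Microsoft ESMTP MAIL Service ready
C: EHLO spambot
S: 250-AUTH LOGIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: YWRtaW5pc3RyYXRvcg==
S: 334 UGFzc3dvcmQ6
C: cGFzc3dvcmQ=
S: 535 5.7.3 Authentication unsuccessful
203.0.113.9:51002 -> 10.0.0.5:25
S: 220 mail.example.local Microsoft ESMTP MAIL Service ready
C: AUTH LOGIN YWRtaW5pc3RyYXRvcg==
S: 334 UGFzc3dvcmQ6
C: UEBzc3cwcmQh
S: 535 5.7.3 Authentication unsuccessful
"""

# Assumed session header: "<client ip>:<port> -> <server ip>:<port>"
SESSION_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):\d+ -> ")


def b64_to_text(token):
    """Decode one base64 token the way AUTH LOGIN sends it; None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", errors="replace")
    except ValueError:          # binascii.Error is a subclass of ValueError
        return None


def parse_auth_attempts(capture_text):
    """Return one dict per AUTH LOGIN exchange: {'src', 'user', 'ok'}.

    The password token is intentionally never decoded; the goal is to learn which
    account is being guessed and from where, not to recover the guesses."""
    attempts, src, state, current = [], None, None, None
    for raw in capture_text.splitlines():
        line = raw.strip()
        m = SESSION_RE.match(line)
        if m:                                   # new client session
            src, state, current = m.group(1), None, None
            continue
        if line.startswith("C: "):
            payload = line[3:]
            if payload.upper().startswith("AUTH LOGIN"):
                parts = payload.split()
                current = {"src": src, "user": None, "ok": None}
                if len(parts) >= 3:             # initial-response form: AUTH LOGIN <b64 user>
                    current["user"] = b64_to_text(parts[2])
                    state = "want_pass"
                else:
                    state = "want_user"
            elif state == "want_user":
                current["user"] = b64_to_text(payload)
                state = "want_pass"
            elif state == "want_pass":
                state = "want_result"           # password token skipped on purpose
        elif line.startswith("S: ") and state == "want_result":
            current["ok"] = line[3:6] == "235"  # 235 = authenticated, 535 = failed
            attempts.append(current)
            state, current = None, None
    return attempts


def failed_auth_by_source(attempts):
    """Count failed AUTH LOGIN attempts per (source IP, username)."""
    return dict(Counter((a["src"], a["user"]) for a in attempts if a["ok"] is False))


if __name__ == "__main__":
    for (src, user), n in sorted(failed_auth_by_source(parse_auth_attempts(CAPTURE)).items()):
        print(f"{src:16} user={user!r} failed_auth={n}")
```

Both AUTH LOGIN shapes are handled: the two-step challenge form (server sends the base64 "Username:" and "Password:" prompts) and the initial-response form where the username rides on the AUTH LOGIN line itself. The per-source counts are what you would feed to the firewall block list or compare against the SMTP protocol log.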
Author Comment

by:bryanchandler
I'm still running the logs.  Haven't heard of any major slowdowns from the users yet, but that's how it works.  Fine for days & then BAM.
I'll update w/ the performance data shortly.
Accepted Solution

by:christsis (earned 500 total points)
Likely it was coming from the outside and it was just a spambot attempting to brute force or login via smtp-auth and use your server to send spam. This is quite common and likely nothing to worry about if you're not seeing the tons of logs about the same thing anymore. As long as you have good password policies and nobody is using things like "password" then you should be ok.
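The accepted answer's reading (an external spambot guessing "administrator" over SMTP-AUTH) is consistent with the event quoted in the question: Logon Type 3 with Logon Process Advapi, the server's own machine account as caller, and a blank Source Network Address, which is what you get when a local service such as the store or SMTP service validates a password on a remote client's behalf rather than the client logging on directly. That is also why the 529 event alone cannot answer "where is it coming from" and the capture or SMTP log is needed. What the Security log can give you is the burst pattern. The script below is an added example (not from the thread or from Microsoft) that parses 529 records in the text layout shown in the question and flags a user/caller-process pair that accumulates several failures inside a short window; the records, times, PIDs and the 10.0.0.40 address are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (not from the poster's server): four 529 records in the layout of
# the event quoted in the question, trimmed to the fields used here. Times and PIDs made up.
EVENTS_TEXT = """\
Event ID:      529
Date:            8/12/2010
Time:            6:09:57 PM
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      administrator
       Logon Type:      3
       Logon Process:      Advapi
       Caller Process ID:      6140
       Source Network Address:      -
Event ID:      529
Date:            8/12/2010
Time:            6:10:02 PM
       User Name:      administrator
       Logon Type:      3
       Logon Process:      Advapi
       Caller Process ID:      6140
       Source Network Address:      -
Event ID:      529
Date:            8/12/2010
Time:            6:10:05 PM
       User Name:      administrator
       Logon Type:      3
       Logon Process:      Advapi
       Caller Process ID:      6140
       Source Network Address:      -
Event ID:      529
Date:            8/12/2010
Time:            9:30:00 PM
       User Name:      jsmith
       Logon Type:      2
       Logon Process:      User32
       Caller Process ID:      1234
       Source Network Address:      10.0.0.40
"""

# "Field name:   value" lines; the value may be empty (e.g. "Description:")
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_529_events(text):
    """Split a text export into records at each 'Event ID:' line and pull out the fields we need."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event ID:)", text):
        fields = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2)
        if fields.get("Event ID") != "529":
            continue
        when = datetime.strptime(f"{fields['Date']} {fields['Time']}", "%m/%d/%Y %I:%M:%S %p")
        events.append({
            "when": when,
            "user": fields.get("User Name", "-"),
            "logon_type": fields.get("Logon Type", "-"),
            "logon_process": fields.get("Logon Process", "-"),
            "caller_pid": fields.get("Caller Process ID", "-"),
            "source": fields.get("Source Network Address", "-"),
        })
    return events


def brute_force_windows(events, max_failures=3, window=timedelta(minutes=5)):
    """Sliding-window detector: an alert fires when one (user, caller PID) pair reaches
    max_failures failed logons within `window`. It fires at the moment the threshold is hit."""
    alerts, recent = [], defaultdict(deque)
    for ev in sorted(events, key=lambda e: e["when"]):
        key = (ev["user"], ev["caller_pid"])
        q = recent[key]
        q.append(ev["when"])
        while ev["when"] - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) == max_failures:
            alerts.append({"user": ev["user"], "caller_pid": ev["caller_pid"],
                           "first": q[0], "last": ev["when"], "count": len(q),
                           "source": ev["source"], "logon_process": ev["logon_process"]})
    return alerts


if __name__ == "__main__":
    for a in brute_force_windows(parse_529_events(EVENTS_TEXT)):
        print(f"{a['count']} failures for {a['user']!r} via PID {a['caller_pid']} "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}; "
              f"logon_process={a['logon_process']} source={a['source']}")
```

Keying on the caller process ID as well as the username separates the service-driven failures (Advapi, blank source) from an interactive typo by a real user, and the sorted sliding window keeps the check linear in the number of events, so it runs fine over a night's worth of exported log.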