Solved

Microsoft 2003 SBS server error

Posted on 2011-02-17
45
1,465 Views
Last Modified: 2012-05-11
Is anyone familiar with the error below? Also, the server is not performing Automatic Updates and there are 33 high priority updates when I manually go to Windows Updates. Automatic Updates are set for 5 am every day and Internet Explorer Enhanced Security Control is not checked in ADD/REMOVE PROGRAMS. I was told long ago by Microsoft this could prevent updates.

Thanks!


Security: What does this mean? It has been on the report the last two days. Maybe it doesn't mean anything, but it has been on the report with 7,465 occurrences at 10 pm last night and the night before.
Logon Failure:
      Reason:      Unknown user name or bad password
      User Name:      1234
      Domain:      
      Logon Type:      3
      Logon Process:      Advapi
      Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
      Workstation Name:      SERVER
      Caller User Name:      SERVER$
      Caller Domain:      MTNBROOK
      Caller Logon ID:      (0x0,0x3E7)
      Caller Process ID:      2084
      Transited Services:      -
      Source Network Address:      -
      Source Port:      -

Question by: russgarrett
45 Comments
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34919588
Most often Logon type 3's are from a computer on the local network accessing a file share or IIS, and the failure indicates it is being accessed using either a non-existent user account or an expired/incorrect password. DrDave242 points out some troubleshooting techniques for this in the following link.
http://www.experts-exchange.com/Security/Misc/Q_23148468.html

It can also be a mapped drive or service using incorrect credentials.
0
 

Author Comment

by:russgarrett
ID: 34919590
Also there are a bunch of errors in the event log of SERVICE CONTROL MANAGER EVENT 7000 in the SYSTEM EVENT viewer. Then BACKGROUND INTELLIGENT TRANSFER SERVICE FAILED TO START.
There are probably 12,000 of these errors since September. The client just called this to my attention. The server is also running Backup Exec 2010.

Event Type:      Error
Event Source:      Service Control Manager
Event Category:      None
Event ID:      7000
Date:            1/7/2011
Time:            12:43:35 PM
User:            N/A
Computer:      SERVER
Description:
The Background Intelligent Transfer Service service failed to start due to the following error:
The account specified for this service is different from the account specified for other services running in the same process.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Then there is this error in the log as well.

Event Type:      Error
Event Source:      DCOM
Event Category:      None
Event ID:      10005
Date:            1/7/2011
Time:            12:43:32 PM
User:            N/A
Computer:      SERVER
Description:
DCOM got error "The account specified for this service is different from the account specified for other services running in the same process. " attempting to start the service BITS with arguments "" in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 34919623
Regarding auto update... really bad idea. It gives you no control to see what's going on.

The other error is an attempt to hack your network, all unsuccessful.

What do you have for a firewall?
Do you have an account called 1234?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34919778
Cris, I am not certain, but if it were an external attempt to hack the network would it not be a logon type 10?
0
 

Author Comment

by:russgarrett
ID: 34919796
It is a SonicWall TZ 190 W.

No user 1234.
0
 

Author Comment

by:russgarrett
ID: 34919861
I agree about the automatic updates, but it is curious as to why it does not work.

What is the BACKGROUND INTELLIGENT TRANSFER SERVICE (BITS) that fails to start? Is this a service or something that may have an incorrect password?
0
 

Author Comment

by:russgarrett
ID: 34919909
BITS seems to be a part of BACKUP EXEC.

The service is set to manual and not automatic.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34919941
BITS is used by Windows Updates
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 34919961
@Rob yes, and it would typically show the offending IP.

I'm leaning towards spyware somewhere.... I'd be running a Malwarebytes full scan on all workstations.

Yes, BITS has to be working for updating to work.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34919988
It's unlikely BITS has the wrong user name or password, but double check by looking at the properties of the service and under Logon verify only "local system account" is checked.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34920031
Also, in theory, if it were a failed service or mapping it would most likely be an expired password and lock out the account (assuming you have password policies enabled), whereas a wrong account name can be attempted indefinitely.

I like Cris's suggestion of checking for malware.
Out of curiosity, do you have port 3389 open on your router?
0
 

Author Comment

by:russgarrett
ID: 34920072
The BITS service login is the same as the Backup Exec Services.

Should it be LOCAL SYSTEM ACCOUNT and check the box ALLOW SERVICE TO INTERACT WITH DESKTOP for its logon?

Is the service supposed to be set to manual?

BIG QUESTION is: do you really think the server or a workstation has a virus? I just did a scan on the server C: drive with CA eTrust and it is OK. Is the Standard version of MALWAREBYTES ok to run on a 2003 SBS server? I have to configure eTrust antivirus with exclusions for EXCHANGE.
0
 

Author Comment

by:russgarrett
ID: 34920104
OK, I checked LOGON LOCALLY for the BITS service. That should stop all those 7000 errors.

Yes, 3389 is for remote desktop and it is open.
0
 

Author Comment

by:russgarrett
ID: 34920436
I just did one Microsoft update and the BITS changed from manual and the update was successful.

BITS was not set to Local System Account so that should be fixed.

Should I save the SYSTEM EVENT LOG and then delete it and start a new one since there were thousands of those 7000 errors? Then see what errors come up?

The passwords were changed a while back and they are numbers and letters that make no sense, so passwords should be secure.

I also want to make sure it is ok to run Malwarebytes on a 2003 SBS server without excluding Exchange files and processes.

What are my next steps?

0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 34920528
Run Malwarebytes on workstations only.

I don't see any reason to save the log.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34920630
As for port 3389; having that open usually results in 1-5000 hits per day by hackers. It is much more secure to use Remote Web Workplace and ports 443 and 4125.
0
 

Author Comment

by:russgarrett
ID: 34920753
Never used Remote Web Workplace, but now use TeamViewer which is like WebEx.

Below is one error from the application log. In the online description it says if you have a 1708 you could be relayed from, but I do not see a 1708. 7515 I just ignore. One user did receive a phone call earlier this week that they were receiving spam mail from him. If there was a 1708, according to Microsoft it would have the local user's name in the error. I will clear the log and see what happens.
Below is the Application log error.

Event Type:      Warning
Event Source:      MSExchangeTransport
Event Category:      Authentication
Event ID:      1706
Date:            2/15/2011
Time:            5:36:58 PM
User:            N/A
Computer:      SERVER
Description:
EXPS is temporarily unable to provide protocol security with "dnleagbrp.com".  "CSessionContext::OnEXPSInNegotiate" called "HrServerNegotiateAuth" which failed with error code 0x8007052e ( f:\tisp2\transmt\src\smtpsink\exps\expslib\context.cpp@1799 ).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2e 05 07 80               ...¿    
0
 

Author Comment

by:russgarrett
ID: 34920815
Man, there are a bunch of these in the security log. I wonder if this is helping to put together a puzzle between these events.

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      537
Date:            2/17/2011
Time:            2:01:52 PM
User:            NT AUTHORITY\SYSTEM
Computer:      SERVER
Description:
Logon Failure:
       Reason:            An error occurred during logon
       User Name:      
       Domain:            
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:      -
       Status code:      0xC000006D
       Substatus code:      0xC0000133
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:      10.0.0.37
       Source Port:      2310


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34920825
If you are concerned about being an open relay run the Exchange test tool
https://testexchangeconnectivity.com/
and/or run through Sembee's guide:
http://www.amset.info/exchange/smtp-openrelay.asp
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 34920869
I also like mxtoolbox.com.
What device is at 10.0.0.37?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34920877
That last error indicates that the PC with IP address 10.0.0.37 is the source of the problem.
If you don't know what PC that is, from a command prompt run
nbtstat -A 10.0.0.37
0
 

Author Comment

by:russgarrett
ID: 34921013
I found the machine by looking in the DHCP leases.

nbtstat did not return anything.

So that machine must have a virus, spyware or something, correct?

I will run Malwarebytes.

Glad I checked that log.
0
 

Author Comment

by:russgarrett
ID: 34921047
nbtstat did also return the name, sorry.

Also a 10.0.0.25 wireless device popped up. I will check it later.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34921072
Good chance it is a virus/malware, but if a service with the wrong credentials is trying to access the server it could also be the source.

If you are ambitious you could install www.wireshark.org and analyze the traffic to determine what is "hitting" the server, but it can be very time consuming.
0
 

Author Comment

by:russgarrett
ID: 34922527
On the PC 10.0.0.37 Malwarebytes found MALWARE.TRACE.

I also ran ComboFix and the PC seems clean.

I am clearing the server logs and will see what happens.

Also installed about 35 updates.

Let's see what happens.
0
 

Author Comment

by:russgarrett
ID: 34954533
I cleared all event logs last Thursday. I was told there are 7000 events where someone tried to login as Administrator but apparently could not. I am thinking about closing port 3389 for remote desktop and see if it stops this.

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            2/20/2011
Time:            10:04:04 AM
User:            NT AUTHORITY\SYSTEM
Computer:      SERVER
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      administrator
       Domain:            MTNBROOK
       Logon Type:      10
       Logon Process:      User32  
       Authentication Package:      Negotiate
       Workstation Name:      SERVER
       Caller User Name:      SERVER$
       Caller Domain:      MTNBROOK
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      14340
       Transited Services:      -
       Source Network Address:      125.22.251.100
       Source Port:      1312


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0
 

Author Comment

by:russgarrett
ID: 34954555
Or they are trying to come in on port 1312, whatever that is. I could look it up.
0
 

Author Comment

by:russgarrett
ID: 34954607
Going through the log, that same IP address is trying on several IP ports.

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            2/20/2011
Time:            10:04:37 AM
User:            NT AUTHORITY\SYSTEM
Computer:      SERVER
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      administrator
       Domain:            MTNBROOK
       Logon Type:      10
       Logon Process:      User32  
       Authentication Package:      Negotiate
       Workstation Name:      SERVER
       Caller User Name:      SERVER$
       Caller Domain:      MTNBROOK
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      22100
       Transited Services:      -
       Source Network Address:      125.22.251.100
       Source Port:      4034


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34954659
This looks like 2 issues. The events earlier with type 3 logons, which are generally from the LAN, and the IP verified that. These are type 10, which is usually an external connection, and the IP verifies that. The source port is usually a random port and does not indicate the incoming port.
If you have 3389 open I'll guarantee at least 1000 hits per week. I have seen 50,000 in one day. There are hundreds of hackers out there doing automated scans looking for specific types of open ports. 21 and 3389 are the most common. Once they find one they just keep hammering it. You should have password security and account lockouts enabled in group policy. If they try a legitimate account they will be locked out for x minutes. However, for non-existent or disabled accounts they can guess indefinitely. Avoid using common account names like Administrator, Admin, backup, sales, manager, POS, and so on.
0
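The distinction Rob draws above (type 3 from LAN addresses versus type 10 from a routable address, and named-account failures versus blank-user Kerberos errors) is the kind of thing worth automating when a log holds thousands of entries. The script below is an added example, not code from the thread or from any of the participants: it parses the exported "Logon Failure" text in the layout the thread's events use, classifies the source address as LAN, external or unknown, and reports counts per source, logon type and user. The sample log is constructed; the substatus table holds documented NTSTATUS values (0xC0000133 is STATUS_TIME_DIFFERENCE_AT_DC, a clock-skew error, which is one benign explanation for the 537 events shown later in the thread). The function names and severities are this example's own choices.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample in the text layout the thread's events use; only the
# fields the analysis needs are kept. Real exports carry the full field set.
SAMPLE_LOG = """\
Event ID:      529
Logon Failure:
       User Name:      administrator
       Logon Type:      10
       Source Network Address:      125.22.251.100

Event ID:      529
Logon Failure:
       User Name:      administrator
       Logon Type:      10
       Source Network Address:      125.22.251.100

Event ID:      537
Logon Failure:
       User Name:
       Logon Type:      3
       Logon Process:      Kerberos
       Substatus code:      0xC0000133
       Source Network Address:      10.0.0.37

Event ID:      529
Logon Failure:
       User Name:      1234
       Logon Type:      3
       Caller Process ID:      2084
       Source Network Address:      -
"""

# "Key:   value" lines; the key stops at the first colon, so a line such as
# "Time: 12:43:35 PM" keeps its full value.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.*?)\s*$")

# Documented NTSTATUS substatus values that 537 events carry.
SUBSTATUS = {
    "0xC0000133": "STATUS_TIME_DIFFERENCE_AT_DC (client clock out of sync with the DC)",
    "0xC000006A": "STATUS_WRONG_PASSWORD",
    "0xC0000064": "STATUS_NO_SUCH_USER",
    "0xC0000234": "STATUS_ACCOUNT_LOCKED_OUT",
}

def parse_events(text):
    """Split an exported Security log into one dict per blank-line-separated record."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        if "Event ID" in fields:
            events.append(fields)
    return events

def classify_source(addr):
    """'lan' for RFC 1918/loopback, 'external' for routable, 'unknown' for '-' or blank."""
    if addr in ("", "-"):
        return "unknown"
    try:
        return "lan" if ip_address(addr).is_private else "external"
    except ValueError:
        return "unknown"

def summarize(events):
    """Count failures per (source class, source address, logon type, user name)."""
    counts = Counter()
    for ev in events:
        src = ev.get("Source Network Address", "-")
        key = (classify_source(src), src, ev.get("Logon Type", "?"),
               ev.get("User Name", "") or "<empty>")
        counts[key] += 1
    return counts

def triage(events):
    """Turn the counts into (severity, message) findings a defender can act on."""
    findings = []
    for (cls, src, ltype, user), n in sorted(summarize(events).items()):
        if cls == "external" and ltype == "10":
            findings.append(("high", f"{n} type-10 failures from external {src} as '{user}': "
                             "password guessing against exposed 3389; close the port, enforce lockout"))
        elif cls == "lan" and ltype == "3":
            findings.append(("medium", f"{n} type-3 failures from LAN host {src} as '{user}': "
                             "check services, mapped drives and scheduled tasks on that host"))
        elif cls == "unknown":
            findings.append(("low", f"{n} failures as '{user}' with no source address: "
                             "a process on the server itself (see Caller Process ID)"))
    seen = set()   # one substatus explanation per (source, code)
    for ev in events:
        sub, src = ev.get("Substatus code"), ev.get("Source Network Address", "-")
        if sub in SUBSTATUS and (src, sub) not in seen:
            seen.add((src, sub))
            findings.append(("info", f"{src}: substatus {sub} = {SUBSTATUS[sub]}"))
    return findings

if __name__ == "__main__":
    for sev, msg in triage(parse_events(SAMPLE_LOG)):
        print(f"[{sev}] {msg}")
```

Run it against a log saved from Event Viewer (right-click the Security log, Save Log File As, text format) by replacing SAMPLE_LOG with the file contents; the same parser handles the 529, 537 and 12294 layouts because it only keys on "Field: value" lines.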
 

Author Comment

by:russgarrett
ID: 34954739
Ok. So if I have 5 or 6 internal IP addresses with a 529 error and trying to login as administrator, does this mean there probably is a virus on these machines? Then the virus is communicating with an external server or person somewhere else and that person is trying to login as Administrator?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34954847
Hard to say, but it is very possible.
If internal machines, have you ever used the administrator account to set up any server access such as mapped drives using the administrator account? If so and you have changed the password this can happen.

You can tell if a connection has been established with a remote machine by running from a command line:
netstat -an
It will show any "ESTABLISHED" connections with the local and remote IP. The port number is also shown. The local port number will help to identify the service, but the remote port number is random. Keep in mind there will be legitimate connections such as to a web site. Using -and will also list the application, which is sometimes helpful, but not often.

I would close 3389 right away and see if there is a difference.

If in fact these are internal hack attempts controlled from outside I might be tempted to wipe and reload any machines that could be infected. "Once infected, always suspected"
0
 

Author Comment

by:russgarrett
ID: 34954954
When I do a netstat -an at the server I receive a 10.0.0.2 which is the server, 127.0.0.1 which also should be the server and a long list of 0.0.0.0. All have various port IDs after each IP address.

There are no other IP addresses that come up.

What does this tell you?

Scan the other machines for sure and of course close the remote desktop and switch to TeamViewer which is like WebEx?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34955122
That would imply there are no active connections.
You are looking for ones like:
TCP    192.168.19.105:64012   123.222.157.18:21       ESTABLISHED
This is my PC connected to a remote site (123.222.157.18) using port 21 FTP.
0
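Reading netstat output by eye works for a handful of rows, but a server typically lists dozens of LISTENING sockets that are irrelevant to the question Rob is asking. The script below is an added example, not code from the thread: it parses Windows "netstat -an" output, keeps only ESTABLISHED sessions whose peer is outside private address space, and uses the local-versus-remote port to guess whether the peer connected in (as with an exposed 3389) or the machine connected out (as in Rob's FTP example). The sample output and its addresses are constructed; the service-name table and the direction heuristic are this example's own, and the parser handles IPv4 rows only.

```python
from ipaddress import ip_address

# Constructed "netstat -an" output in the Windows layout; addresses are made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    10.0.0.2:445           10.0.0.37:2310         ESTABLISHED
  TCP    10.0.0.2:3389          125.22.251.100:1312    ESTABLISHED
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED
  TCP    192.168.19.105:64012   123.222.157.18:21      ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

# Service names for the ports discussed in the thread plus a few staples;
# anything else is reported by number.
SERVICES = {21: "FTP", 25: "SMTP", 80: "HTTP", 443: "HTTPS/RWW", 445: "SMB",
            3389: "RDP", 4125: "RWW"}

def _split_endpoint(ep):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); '*:*' -> ('*', None)."""
    host, _, port = ep.rpartition(":")
    return host, (int(port) if port.isdigit() else None)

def parse_netstat(text):
    """Return one dict per connection row, skipping the header lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        lip, lport = _split_endpoint(parts[1])
        rip, rport = _split_endpoint(parts[2])
        rows.append({"proto": parts[0], "local_ip": lip, "local_port": lport,
                     "remote_ip": rip, "remote_port": rport,
                     "state": parts[3] if len(parts) > 3 else ""})
    return rows

def is_external(addr):
    """True for routable peers; private, loopback, 0.0.0.0 and '*' are not external."""
    try:
        return not ip_address(addr).is_private
    except ValueError:          # '*' or other non-IP text
        return False

def classify(conn):
    """Heuristic direction: a well-known or privileged local port paired with a
    high remote port means the peer connected to us; otherwise we connected out."""
    lp, rp = conn["local_port"], conn["remote_port"]
    if lp in SERVICES or (lp is not None and lp < 1024 and (rp or 0) >= 1024):
        return "inbound", SERVICES.get(lp, f"port {lp}")
    return "outbound", SERVICES.get(rp, f"port {rp}")

def external_established(conns):
    """ESTABLISHED sessions whose peer lies outside RFC 1918/loopback space."""
    return [c for c in conns
            if c["state"] == "ESTABLISHED" and is_external(c["remote_ip"])]

def report(text):
    """One line per external session: direction, service, local and remote endpoints."""
    lines = []
    for c in external_established(parse_netstat(text)):
        direction, svc = classify(c)
        lines.append(f"{direction:8} {svc:10} local {c['local_ip']}:{c['local_port']} "
                     f"<-> {c['remote_ip']}:{c['remote_port']}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_NETSTAT)))
```

Feed it `netstat -an > netstat.txt` from the server or a suspect workstation. An "inbound RDP" row from a routable address is exactly the exposure discussed in this thread; an "outbound" row to an unfamiliar address is what you would then investigate with the process listing (netstat -b) or Wireshark.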
 

Author Comment

by:russgarrett
ID: 34955415
Right. I currently do not see any private IP addresses connected when typing netstat -an at the server.

The network is working fine.

I guess just close 3389 and see what happens.

Agree?

I also raised this to 500 points.
0
 

Author Comment

by:russgarrett
ID: 34955540
Here is an Administrator lockout.

Event Type:      Error
Event Source:      SAM
Event Category:      None
Event ID:      12294
Date:            2/21/2011
Time:            7:25:14 AM
User:            MTNBROOK\Administrator
Computer:      SERVER
Description:
The SAM database was unable to lockout the account of Administrator due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: a5 02 00 c0               ¥..À    
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34955544
No worries on the points.
Try closing 3389 and let us know if there are any changes over the next 24 hours.

Also, did you try netstat on one of the PCs that was trying to contact the server to see if it had any outside connections? It could have a virus that is trying to do or it could be remotely controlled. Unlikely, but definitely possible.
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 34955597
You might want to read some of these suggestions, starting with the 3rd one.
http://www.eventid.net/display.asp?eventid=12294&eventno=875&source=SAM&phase=1

Also, best practice states that the account named Administrator be disabled. On an SBS there are a few rare occasions where you need that account, which is referred to as the 500 account. As a result it is best to just rename it.
0
 

Author Comment

by:russgarrett
ID: 34964097
This error occurred in the middle of the night with no one here. I have scanned several machines with Malwarebytes and found nothing since the one last week. One error like below had the IP address of the Multi Function network printer. I have closed the remote desktop port. The 7000 hits came through in one night a week ago. We will see what happens now. I cleared the event log last night and seem to only have internal errors or errors caused by iPhones.

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      537
Date:            2/23/2011
Time:            2:26:51 AM
User:            NT AUTHORITY\SYSTEM
Computer:      SERVER
Description:
Logon Failure:
       Reason:            An error occurred during logon
       User Name:      
       Domain:            
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:      -
       Status code:      0xC000006D
       Substatus code:      0xC0000133
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:      10.0.0.46
       Source Port:      1846


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34972033
This again is from a LAN PC. It could be infected with something like a "Bot", but that is less likely than an automated service trying to authenticate to the server. It can also be due to issues with Kerberos. The latter can sometimes be fixed by dis-joining the domain and re-joining. If doing so see:
http://techsoeasy.spaces.live.com/blog/cns!AB2725BC5698FCB8!278.entry
0
 

Author Comment

by:russgarrett
ID: 34982069
It is not a virus, but I may try to remove it from the domain.

I will just remove it from the domain by making it a member of Workgroup and reboot.

Then, without going through the SBS 2003 browser wizard, I can simply switch it back to the same machine name and reboot.

None of the machines that had errors from the inside had a virus. I did a Full Scan with Malwarebytes and nothing was found. Two of the machines were brand new machines that had the Kerberos error.
0
 

Author Comment

by:russgarrett
ID: 34982089
I just followed the link you gave and I will follow those instructions.

Thanks!
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34982275
Just for the record; I had a machine this week that Malwarebytes showed as 100% clean, as did Enterprise McAfee, yet there was still a Rootkit present. I found that with TDSSKiller
http://support.kaspersky.com/faq/?qid=208283363
But who is to say I still haven't missed something :-)

I don't think your issue is a virus, but don't completely rule it out.
0
 

Author Comment

by:russgarrett
ID: 34982588
OK.

I have TDSSKiller.
0
 

Author Closing Comment

by:russgarrett
ID: 35182188
Very responsive and helpful.

Excellent!
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 35182382
Thanks russgarrett.
Cheers!
--Rob
0
