Security Logon Failures Event ID 529 with unknown user on Server

Posted on 2011-03-06
Last Modified: 2013-11-29
Hi

I am having a number of logon failures on our SBS 2003 Server which are odd usernames happening in the early hours of the morning. It looks like someone occasionally is trying to log into the server, but it must be remote, going by the time of day. Below are a couple of examples of the event error.

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            7/03/2011
Time:            4:25:46 AM
User:            NT AUTHORITY\SYSTEM
Computer:      HPSERVER
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      anonymous
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      HPSERVER
       Caller User Name:      HPSERVER$
       Caller Domain:      THOMSON
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      1768
       Transited Services:      -
       Source Network Address:      -
       Source Port:      


Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            6/03/2011
Time:            6:50:24 AM
User:            NT AUTHORITY\SYSTEM
Computer:      HPSERVER
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      jiwj
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      HPSERVER
       Caller User Name:      HPSERVER$
       Caller Domain:      THOMSON
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      1768
       Transited Services:      -
       Source Network Address:      -

This is not the usual Kerberos logon process that I have with my users on our domain. Workstation name and Caller User Name above are both the server name.

Any ideas would be appreciated, hopefully we are not being hacked into. This has happened about 8 times over the last weekend.
Question by:TracyFazackerley
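A small triage script for events like the two above (an added example, not code from the thread or from Experts Exchange): it parses events copied out of Event Viewer in this text layout, flags the ones with the shape discussed here (Logon Type 3, Logon Process Advapi, the server's own machine account as caller, no source network address), and counts attempts per user name and per caller PID so the PID can be looked up in Task Manager. The sample records are constructed from the fields in the question; Python 3.8+ is assumed.

```python
import re
from collections import Counter
# Constructed sample in the layout Event Viewer uses when an event is copied
# out; the first record mirrors the question, the second is a normal failure.
SAMPLE_EVENTS = """\
Event ID:      529
Computer:      HPSERVER
       User Name:      jiwj
       Logon Type:      3
       Logon Process:      Advapi
       Workstation Name:      HPSERVER
       Caller User Name:      HPSERVER$
       Caller Process ID:      1768
       Source Network Address:      -

Event ID:      529
Computer:      HPSERVER
       User Name:      tracy
       Logon Type:      3
       Logon Process:      NtLmSsp
       Workstation Name:      WS01
       Caller User Name:      -
       Caller Process ID:      -
       Source Network Address:      192.168.1.20
"""

def parse_events(text):
    # One dict per event; records are "Key: value" lines split by blank lines.
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            if m := re.match(r"\s*([^:]+?):\s*(.*?)\s*$", line):
                fields[m.group(1)] = m.group(2)
        events.append(fields)
    return events

def is_local_service_failure(ev):
    # The shape in the thread: a type 3 logon failed through Advapi, the caller
    # is the server's own machine account and no source address was recorded.
    return (ev.get("Event ID") == "529"
            and ev.get("Logon Type") == "3"
            and ev.get("Logon Process") == "Advapi"
            and ev.get("Caller User Name", "").endswith("$")
            and ev.get("Workstation Name") == ev.get("Computer")
            and ev.get("Source Network Address", "-") in ("-", ""))

def summarize(text):
    # Attempts per user name, and the caller PIDs to look up in Task Manager.
    flagged = [ev for ev in parse_events(text) if is_local_service_failure(ev)]
    return (Counter(ev["User Name"] for ev in flagged),
            Counter(ev["Caller Process ID"] for ev in flagged))
```

Run it over a larger paste of events (or a text export of the Security log) and a single caller PID behind many different user names points at the service, here inetinfo.exe, that is authenticating the attempts.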
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35048439
Check to see what process ID 1768 is - and then that might show you the way that the hackers are trying to brute force attack your server.

They will keep trying until they find an account with a weak password that they can work out, then they will start using your server as an authenticated relay or worse.

Please have a read of my blog articles for some good info:

http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/

Author Comment

by:TracyFazackerley
ID: 35048554
Thanks for the quick answer. What is the best way to check what process ID 1768 is?
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35048572
No problems - bring up Task Manager (CTRL + SHIFT + ESC) - Click on the Processes Tab and then click on View> Select Columns.  Add the Process ID column and then look down the list of services (or click on PID to sort by PID) for PID 1768.

What service is PID 1768?

Author Comment

by:TracyFazackerley
ID: 35048574
When I look under Task Manager the PID 1768 is inetinfo.exe with username SYSTEM. Is this the same Caller ID? Does it give you any clues?
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35048674
Inetinfo will be them trying to get in via SMTP most probably.

If you run the following command from a command prompt:

netstat -anbp tcp >c:\netstat.txt

Then type:

c:\netstat.txt

Look for inetinfo - it should be on the same process listening on port 25 (SMTP), so the next question is - do you have any users external to your server who need to send mail to your server via SMTP?

If not - follow the suggestions in my second blog article to change the authentication on your SMTP Virtual Server to just Anonymous - which will stop this problem dead in its tracks!


Author Comment

by:TracyFazackerley
ID: 35048936
I found inetinfo was listening on Port 25 along with ports 691, 1062-65 and 1070. It said it was established with other ports I think such as 21239.

I have users on VPN who are sending email and also one that uses gmail also that we forward to and he often sends to other users from. Should I still follow your suggestion to change authentication?
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35048979
Okay - from the list of ports you mentioned I would only imagine port 25 would be open on your firewall.

To check - visit www.canyouseeme.org and test each port - I would be very surprised if any other port responds with SUCCESS other than port 25.

If you have VPN users who send mail through your server once they have connected via VPN - then they should not be using SMTP to send mail direct to your server - they would normally be configured using Cached Exchange Mode.

People sending to / from Gmail should not be a problem either as when Gmail sends to your server - it will use anonymous authentication.

Drop the Basic & Integrated Windows Authentication - restart the Simple Mail Transfer Protocol Service and then that door should be closed.

If you get problems with users - you know immediately what you changed and can put the authentication back, but I very much doubt it will be necessary.

That should solve the problem and the errors should reduce dramatically - until they try and find another method to try and breach your server security, but you sound pretty tight, so shouldn't have too many problems.

Author Comment

by:TracyFazackerley
ID: 35049072
Ok will try that. Just to confirm I am doing it right, when you mean drop the Basic and Integrated Windows Authentication, you mean change to Anonymous as in your blog article? Sorry not so sure on this stuff.
LVL 76

Accepted Solution

by:Alan Hardisty (earned 500 total points)
ID: 35049083
Yes - just leave Anonymous enabled (Ticked) and nothing else then restart the Simple Mail Transfer Protocol Service to force the changes into effect.

As per my blogs - I was seeing thousands of the errors daily on the servers we look after until I only allowed anonymous authentication.  Now the logs are much emptier : )
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35049112
Here's one I prepared earlier!

It should look like the image below:
SMTP-Virtual-Server-Authenticati.png

Author Closing Comment

by:TracyFazackerley
ID: 35049155
Ok done thank you! Will see how it goes.
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35049193
You should be fine - but if you need more help with this issue - please just post again.

Thanks for the points.

Alan