Solved

Security Logon Failures Event ID 529 with unknown user on Server

Posted on 2011-03-06
3,325 Views
Last Modified: 2013-11-29
Hi

I am having a number of logon failures on our SBS 2003 Server which are odd usernames happening in the early hours of the morning. It looks like someone occasionally is trying to log into the server, but it must be remote going by the time of day. Below are a couple of examples of the event error.

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            7/03/2011
Time:            4:25:46 AM
User:            NT AUTHORITY\SYSTEM
Computer:      HPSERVER
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      anonymous
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      HPSERVER
       Caller User Name:      HPSERVER$
       Caller Domain:      THOMSON
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      1768
       Transited Services:      -
       Source Network Address:      -
       Source Port:      


Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            6/03/2011
Time:            6:50:24 AM
User:            NT AUTHORITY\SYSTEM
Computer:      HPSERVER
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      jiwj
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      HPSERVER
       Caller User Name:      HPSERVER$
       Caller Domain:      THOMSON
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      1768
       Transited Services:      -
       Source Network Address:      -

This is not the usual Kerberos logon process that I have with my users on our domain. Workstation name and Caller User Name above are both the server name.

Any ideas would be appreciated, hopefully we are not being hacked into. This has happened about 8 times over the last weekend.
0
Question by:TracyFazackerley
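The records in the question share one shape (Logon Process Advapi, Logon Type 3, Caller User Name HPSERVER$, a Caller Process ID), which is the thing worth pulling out of an exported Security log automatically. This is an added Python example, not code from the thread: it parses records in that exported layout and groups the Advapi failures by Caller Process ID, the value to look up in Task Manager. The three sample records are constructed to mirror the question's format.

```python
import re
from collections import Counter

# Constructed sample in the layout of the question's exported events (made-up
# records, not copied from a real server): two Advapi failures, one NTLM one.
SAMPLE_EXPORT = """\
Event ID:      529
       User Name:      anonymous
       Logon Type:      3
       Logon Process:      Advapi  
       Caller Process ID:      1768

Event ID:      529
       User Name:      jiwj
       Logon Type:      3
       Logon Process:      Advapi  
       Caller Process ID:      1768

Event ID:      529
       User Name:      tracy
       Logon Type:      3
       Logon Process:      NtLmSsp 
       Caller Process ID:      -
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")  # "Name:   value" lines

def parse_events(text):
    """Return one dict of field -> value per blank-line-separated record."""
    events = []
    for record in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in record.splitlines():
            m = FIELD.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        events.append(fields)
    return events

def service_auth_failures(events):
    """529 records matching the thread's pattern: a network (type 3) logon that
    went through Advapi, i.e. a local service calling LogonUser for a remote
    client, rather than the domain logon path the poster's users normally take."""
    return [e for e in events
            if e.get("Event ID") == "529"
            and e.get("Logon Process") == "Advapi"
            and e.get("Logon Type") == "3"]

def callers_by_pid(events):
    """Count flagged failures per Caller Process ID (the PID to find in Task Manager)."""
    return Counter(e.get("Caller Process ID") for e in service_auth_failures(events))
```

A high count against a single PID that turns out to be inetinfo.exe points at the SMTP service, which is where the rest of the thread goes.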
12 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35048439
Check to see what process ID 1768 is - and then that might show you the way that the hackers are trying to brute force attack your server.

They will keep trying until they find an account with a weak password that they can work out, then they will start using your server as an authenticated relay or worse.

Please have a read of my blog articles for some good info:

http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/
0
 

Author Comment

by:TracyFazackerley
ID: 35048554
Thanks for the quick answer. What is the best way to check what process ID 1768 is?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35048572
No problems - bring up Task Manager (CTRL + SHIFT + ESC) - Click on the Processes Tab and then click on View> Select Columns.  Add the Process ID column and then look down the list of services (or click on PID to sort by PID) for PID 1768.

What service is PID 1768?
0
 

Author Comment

by:TracyFazackerley
ID: 35048574
When I look under Task Manager the PID 1768 is inetinfo.exe with username SYSTEM. Is this the same Caller ID? Does it give you any clues?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35048674
Inetinfo will be them trying to get in via SMTP most probably.

If you run the following command from a command prompt:

netstat -anbp tcp >c:\netstat.txt

Then type:

netstat.txt

Look for inetinfo - it should be on the same process listening on port 25 (SMTP), so the next question is - do you have any users external to your server who need to send mail to your server via SMTP?

If not - follow the suggestions in my second blog article to change the authentication on your SMTP Virtual Server to just Anonymous - which will stop this problem dead in its tracks!

0
 

Author Comment

by:TracyFazackerley
ID: 35048936
I found inetinfo was listening on Port 25 along with ports 691, 1062-65 and 1070. It said it was established with other ports I think such as 21239.

I have users on VPN who are sending email and also one that uses gmail also that we forward to and he often sends to other users from. Should I still follow your suggestion to change authentication?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35048979
Okay - from the list of ports you mentioned I would only imagine port 25 would be open on your firewall.

To check - visit www.canyouseeme.org and test each port - I would be very surprised if any other port responds with SUCCESS other than port 25.

If you have VPN users who send mail through your server once they have connected via VPN - then they should not be using SMTP to send mail direct to your server - they would normally be configured using Cached Exchange Mode.

People sending to / from Gmail should not be a problem either as when Gmail sends to your server - it will use anonymous authentication.

Drop the Basic & Integrated Windows Authentication - restart the Simple Mail Transfer Protocol Service and then that door should be closed.

If you get problems with users - you know immediately what you changed and can put the authentication back, but I very much doubt it will be necessary.

That should solve the problem and the errors should reduce dramatically - until they try and find another method to try and breach your server security, but you sound pretty tight, so shouldn't have too many problems.
0
 

Author Comment

by:TracyFazackerley
ID: 35049072
Ok will try that. Just to confirm I am doing it right, when you mean drop the Basic and Integrated Windows Authentication, you mean change to Anonymous as in your blog article? Sorry not so sure on this stuff.
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 35049083
Yes - just leave Anonymous enabled (Ticked) and nothing else then restart the Simple Mail Transfer Protocol Service to force the changes into effect.

As per my blogs - I was seeing thousands of the errors daily on the servers we look after until I only allowed anonymous authentication.  Now the logs are much emptier : )
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35049112
Here's one I prepared Earlier!

It should look like the image below:
[Image: SMTP-Virtual-Server-Authenticati.png]
0
 

Author Closing Comment

by:TracyFazackerley
ID: 35049155
Ok done thank you! Will see how it goes.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35049193
You should be fine - but if you need more help with this issue - please just post again.

Thanks for the points.

Alan
0
