• Status: Solved

Security Logon Failures Event ID 529 with unknown user on Server

Hi

I am having a number of logon failures on our SBS 2003 Server with odd usernames, happening in the early hours of the morning. It looks like someone is occasionally trying to log into the server, and it must be remote going by the time of day. Below are a couple of examples of the event error.

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            7/03/2011
Time:            4:25:46 AM
User:            NT AUTHORITY\SYSTEM
Computer:      HPSERVER
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      anonymous
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      HPSERVER
       Caller User Name:      HPSERVER$
       Caller Domain:      THOMSON
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      1768
       Transited Services:      -
       Source Network Address:      -
       Source Port:      


Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            6/03/2011
Time:            6:50:24 AM
User:            NT AUTHORITY\SYSTEM
Computer:      HPSERVER
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      jiwj
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      HPSERVER
       Caller User Name:      HPSERVER$
       Caller Domain:      THOMSON
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      1768
       Transited Services:      -
       Source Network Address:      -

This is not the usual Kerberos logon process that I have with my users on our domain. Workstation name and Caller User Name above are both the server name.

Any ideas would be appreciated, hopefully we are not being hacked into. This has happened about 8 times over the last weekend.
1 Solution
 
Alan Hardisty (Co-Owner) commented:
Check to see what process ID 1768 is - and then that might show you the way that the hackers are trying to brute force attack your server.

They will keep trying until they find an account with a weak password that they can work out, then they will start using your server as an authenticated relay or worse.

Please have a read of my blog articles for some good info:

http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/
 
TracyFazackerley (Author) commented:
Thanks for the quick answer. What is the best way to check what process ID 1768 is?
 
Alan Hardisty (Co-Owner) commented:
No problems - bring up Task Manager (CTRL + SHIFT + ESC) - Click on the Processes Tab and then click on View> Select Columns.  Add the Process ID column and then look down the list of services (or click on PID to sort by PID) for PID 1768.

What service is PID 1768?
 
TracyFazackerley (Author) commented:
When I look under Task Manager the PID 1768 is inetinfo.exe with username SYSTEM. Is this the same Caller ID? Does it give you any clues?
 
Alan Hardisty (Co-Owner) commented:
Inetinfo will be them trying to get in via SMTP most probably.

If you run the following command from a command prompt:

netstat -anbp tcp >c:\netstat.txt

Then type:

netstat.txt

Look for inetinfo - it should be on the same process listening on port 25 (SMTP), so the next question is - do you have any users external to your server who need to send mail to your server via SMTP?

If not - follow the suggestions in my second blog article to change the authentication on your SMTP Virtual Server to just Anonymous - which will stop this problem dead in its tracks!

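The two steps in the answers above (take the Caller Process ID from the 529 event, then see what that process is and what it listens on) can be scripted so the correlation is repeatable across many events. The following is an added example, not code from the original thread or from the expert's blog. EVENT_TEXT abridges the two events quoted in the question to the fields the triage uses; NETSTAT_TEXT is a constructed excerpt in the layout netstat -anb prints (PID column, executable name in brackets on the following line), with RFC 5737 documentation addresses and PIDs chosen to match the events.

```python
"""Attribute Security event 529 failures to a local process via Caller Process ID.
Added example, not from the original thread. EVENT_TEXT abridges the question's
two events; NETSTAT_TEXT is a constructed netstat -anb excerpt."""
import re
from collections import defaultdict

EVENT_TEXT = """\
Event Type:      Failure Audit
Event ID:      529
       User Name:      anonymous
       Logon Type:      3
       Logon Process:      Advapi
       Caller User Name:      HPSERVER$
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      1768
       Source Network Address:      -

Event Type:      Failure Audit
Event ID:      529
       User Name:      jiwj
       Logon Type:      3
       Logon Process:      Advapi
       Caller User Name:      HPSERVER$
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      1768
       Source Network Address:      -
"""
# Constructed: addresses are RFC 5737 ranges; the PID matches the events above.
NETSTAT_TEXT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1768
 [inetinfo.exe]
  TCP    0.0.0.0:691            0.0.0.0:0              LISTENING       1768
 [inetinfo.exe]
  TCP    192.0.2.10:25          198.51.100.7:21239     ESTABLISHED     1768
 [inetinfo.exe]
"""
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")
CONN_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
EXE_RE = re.compile(r"^\s*\[(.+?)\]\s*$")
LOCAL_SYSTEM = "(0x0,0x3E7)"  # logon ID of the LocalSystem session

def parse_529_events(text):
    """One {field: value} dict per pasted event; 'Event Type' starts a new one."""
    events, cur = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Event Type":
            cur = {}
            events.append(cur)
        if cur is not None:
            cur[key] = value
    return events

def parse_netstat(text):
    """PID -> executable, listening ports, established peers (netstat -anb layout)."""
    procs = defaultdict(lambda: {"exe": None, "listening": set(), "established": set()})
    last = None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            local, foreign, state, pid = m.groups()
            last = procs[int(pid)]
            if state == "LISTENING":
                last["listening"].add(int(local.rsplit(":", 1)[1]))
            elif state == "ESTABLISHED":
                last["established"].add(foreign)
        elif (m := EXE_RE.match(line)) and last is not None:
            last["exe"] = m.group(1)      # "[name.exe]" follows its connection line
    return procs

def triage(events, procs):
    """Group 529 events by Caller Process ID and say what that process is.
    PIDs are reused: take the netstat snapshot while that process is still running."""
    out = {}
    for ev in (e for e in events if e.get("Event ID") == "529"):
        pid = int(ev["Caller Process ID"])
        s = out.setdefault(pid, {
            "process": procs[pid]["exe"] if pid in procs else None,
            "listening_ports": sorted(procs[pid]["listening"]) if pid in procs else [],
            "attempts": 0, "usernames": [],
            "via_local_service": True, "client_ip_in_event": True})
        s["attempts"] += 1
        if ev["User Name"] not in s["usernames"]:
            s["usernames"].append(ev["User Name"])
        # Advapi with the machine account as caller under LocalSystem: a service
        # called LogonUser for a client that authenticated to it over the
        # network (Logon Type 3), so the event itself never records the client IP.
        s["via_local_service"] &= (ev["Logon Process"] == "Advapi"
                                   and ev["Caller User Name"].endswith("$")
                                   and ev["Caller Logon ID"] == LOCAL_SYSTEM
                                   and ev["Logon Type"] == "3")
        s["client_ip_in_event"] &= ev.get("Source Network Address", "-") != "-"
    return out

if __name__ == "__main__":
    for pid, s in triage(parse_529_events(EVENT_TEXT), parse_netstat(NETSTAT_TEXT)).items():
        print(pid, s)
```

The point of the via_local_service flag is the caveat behind the "-" in Source Network Address: when inetinfo.exe (or any service) validates a password on a client's behalf through LogonUser, the Security log shows the server as both Workstation Name and caller, and the remote address is simply not in the event. To find where the guesses come from, turn to the log the service itself writes (for the SMTP virtual server, its protocol log if logging is enabled on it) rather than the Security log.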
 
TracyFazackerley (Author) commented:
I found inetinfo was listening on port 25 along with ports 691, 1062-65 and 1070. It said it was established with other ports, I think, such as 21239.

I have users on VPN who are sending email and also one that uses gmail also that we forward to and he often sends to other users from. Should I still follow your suggestion to change authentication?
 
Alan Hardisty (Co-Owner) commented:
Okay - from the list of ports you mentioned I would only imagine port 25 would be open on your firewall.

To check - visit www.canyouseeme.org and test each port - I would be very surprised if any other port responds with SUCCESS other than port 25.

If you have VPN users who send mail through your server once they have connected via VPN - then they should not be using SMTP to send mail direct to your server - they would normally be configured using Cached Exchange Mode.

People sending to / from Gmail should not be a problem either, as when Gmail sends to your server it will use anonymous authentication.

Drop the Basic & Integrated Windows Authentication - restart the Simple Mail Transfer Protocol Service and then that door should be closed.

If you get problems with users - you know immediately what you changed and can put the authentication back, but I very much doubt it will be necessary.

That should solve the problem and the errors should reduce dramatically - until they try and find another method to try and breach your server security, but you sound pretty tight, so shouldn't have too many problems.
 
TracyFazackerley (Author) commented:
Ok will try that. Just to confirm I am doing it right, when you mean drop the Basic and Integrated Windows Authentication, you mean change to Anonymous as in your blog article? Sorry not so sure on this stuff.
 
Alan Hardisty (Co-Owner) commented:
Yes - just leave Anonymous enabled (Ticked) and nothing else then restart the Simple Mail Transfer Protocol Service to force the changes into effect.

As per my blogs - I was seeing thousands of the errors daily on the servers we look after until I only allowed anonymous authentication.  Now the logs are much emptier : )
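Once Basic and Integrated Windows Authentication are unticked and the SMTP service restarted, the quickest way to confirm the door is closed is to speak ESMTP to the server from outside and look at what the EHLO reply advertises: with Anonymous only, no AUTH line is offered, so a password-guessing client has nothing to present credentials to, while ordinary inbound delivery (which is anonymous) is unaffected. The following checker is an added example, not code from the thread or the expert's blog. The two embedded EHLO replies are constructed in the style Exchange 2003 uses (including the legacy AUTH=LOGIN line); mail.example.com and the client address are placeholders, and the live ehlo() function is only exercised when a host is given on the command line.

```python
"""Check whether an SMTP virtual server still offers AUTH after the change.
Added example, not from the original thread. The EHLO replies are constructed
in Exchange 2003 style; mail.example.com is a placeholder host."""
import socket
import sys

# Constructed: default SMTP virtual server (Anonymous + Basic + Integrated Windows).
EHLO_BEFORE = """\
250-mail.example.com Hello [198.51.100.7]
250-SIZE
250-PIPELINING
250-8bitmime
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250 OK
"""
# Constructed: the same server after leaving only Anonymous ticked.
EHLO_AFTER = """\
250-mail.example.com Hello [198.51.100.7]
250-SIZE
250-PIPELINING
250-8bitmime
250 OK
"""

def advertised_auth(ehlo_reply):
    """Return the set of AUTH mechanisms a multi-line EHLO reply offers.
    Handles the RFC 4954 'AUTH X Y' keyword and the legacy 'AUTH=X' form."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        if not line.startswith("250") or len(line) < 5:
            continue
        keyword = line[4:].strip().upper()
        if keyword.startswith(("AUTH ", "AUTH=")):
            mechs.update(keyword[5:].split())
    return mechs

def _read_reply(f):
    """Read one SMTP reply: 'NNN-' lines continue it, 'NNN ' ends it."""
    lines = []
    while True:
        line = f.readline().decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return "\n".join(lines)

def ehlo(host, port=25, timeout=10):
    """Connect, consume the 220 banner, send EHLO and return the reply text."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rwb", buffering=0)
        _read_reply(f)
        f.write(b"EHLO probe.example.com\r\n")
        reply = _read_reply(f)
        f.write(b"QUIT\r\n")
        return reply

if __name__ == "__main__":
    # With a hostname argument the check runs live; without one it uses the sample.
    reply = ehlo(sys.argv[1]) if len(sys.argv) > 1 else EHLO_AFTER
    mechs = advertised_auth(reply)
    print("AUTH offered:", sorted(mechs) if mechs else "none (anonymous only)")
```

Run it from a machine outside the firewall (the same vantage point as the canyouseeme.org port test), because what matters is what the attacker's path sees; a result of "none" after the change is the expected outcome, and any remaining mechanism means an authentication option is still ticked on the virtual server.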
 
Alan Hardisty (Co-Owner) commented:
Here's one I prepared earlier!

It should look like the image below:
SMTP-Virtual-Server-Authenticati.png
 
TracyFazackerley (Author) commented:
Ok done thank you! Will see how it goes.
 
Alan Hardisty (Co-Owner) commented:
You should be fine - but if you need more help with this issue - please just post again.

Thanks for the points.

Alan
