
Win2003 SBS +11K in Errors and Spoofed messages HELP!!!!

Last Modified: 2012-05-11
Lately I've been getting a ton of errors on my Windows 2003 SBS Server.  In addition to the errors I've gotten 90% of users telling me that they are getting spam emails from themselves and other users on the network.

I'm running Windows 2003 SBS with Exchange 2003.   User workstations are running Windows XP Professional.

We have Trend Micro Security Dashboard installed on the server and Trend Micro Client on the workstations, Postini for spam filtering and a Sonic Wall TZ170 Firewall.  

The error messages I'm getting are:

This was today:
Critical Errors in Security Log

Source       Event ID       Last Occurrence       Total Occurrences
  Security       529       4/20/2011 5:45 AM       10,940 *
Logon Failure:
       Reason:      Unknown user name or bad password
       User Name:      anonymous
       Domain:       
       Logon Type:      3
       Logon Process:      Advapi
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      WWIPDC
       Caller User Name:      WWIPDC$
       Caller Domain:      WWI
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      1724
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -


This was yesterday:

Critical Errors in Security Log

Source       Event ID       Last Occurrence       Total Occurrences
  Security       529       4/19/2011 5:46 AM       2,937 *
Logon Failure:
       Reason:      Unknown user name or bad password
       User Name:      company
       Domain:       
       Logon Type:      3
       Logon Process:      Advapi
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      WWIPDC
       Caller User Name:      WWIPDC$
       Caller Domain:      WWI
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      1724
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -


What would I need to do to stop the spoofing on my network and what is causing these errors to suddenly show up?

Please help.

Thanks

Commented:
Do you have any open incoming ports on your firewall?  Looks like someone is trying to do a brute force password attack.

Author

Commented:
These are the only ports I have open.

4 open ports:

       25      smtp      Success      47 ms
       80      http      Success      47 ms
       110      pop3      Success      47 ms
       443      https      Success      47 ms

Is there anything on the SonicWall FW that I would need to configure to prevent the brute force password attack, and if so, how would I go about doing it?

Commented:
If you can block the port temporarily, the attempts should show up in the logs on the SonicWall, or see if the SonicWall will let you log all traffic and sort through the traffic.  If they are all coming from the same IP, you could block that IP address.  If you can not block the port, you could install a network sniffer like Wireshark (http://www.wireshark.org/) and see where the traffic is coming from.

Author

Commented:
Cool, thanks, let me try that today.  I may not be able to shut the ports down until after hours though.  Two other questions.  Do I install Wireshark on the server or on a workstation?   Also, will it cause any problems with my Exchange server?

Thanks

Commented:
For Wireshark, the best solution would be to put it on the server, but I have never done that. You should be able to put it on a workstation, but it will depend on whether your switch will allow the workstation to listen in on the traffic.
kevinhsieh, Network Engineer (Certified Expert)

Commented:
Do your users use pop3/smtp for offsite email? If they don't you can shut down pop3 on the firewall and restrict smtp to only be allowed from postini. If you are using pop3 for email, if you can get off that by using OWA or Outlook via RPC over http that would help. My guess is that the attack is coming in over SMTP because many people are seeing those attacks, but if you can turn off pop3 that would be good too.

Commented:
Actually the attack would most likely be coming from POP3 or possibly through HTTP.  SMTP does not authenticate, so there wouldn't be the authentication errors.  I agree that using OWA would be the better way of going, although it might be a hard sell to the users.
kevinhsieh, Network Engineer (Certified Expert)

Commented:
By default the SMTP service on Exchange will accept authentication requests so that users can use it to relay mail. This appears to be one of the latest spammer methods of delivering mail. Best to block the service entirely if possible. If your offsite users need to be able to use it to relay mail, then attackers can do that too if they can get a valid username/password.
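The two comments above disagree about which service is taking the password guesses, but the quoted events already narrow it down: Logon Process "Advapi" means a process running on the server itself called the LogonUser API, the caller is the machine account WWIPDC$ with Logon ID 0x3E7 (LocalSystem), and Source Network Address is "-" because the DC, not the remote client, performed the logon. That is what SMTP AUTH, POP3 and IIS basic authentication look like in a 2003 Security log; a direct network logon (NtLmSsp or Kerberos) would carry the client IP. The following is an added example, not code from the thread, that parses a log export in the poster's field layout (the sample entries are constructed), tallies failures per account and per caller PID, and labels each event by the vector it implies:

```python
"""Tally Windows 2003 Security log Event ID 529 entries and infer the
attack vector from the fields the poster quoted. Added example, not code
from the original thread; the log export below is constructed."""
import re
from collections import Counter

# Constructed sample export in the same field layout as the question. The
# first two entries mimic the thread's pattern (Advapi, caller WWIPDC$, no
# source address); the third is a normal network logon failure for contrast.
SAMPLE_EXPORT = """\
Event ID: 529
Logon Failure:
       Reason:      Unknown user name or bad password
       User Name:      anonymous
       Domain:
       Logon Type:      3
       Logon Process:      Advapi
       Caller User Name:      WWIPDC$
       Caller Process ID:      1724
       Source Network Address:      -
Event ID: 529
Logon Failure:
       Reason:      Unknown user name or bad password
       User Name:      company
       Domain:
       Logon Type:      3
       Logon Process:      Advapi
       Caller User Name:      WWIPDC$
       Caller Process ID:      1724
       Source Network Address:      -
Event ID: 529
Logon Failure:
       Reason:      Unknown user name or bad password
       User Name:      jsmith
       Domain:      WWI
       Logon Type:      3
       Logon Process:      NtLmSsp
       Caller User Name:      -
       Caller Process ID:      -
       Source Network Address:      192.0.2.45
"""

# One "Field:   value" pair per line; the value may be empty (e.g. Domain:).
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(.*?)\s*$", re.MULTILINE)


def parse_529_events(text):
    """Split an exported log into one {'Field': 'value'} dict per event."""
    events = []
    for block in re.split(r"^Event ID:\s*529\s*$", text, flags=re.MULTILINE):
        fields = dict(FIELD_RE.findall(block))
        if "User Name" in fields:   # skips the empty chunk before the first header
            events.append(fields)
    return events


def classify(event):
    """Infer how the bad credential reached the DC.

    'Advapi' with no source address means a local process called LogonUser();
    on an SBS/Exchange 2003 box that is SMTP AUTH, POP3/IMAP or IIS basic auth.
    The real client IP is then only in that service's protocol log or on the
    firewall, never in the 529 event itself.
    """
    src = event.get("Source Network Address", "-")
    if event.get("Logon Process") == "Advapi" and src == "-":
        return "service-mediated (SMTP AUTH / POP3 / IIS)"
    if src != "-":
        return "network logon from " + src
    return "unknown"


def summarize(events, pid_threshold=2):
    """Counts per account, per inferred vector and per caller PID; the alert
    list holds local PIDs that produced at least pid_threshold failures."""
    by_user = Counter(e["User Name"] for e in events)
    by_vector = Counter(classify(e) for e in events)
    by_caller_pid = Counter(e.get("Caller Process ID", "-") for e in events)
    alerts = [pid for pid, n in by_caller_pid.items()
              if pid != "-" and n >= pid_threshold]
    return {"by_user": by_user, "by_vector": by_vector,
            "by_caller_pid": by_caller_pid, "alerts": alerts}


if __name__ == "__main__":
    report = summarize(parse_529_events(SAMPLE_EXPORT))
    for key, value in report.items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

The Caller Process ID in the alert list is the local process to look at: `tasklist /FI "PID eq 1724"` on the server names it, and on Exchange 2003 the SMTP, POP3 and IIS services all run inside inetinfo.exe, so the PID alone will not separate them. Turning on protocol logging for the SMTP virtual server (and the POP3 virtual server if it stays enabled) in Exchange System Manager records the client IP per authentication attempt, which is what the firewall block or log review suggested earlier in the thread needs.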

Author

Commented:
The users on my network access email using OWA when offsite, through their Blackberries using Blackberry Internet Service, onsite on the LAN via MS Outlook, and from their home PCs they sign into the VPN and access email via Outlook once signed in.

What impact will shutting down POP3 have on the users?

If I shut down POP3, will they still be able to access their email via their Blackberries or OWA?  They travel overseas heavily throughout the week and always check in with either OWA or their Blackberry.

Would changing everyone's password make any difference in stopping this?

Commented:
If they are using OWA or connecting through the VPN first, you should be able to turn off POP3. If you are using the Blackberry Enterprise Server, I believe that is a push technology.  If you are just using the Internet mail service, they will still need the POP server; however, they can be set to connect using OWA (http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB03133) and then POP can be shut down.

Changing the passwords will not make a difference, as it looks like they don't have a password, they are just trying all combinations to find one.
kevinhsieh, Network Engineer (Certified Expert)

Commented:
[comment text not shown on this page]

Author

Commented:
Let me try this.  Thanks for the feedback.  

Author

Commented:
Thank you very much. I ran the Microsoft Malicious Software Removal Tool and found 4 severe infections on the Exchange server.   I removed the threats and the errors dropped, but the spoofed messages continued.

I made the changes to Postini and the spoofed messages came to a halt.

I appreciate all your help.  This website rocks!  

Thanks