Solved

Win2003 SBS +11K in Errors and Spoofed messages HELP!!!!

Posted on 2011-04-20
Medium Priority
532 Views
Last Modified: 2012-05-11
Lately I've been getting a ton of errors on my Windows 2003 SBS Server.  In addition to the errors I've gotten 90% of users telling me that they are getting spam emails from themselves and other users on the network.

I'm running Windows 2003 SBS with Exchange 2003.   User workstations are running Windows XP Professional.

We have Trend Micro Security Dashboard installed on the server and Trend Micro Client on the workstations, Postini for spam filtering and a Sonic Wall TZ170 Firewall.  

The error messages I'm getting are:

This was today:


Critical Errors in Security Log

Source       Event ID       Last Occurrence          Total Occurrences
Security     529            4/20/2011 5:45 AM        10,940 *
Logon Failure:
       Reason:      Unknown user name or bad password
       User Name:      anonymous
       Domain:       
       Logon Type:      3
       Logon Process:      Advapi
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      WWIPDC
       Caller User Name:      WWIPDC$
       Caller Domain:      WWI
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      1724
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -


This was yesterday:

Critical Errors in Security Log

Source       Event ID       Last Occurrence          Total Occurrences
Security     529            4/19/2011 5:46 AM        2,937 *
Logon Failure:
       Reason:      Unknown user name or bad password
       User Name:      company
       Domain:       
       Logon Type:      3
       Logon Process:      Advapi
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      WWIPDC
       Caller User Name:      WWIPDC$
       Caller Domain:      WWI
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      1724
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -


What would I need to do to stop the spoofing on my network and what is causing these errors to suddenly show up?

Please help.

Thanks
Question by:jungliss28
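The two event 529 entries quoted above share a pattern worth checking for before touching the firewall: Logon Process Advapi, Logon Type 3, the caller is the server's own machine account (WWIPDC$), and the Source Network Address is "-". That combination means a service running on the server validated a username and password on behalf of some remote client, which is why the event never records the client's address. The script below is an added example for this thread (not code from the question, from Microsoft or from Trend Micro) that parses descriptions in the layout shown above and separates those service-mediated failures from ordinary workstation logons. The sample entries are constructed to mimic the question's two entries plus one console failure for contrast; the user name "jsmith" and workstation "WS01" are made up.

```python
"""Triage Windows 2003 Security log 'Logon Failure' (event 529) entries.

Added example for this thread; not code from the thread, from Microsoft or
from Trend Micro. It parses event descriptions in the layout the question
quotes and groups the failures so that a service-mediated burst (Logon
Process Advapi, Logon Type 3, Caller = machine account, no Source Network
Address) stands out from ordinary workstation logon failures.
"""
import re
from collections import Counter

# Layout of one 529 description, as quoted in the question.
TEMPLATE = """Logon Failure:
       Reason:      Unknown user name or bad password
       User Name:      {user}
       Domain:      {domain}
       Logon Type:      {ltype}
       Logon Process:      {process}
       Authentication Package:      {package}
       Workstation Name:      {workstation}
       Caller User Name:      {caller}
       Caller Domain:      WWI
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      {pid}
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -
"""
KEYS = ("user", "domain", "ltype", "process", "package", "workstation", "caller", "pid")
NTLM = "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0"
# Constructed sample: three service-mediated failures like the question's,
# plus one ordinary console failure (jsmith / WS01 are made-up values).
SAMPLE_ENTRIES = [
    ("anonymous", "", "3", "Advapi", NTLM, "WWIPDC", "WWIPDC$", "1724"),
    ("anonymous", "", "3", "Advapi", NTLM, "WWIPDC", "WWIPDC$", "1724"),
    ("company", "", "3", "Advapi", NTLM, "WWIPDC", "WWIPDC$", "1724"),
    ("jsmith", "WWI", "2", "User32", "Negotiate", "WS01", "-", "-"),
]
SAMPLE_LOG = "".join(TEMPLATE.format(**dict(zip(KEYS, row))) for row in SAMPLE_ENTRIES)

# "       Logon Type:      3" -> key "Logon Type", value "3"; keys may contain spaces.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_events(text):
    """Return one {field: value} dict per 'Logon Failure:' block."""
    events, current = [], None
    for line in text.splitlines():
        if line.strip() == "Logon Failure:":
            current = {}
            events.append(current)
        elif current is not None:
            match = FIELD_RE.match(line)
            if match:
                current[match.group(1)] = match.group(2)
    return events


def is_service_mediated(event):
    """A local service validated credentials for a remote client via
    LogonUser: the caller is the machine account, the logon process is
    Advapi, and no source address reaches the log."""
    return (event.get("Logon Process") == "Advapi"
            and event.get("Logon Type") == "3"
            and event.get("Caller User Name", "").endswith("$")
            and event.get("Source Network Address", "-") == "-")


def summarize_failures(events, threshold=2):
    """Aggregate counts; flag names with >= threshold service-mediated failures."""
    mediated = [e for e in events if is_service_mediated(e)]
    per_user = Counter(e.get("User Name", "?") for e in mediated)
    return {
        "total": len(events),
        "service_mediated": len(mediated),
        "caller_pids": Counter(e.get("Caller Process ID", "?") for e in mediated),
        "by_user": Counter(e.get("User Name", "?") for e in events),
        "flagged_users": sorted(u for u, n in per_user.items() if n >= threshold),
    }


if __name__ == "__main__":
    report = summarize_failures(parse_events(SAMPLE_LOG))
    print(f"{report['service_mediated']}/{report['total']} failures were service-mediated")
    print("caller PIDs to resolve with 'tasklist /svc':", dict(report["caller_pids"]))
    print("names under guessing:", report["flagged_users"])
```

The Caller Process ID is the fastest way to settle which service is doing the authenticating: on Windows 2003, `tasklist /svc` lists every process with the services it hosts, so looking up 1724 on the server tells you whether it is the SMTP service, POP3 or IIS, and therefore which port actually needs restricting. The daily totals in the question (2,937 and then 10,940 the next morning) are the other number to keep an eye on once a change is made: if the count stops climbing, the right door was closed.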
13 Comments
 
LVL 9

Expert Comment

by:ittogo
ID: 35432027
Do you have any open incoming ports on your firewall?  Looks like someone is trying to do a brute force password attack.
 

Author Comment

by:jungliss28
ID: 35432234
These are the only ports I have open.

4 open ports:

       25      smtp      Success      47 ms
       80      http      Success      47 ms
       110      pop3      Success      47 ms
       443      https      Success      47 ms

Is there anything on the Sonic Wall FW that I would need to configure to prevent the brute force password attack, and if so how would I go about doing it?

 
LVL 9

Expert Comment

by:ittogo
ID: 35432372
If you can block the port temporarily, the attempts should show up in the logs on the Sonicwall, or see if the Sonicwall will let you log all traffic and sort through the traffic.  If they are all coming from the same IP, you could block that IP address.  If you cannot block the port, you could install a network sniffer like wireshark (http://www.wireshark.org/) and see where the traffic is coming from.
 

Author Comment

by:jungliss28
ID: 35432875
Cool thanks let me try that today.  I may not be able to shut the ports down until after hours though.  Two other questions.  Do I install wireshark on the server or on a workstation?   Also will it cause any problems with my exchange server?

Thanks
 
LVL 9

Expert Comment

by:ittogo
ID: 35433211
For wireshark, the best solution would be to put it on the server, but I have never done that. You should be able to put it on a workstation, but it will depend on if your switch will allow the workstation to listen in on the traffic.
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 35433863
Do your users use POP3/SMTP for offsite email? If they don't, you can shut down POP3 on the firewall and restrict SMTP to only be allowed from Postini. If you are using POP3 for email and you can get off that by using OWA or Outlook via RPC over HTTP, that would help. My guess is that the attack is coming in over SMTP because many people are seeing those attacks, but if you can turn off POP3 that would be good too.
 
LVL 9

Expert Comment

by:ittogo
ID: 35434131
Actually the attack would be most likely coming from POP3 or possibly through HTTP.  SMTP does not authenticate, so there wouldn't be the authentication errors.  I agree that using OWA would be the better way of going, although it might be a hard sell to the users.
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 35434251
By default the SMTP service on Exchange will accept authentication requests so that users can use it to relay mail. This appears to be one of the latest spammer methods of delivering mail. Best to block the service entirely if possible. If your offsite users need to be able to use it to relay mail, then attackers can do that too if they can get a valid username/password.
 

Author Comment

by:jungliss28
ID: 35434793
The users on my network access email using OWA when offsite, through their Blackberries using Blackberry Internet Service, onsite on the LAN via MS Outlook, and from their home PCs they sign into the VPN and access email via Outlook once signed into the VPN.

What impact will shutting down POP3 have on the users?

If I shut down POP3 will they still be able to access their email via their Blackberries or OWA?  They travel overseas heavily throughout the week and always check in with either OWA or their Blackberry.

Would changing everyone's password make any difference in stopping this?
 
LVL 9

Expert Comment

by:ittogo
ID: 35434940
If they are using OWA or connecting through the VPN first, you should be able to turn off POP3. If you are using the Blackberry enterprise server, I believe that is a push technology.  If you are just using the internet mail service, they will still need the POP server, however, they can be set to connect using OWA (http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB03133) and then POP can be shut down.

Changing the passwords will not make a difference, as it looks like they don't have a password; they are just trying all combinations to find one.
 
LVL 42

Accepted Solution

by: kevinhsieh (earned 2000 total points)
ID: 35435202
To see what IP addresses from Postini that you need to allow access to SMTP on your firewall, see chapter 23, "IP Ranges and Security", p. 495 of the following document:
http://www.postini.com/webdocs/admin_ee_cu/administration.pdf

If you only allow Postini to connect to your SMTP service your threat exposure goes down.
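What the accepted answer changes is the inbound policy on the firewall: port 25 stays reachable only from the filtering service's source ranges, and POP3 stops being published at all, while OWA over 443 is untouched. The evaluator below is an added example written for this thread (not the thread's own configuration and not SonicWall rule syntax) that models both policies as first-match rules with a default deny and runs a few constructed connection attempts through each. The source ranges in it are placeholders taken from the RFC 5737 documentation blocks, not Postini's real addresses; those come from the administration guide linked above.

```python
"""Inbound firewall policy before and after restricting SMTP to the mail filter.

Added example for this thread; not the thread's configuration and not
SonicWall syntax. A first-match rule evaluator with default deny compares
the four open ports from the question against the policy the accepted
answer proposes (POP3 closed, SMTP only from the filter's source ranges).
"""
import ipaddress
from collections import namedtuple

# sources=None means "any source address".
Rule = namedtuple("Rule", ["port", "action", "sources"])

# PLACEHOLDER ranges (RFC 5737 documentation space) standing in for the
# filter's real outbound blocks, which come from the Postini admin guide.
FILTER_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                 ipaddress.ip_network("198.51.100.0/25")]

# The four ports the question lists as open, all reachable from anywhere.
BEFORE = [
    Rule(25, "allow", None),
    Rule(80, "allow", None),
    Rule(110, "allow", None),
    Rule(443, "allow", None),
]

# Accepted answer: SMTP only from the filter; POP3 no longer published.
AFTER = [
    Rule(25, "allow", FILTER_RANGES),
    Rule(80, "allow", None),
    Rule(443, "allow", None),
]


def decide(rules, port, src_ip):
    """First matching rule wins; anything unmatched is denied."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.port != port:
            continue
        if rule.sources is None or any(addr in net for net in rule.sources):
            return rule.action
    return "deny"


def exposed_ports(rules):
    """Ports that any Internet host may reach under this policy."""
    return sorted(r.port for r in rules if r.action == "allow" and r.sources is None)


def compare_policies(connections):
    """Return (port, ip, before, after) for each connection attempt."""
    return [(p, ip, decide(BEFORE, p, ip), decide(AFTER, p, ip)) for p, ip in connections]


# Constructed connection attempts (addresses from RFC 5737 space).
SAMPLE_CONNECTIONS = [
    (25, "192.0.2.44"),      # SMTP from an arbitrary Internet host
    (25, "203.0.113.17"),    # SMTP from the filter's range
    (110, "192.0.2.44"),     # POP3 from an arbitrary host
    (443, "192.0.2.44"),     # OWA over HTTPS, still reachable
]

if __name__ == "__main__":
    print("open to anyone before:", exposed_ports(BEFORE), "after:", exposed_ports(AFTER))
    for port, ip, before, after in compare_policies(SAMPLE_CONNECTIONS):
        print(f"port {port:>3} from {ip:<14} before={before:<5} after={after}")
```

Read the output as a checklist for the change window: the only authenticated service still reachable from arbitrary addresses afterwards is OWA on 443, which is what the users in this thread already rely on, and inbound mail continues to arrive because the filter's ranges are still allowed on 25.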
 

Author Comment

by:jungliss28
ID: 35437261
Let me try this.  Thanks for the feedback.  
 

Author Closing Comment

by:jungliss28
ID: 35455857
Thank you very much. I ran the Microsoft Malicious Software Removal Tool and found 4 severe infections on the exchange server.   I removed the threats and the errors dropped but the spoofed messages continued.

I made the changes to Postini and the spoofed messages came to a halt.  

I appreciate all your help.  This website rocks!  

Thanks
