Event Failure Secuirty concern

Farris007
Farris007 used Ask the Experts™
on
Hi
I have a client that has Exchange 2007 in private network, and OWA1 in DMZ. We are oviusly under some kind off brute force or DDOS attack, but I cannot determine where this is comming the log is not really showing me logs of info, as I provided the log below ( XXX marks are for protection of server name and domain). We use Kaspersky as Antivirus.
This attacker is using diiferent Usernames, such as: Manager, Candy, Power, and so on. But there is no IP workstation name (except log is showing same Server name)

I need help ASAP, any idea will be appreciated.

Thank you very much.

 An account failed to log on.

Subject:
      Security ID:            NETWORK SERVICE
      Account Name:            XXXXXEX1$
      Account Domain:            XXXXX
      Logon ID:            0x3e4

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            power
      Account Domain:            

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xc000006d
      Sub Status:            0xc0000064

Process Information:
      Caller Process ID:      0xd88
      Caller Process Name:      C:\Program Files\Microsoft\Exchange Server\Bin\EdgeTransport.exe

Network Information:
      Workstation Name:      XXXXXEX1
      Source Network Address:      -
      Source Port:            -

Detailed Authentication Information:
      Logon Process:            Advapi  
      Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Are you getting alot of these or only a handful?  Have you determined if they are trying to use like SMTP or are actually trying to log into OWA?  Have you checked the logs of the machine in the DMZ?

Author

Commented:
Hi,

I get this log every like hour or less on Exchange that has Stores,  I see that is trying to call many different services, in this case is :
C:\Program Files\Microsoft\Exchange Server\Bin\EdgeTransport.exe
the other log will be C:\Program Files\Microsoft\Exchange Server\Bin\Store.exe and other services as well.

In Owa (which is on DMZ) I have also checked and I see the IP and the username that is trying to log on, and that is from a User that was terminated which his\her account is disabled, and that's like every 1 minute that is trying to authenticate.
I am running wireshak today if I can find anything that matches with time.
And we also have now E-mails Delaying, and Certificate prompt for Outlook client. I am not sure where are these issues comming from.

But I am not sure why these logs are not showing nothing exept the Username.

Any help will be appreciated very much,

Thank you
Did the user who was terminated have a blackberry or smart phone?  Sounds more like an automated thing going on trying to login.  Wireshark would be a good way to look.  If you can figure out from the DMZ server if they are trying SMTP or a web page like OWA then you can turn on better logging.

Author

Commented:
Yes I think the ip address in log files in OWA from showed Verizon wireless so I agree the user looks like has the IMAP/Pop probably setup in smart phone, but in this case that's not what I am worried about, these exchange logs are scaring me b/c I cannot see where is coming from.

And today looks like is very quiet i have nothing Failure, but could this occur calling Exchange Services from Internal or external? Any idea why there are no information exept the user name which is trying to logon, is it using some software, I have never seen these logs before.

Subject:

Security ID: NETWORK SERVICE

Account Name: XXXXXEX1$

Account Domain: XXX
Logon ID: 0x3e4

Logon Type: 3

Account For Which Logon Failed:

Security ID: NULL SID

Account Name: candy

Account Domain:

Failure Information:

Failure Reason: Unknown user name or bad password.

Status: 0xc000006d

Sub Status: 0xc0000064

Process Information:

Caller Process ID: 0xd88

Caller Process Name: C:\Program Files\Microsoft\Exchange Server\Bin\EdgeTransport.exe

Network Information:

Workstation Name: XXXXXXEX1

Source Network Address: -

Source Port: -

Detailed Authentication Information:

Logon Process: Advapi

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Transited Services: -

Package Name (NTLM only): -

Key Length:

Author

Commented:
How do I turn on Better logging?

Thanks for your help.

Commented:
Hi,

As your OWA is in a DMZ, does the outer firewall show anything?

Regards,


RobMobility
http://www.tech-archive.net/Archive/Windows/microsoft.public.windows.server.sbs/2007-11/msg01095.html

This kinda goes into detail of the same things.  Also I agree with RobMobility, check your firewall or turn up logging on your firewall to see if you can match the events.

Author

Commented:
The solution was partially, but Ideas were great.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial