Farris007
asked on
Event Failure Security concern
Hi
I have a client that has Exchange 2007 in a private network, and OWA1 in the DMZ. We are obviously under some kind of brute force or DDOS attack, but I cannot determine where this is coming from; the log is not really showing me much info, as in the log I provided below (XXX marks are for protection of the server name and domain). We use Kaspersky as Antivirus.
This attacker is using different usernames, such as Manager, Candy, Power, and so on. But there is no IP or workstation name (except the log is showing the same server name).
I need help ASAP; any idea will be appreciated.
Thank you very much.
An account failed to log on.
Subject:
Security ID: NETWORK SERVICE
Account Name: XXXXXEX1$
Account Domain: XXXXX
Logon ID: 0x3e4
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: power
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064
Process Information:
Caller Process ID: 0xd88
Caller Process Name: C:\Program Files\Microsoft\Exchange Server\Bin\EdgeTransport.exe
Network Information:
Workstation Name: XXXXXEX1
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
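One way to triage a batch of these 4625 events, as an added example that is not from the original thread, from Microsoft or from Kaspersky: a small Python script that parses the event text in the layout shown above, decodes the sub-status, reduces the caller process to its file name, and counts how many distinct nonexistent usernames each Exchange process has tried. The sample events, the EXAMPLE-EX1 server name, the install paths and the guessing threshold are all constructed or assumed. Two things it makes explicit about the posted events: Logon Process "Advapi" together with Source Network Address "-" means the Exchange service itself asked Windows to validate credentials on behalf of a client it was talking to, so the Security log never records that client's address, and Sub Status 0xC0000064 means the account does not exist at all, which is why a run of names like power and candy reads as blind guessing rather than a stale client retrying one mailbox.

```python
# Added example: triage Windows 4625 logon-failure events raised through Exchange
# services. Sample events are constructed in the layout the thread shows.
import ntpath

# Sub-status values documented for event 4625 (well-known NTSTATUS codes).
SUBSTATUS = {"0xc0000064": "user name does not exist",
             "0xc000006a": "correct user name, wrong password",
             "0xc0000072": "account disabled"}
# Section headers of the event body; any other "Key: value" line is a field.
SECTIONS = {"Subject", "Account For Which Logon Failed", "Failure Information",
            "Process Information", "Network Information",
            "Detailed Authentication Information"}
EVENT_START = "An account failed to log on."
# Caller paths (assumed typical install locations, not taken from the thread).
EDGE = r"C:\Program Files\Microsoft\Exchange Server\Bin\EdgeTransport.exe"
STORE = r"C:\Program Files\Microsoft\Exchange Server\Bin\Store.exe"
IIS = r"C:\Windows\System32\inetsrv\w3wp.exe"

EVENT_TEMPLATE = """\
An account failed to log on.
Subject:
Security ID: NETWORK SERVICE
Account Name: EXAMPLE-EX1$
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: {user}
Account Domain:
Failure Information:
Sub Status: {substatus}
Process Information:
Caller Process Name: {process}
Network Information:
Source Network Address: {source}
Detailed Authentication Information:
Logon Process: {logon_process}
"""
# Constructed sample: three nonexistent names via EdgeTransport.exe with no source
# address, one via Store.exe, and one wrong-password failure via IIS (OWA) that
# does carry the client address (203.0.113.7 is a documentation-range address).
SAMPLE_LOG = "".join(
    EVENT_TEMPLATE.format(user=u, substatus=s, process=p, source=a, logon_process=l)
    for u, s, p, a, l in [("power", "0xc0000064", EDGE, "-", "Advapi"),
                          ("candy", "0xc0000064", EDGE, "-", "Advapi"),
                          ("manager", "0xc0000064", EDGE, "-", "Advapi"),
                          ("power", "0xc0000064", STORE, "-", "Advapi"),
                          ("jsmith", "0xc000006a", IIS, "203.0.113.7", "NtLmSsp")])


def parse_events(text):
    """Split an event dump into per-event {section: {field: value}} dicts; keys such
    as "Account Name" repeat across sections, so the current header is tracked."""
    events, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == EVENT_START:
            current, section = {}, None
            events.append(current)
        elif current is not None and ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            if key in SECTIONS and not value:   # header line such as "Subject:"
                section = key
            else:                               # field line, value may be empty
                current.setdefault(section, {})[key] = value
    return events


def classify(event):
    """Pull out the fields a defender needs and decode the sub-status."""
    def get(sec, key, default=""):
        return event.get(sec, {}).get(key, default)
    substatus = get("Failure Information", "Sub Status").lower()
    return {
        "user": get("Account For Which Logon Failed", "Account Name"),
        "substatus": substatus,
        "reason": SUBSTATUS.get(substatus, "other (%s)" % substatus),
        "process": ntpath.basename(get("Process Information", "Caller Process Name")),
        # "-" together with Logon Process "Advapi" means the service itself asked
        # Windows to validate the credentials for a client it is talking to, so
        # the Security log has no network peer to record.
        "source": get("Network Information", "Source Network Address", "-"),
        "logon_process": get("Detailed Authentication Information", "Logon Process"),
    }


def summarize(failures, unknown_threshold=3):
    """Per caller process: counts and a guessing verdict (threshold is assumed)."""
    by_proc = {}
    for f in failures:
        by_proc.setdefault(f["process"], []).append(f)
    report = {}
    for proc, fs in by_proc.items():
        unknown = {f["user"] for f in fs if f["substatus"] == "0xc0000064"}
        report[proc] = {
            "attempts": len(fs),
            "unknown_users": unknown,
            "no_source": sum(1 for f in fs if f["source"] in ("", "-")),
            # Many distinct names that do not exist at all points to blind
            # credential guessing rather than a stale client retrying one account.
            "likely_guessing": len(unknown) >= unknown_threshold,
        }
    return report


if __name__ == "__main__":
    for proc, r in sorted(summarize(classify(e) for e in parse_events(SAMPLE_LOG)).items()):
        print(f"{proc}: {r['attempts']} failures, {len(r['unknown_users'])} nonexistent "
              f"names, {r['no_source']} without source address, guessing={r['likely_guessing']}")
```

Because the Security log carries no client address for these application-requested logons, the address has to come from the service that accepted the connection: for EdgeTransport.exe that is the SMTP receive connector's protocol log (on Exchange 2007, `Set-ReceiveConnector -ProtocolLoggingLevel Verbose` enables it; this is general Exchange knowledge, not something the thread states), and for OWA it is the IIS log on the DMZ server, which is where the asker later found an IP.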
Are you getting a lot of these or only a handful? Have you determined if they are trying to use SMTP or are actually trying to log into OWA? Have you checked the logs of the machine in the DMZ?
ASKER
Hi,
I get this log every hour or less on the Exchange server that has the Stores. I see that it is trying to call many different services; in this case it is:
C:\Program Files\Microsoft\Exchange Server\Bin\EdgeTransport.exe
the other log will be C:\Program Files\Microsoft\Exchange Server\Bin\Store.exe and other services as well.
In OWA (which is in the DMZ) I have also checked, and I see the IP and the username that is trying to log on, and that is from a user who was terminated and whose account is disabled, and it is trying to authenticate about every minute.
I am running Wireshark today to see if I can find anything that matches the time.
And we also now have e-mails delaying, and a certificate prompt for the Outlook client. I am not sure where these issues are coming from.
But I am not sure why these logs are not showing anything except the username.
Any help will be appreciated very much,
Thank you
Did the user who was terminated have a blackberry or smart phone? Sounds more like an automated thing going on trying to login. Wireshark would be a good way to look. If you can figure out from the DMZ server if they are trying SMTP or a web page like OWA then you can turn on better logging.
ASKER
Yes, I think the IP address in the OWA log files showed Verizon Wireless, so I agree the user probably has IMAP/POP set up on a smartphone, but in this case that's not what I am worried about; these Exchange logs are scaring me because I cannot see where this is coming from.
And today it looks very quiet, I have no failures, but could this occur from calling Exchange services internally or externally? Any idea why there is no information except the username which is trying to log on? Is it using some software? I have never seen these logs before.
Subject:
Security ID: NETWORK SERVICE
Account Name: XXXXXEX1$
Account Domain: XXX
Logon ID: 0x3e4
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: candy
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064
Process Information:
Caller Process ID: 0xd88
Caller Process Name: C:\Program Files\Microsoft\Exchange Server\Bin\EdgeTransport.exe
Network Information:
Workstation Name: XXXXXXEX1
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services: -
Package Name (NTLM only): -
Key Length:
ASKER
How do I turn on Better logging?
Thanks for your help.
Hi,
As your OWA is in a DMZ, does the outer firewall show anything?
Regards,
RobMobility
ASKER CERTIFIED SOLUTION
ASKER
The solution was partially, but Ideas were great.