Farris007 asked on

Event Failure Security concern

Hi,
I have a client that has Exchange 2007 in a private network, and OWA in the DMZ. We are obviously under some kind of brute force or DDoS attack, but I cannot determine where this is coming from; the log is not really showing me much info, as you can see in the log I provided below (XXX marks protect the server name and domain). We use Kaspersky as antivirus.
This attacker is using different usernames, such as Manager, Candy, Power, and so on. But there is no IP or workstation name (except that the log is showing the same server name).

I need help ASAP, any idea will be appreciated.

Thank you very much.

 An account failed to log on.

Subject:
      Security ID:            NETWORK SERVICE
      Account Name:            XXXXXEX1$
      Account Domain:            XXXXX
      Logon ID:            0x3e4

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            power
      Account Domain:            

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xc000006d
      Sub Status:            0xc0000064

Process Information:
      Caller Process ID:      0xd88
      Caller Process Name:      C:\Program Files\Microsoft\Exchange Server\Bin\EdgeTransport.exe

Network Information:
      Workstation Name:      XXXXXEX1
      Source Network Address:      -
      Source Port:            -

Detailed Authentication Information:
      Logon Process:            Advapi  
      Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

Exchange

Last Comment: Farris007, 8/22/2022 - Mon
DMTechGrooup

Are you getting a lot of these or only a handful?  Have you determined if they are trying to use something like SMTP or are actually trying to log into OWA?  Have you checked the logs of the machine in the DMZ?
Farris007

ASKER
Hi,

I get this log every hour or so (or less) on the Exchange server that has the stores. I see that it is trying to call many different services; in this case it is:
C:\Program Files\Microsoft\Exchange Server\Bin\EdgeTransport.exe
The other log will be C:\Program Files\Microsoft\Exchange Server\Bin\Store.exe, and other services as well.

In OWA (which is in the DMZ) I have also checked, and I see the IP and the username that is trying to log on; that is from a user that was terminated, whose account is disabled, and it is trying to authenticate about every minute.
I am running Wireshark today to see if I can find anything that matches the times.
And we also now have e-mails delaying, and a certificate prompt for Outlook clients. I am not sure where these issues are coming from.

But I am not sure why these logs are not showing anything except the username.

Any help will be appreciated very much,

Thank you
DMTechGrooup

Did the user who was terminated have a blackberry or smart phone?  Sounds more like an automated thing going on trying to login.  Wireshark would be a good way to look.  If you can figure out from the DMZ server if they are trying SMTP or a web page like OWA then you can turn on better logging.
Farris007

ASKER
Yes, I think the IP address in the OWA log files showed Verizon Wireless, so I agree the user probably has IMAP/POP set up on a smartphone, but in this case that's not what I am worried about; these Exchange logs are scaring me b/c I cannot see where it is coming from.

And today looks very quiet, I have no failures, but could this occur from something calling Exchange services internally or externally? Any idea why there is no information except the username which is trying to log on? Is it using some software? I have never seen these logs before.

Subject:
      Security ID:            NETWORK SERVICE
      Account Name:            XXXXXEX1$
      Account Domain:            XXX
      Logon ID:            0x3e4

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            candy
      Account Domain:

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xc000006d
      Sub Status:            0xc0000064

Process Information:
      Caller Process ID:      0xd88
      Caller Process Name:      C:\Program Files\Microsoft\Exchange Server\Bin\EdgeTransport.exe

Network Information:
      Workstation Name:      XXXXXXEX1
      Source Network Address:      -
      Source Port:            -

Detailed Authentication Information:
      Logon Process:            Advapi
      Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:
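An added triage example (not code from the thread or from Exchange) that parses 4625 text in the layout pasted above and in the question, keeps the Subject and target "Account Name" lines apart, and groups failures by the caller process so that name guessing against accounts that do not exist (Sub Status 0xc0000064) stands out from a stale client retrying a disabled account (0xc0000072). The sample events, the EXSRV1 server name, the w3wp.exe event and the 203.0.113.7 address are constructed placeholders.

```python
import re
from collections import Counter, defaultdict
# Constructed sample in the layout pasted in the thread; all names and addresses are placeholders.
EVENT_TEMPLATE = """An account failed to log on.
Subject:
\tAccount Name:\t\tEXSRV1$
Account For Which Logon Failed:
\tAccount Name:\t\t{user}
Failure Information:
\tSub Status:\t\t{sub}
Process Information:
\tCaller Process Name:\t{proc}
Network Information:
\tSource Network Address:\t{ip}
"""
EDGE = r"C:\Program Files\Microsoft\Exchange Server\Bin\EdgeTransport.exe"
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"  # IIS worker process (OWA); constructed sample only
SAMPLE_LOG = "".join(EVENT_TEMPLATE.format(user=u, sub=s, proc=p, ip=i) for u, s, p, i in [
    ("power", "0xc0000064", EDGE, "-"), ("candy", "0xc0000064", EDGE, "-"),
    ("manager", "0xc0000064", EDGE, "-"), ("jdoe", "0xc0000072", W3WP, "203.0.113.7")])
# NTSTATUS sub-status: a non-existent name is a guess; a disabled account usually means a stale client.
SUBSTATUS = {"0xc0000064": "user does not exist", "0xc000006a": "bad password", "0xc0000072": "account disabled"}
SECTION_RE = re.compile(r"^(\S[^:]*):\s*$")    # section header, e.g. "Network Information:"
FIELD_RE = re.compile(r"^\s+([^:]+):\s*(.*)$")  # indented field, e.g. "\tSub Status:\t0xc0000064"
def parse_events(text):
    """Split pasted 4625 text into dicts keyed 'Section/Field', keeping the two 'Account Name' lines apart."""
    events, section = [], None
    for line in text.splitlines():
        if line.lstrip().startswith("An account failed to log on."):
            events.append({}); section = None
        elif events and (m := SECTION_RE.match(line)):
            section = m.group(1)
        elif events and section and (m := FIELD_RE.match(line)):
            events[-1][f"{section}/{m.group(1).strip()}"] = m.group(2).strip()
    return events
def triage(events):
    """Group failures by the service that made the logon call and flag name-guessing sprays."""
    by_proc = defaultdict(list)
    for e in events:
        by_proc[e.get("Process Information/Caller Process Name", "?").rsplit("\\", 1)[-1]].append(e)
    report = {}
    for proc, evs in by_proc.items():
        users = sorted({e.get("Account For Which Logon Failed/Account Name", "?") for e in evs})
        reasons = Counter(SUBSTATUS.get(e.get("Failure Information/Sub Status", "").lower(), "other") for e in evs)
        no_ip = sum(e.get("Network Information/Source Network Address", "-") == "-" for e in evs)
        # Distinct non-existent names from one service with no address in the Security log: check that service's own protocol log.
        report[proc] = {"count": len(evs), "users": users, "reasons": dict(reasons), "no_source_ip": no_ip,
                        "likely_spray": reasons["user does not exist"] >= 3 and len(users) >= 3}
    return report
```

When a local service authenticates on a client's behalf (Logon Process Advapi), 4625 records the server itself as the workstation and no source address, which is why the caller process is the useful pivot: it tells you which service's own protocol log (SMTP receive log for EdgeTransport.exe, IIS log for w3wp.exe) holds the remote address.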

Farris007

ASKER
How do I turn on better logging?

Thanks for your help.
Rob Knight

Hi,

As your OWA is in a DMZ, does the outer firewall show anything?

Regards,


RobMobility
ASKER CERTIFIED SOLUTION
DMTechGrooup

Farris007

ASKER
The solution was partial, but the ideas were great.