I am running an SBS 2003 server.
I am getting several login failures every day.
The user accounts do not exist on our domain.
Reason: Unknown user name or bad password
User Name: office
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER
Caller User Name: SERVER$
Caller Domain: xxxxxxx
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 27500
Transited Services: -
Source Network Address: -
The alerts are very similar except for the username; they are basic names like ftp, webadmin, fax.
We were getting even more and varied alerts until I removed RDP at the server and blocked it at the firewall.
Furthermore, a few months ago there was an issue where the Exchange server was sending out hundreds of thousands of spam emails, because someone hijacked it. That issue is resolved.
I've run Malwarebytes and Trend Micro scans but didn't find anything.
Finally, I did notice a random user profile folder and AD user that was just 4 numbers. In the download folder within the profile there was hacking software. I have disabled that user.
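
One way to triage a batch of these failure records, as an added example that is not part of the original post: it parses events exported as text in the field layout shown above, groups them by logon process, caller process ID and source address, and lists the caller PIDs of records that carry no remote address. The function names, the second caller PID (4120), the `admin` user name and the 192.0.2.10 address are constructed sample values.

```python
import re
from collections import Counter, defaultdict

def record(user, pid="27500", src="-"):
    """Build one constructed failure record in the layout shown in the post."""
    return ("Reason: Unknown user name or bad password\n"
            f"User Name: {user}\nLogon Type: 3\nLogon Process: Advapi\n"
            f"Caller User Name: SERVER$\nCaller Logon ID: (0x0,0x3E7)\n"
            f"Caller Process ID: {pid}\nSource Network Address: {src}\n")

# Constructed sample input: five records shaped like the one in the post,
# plus one with a made-up PID and a documentation-range address.
SAMPLE = "".join([record("office"), record("ftp"), record("webadmin"),
                  record("fax"), record("ftp"),
                  record("admin", pid="4120", src="192.0.2.10")])

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")

def parse_events(text):
    """Split exported event text into dicts; each 'Reason' line starts a record."""
    events, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # skip blank lines and anything that is not 'Field: value'
        key, value = m.groups()
        if key == "Reason":
            current = {}
            events.append(current)
        if current is not None:
            current[key] = value
    return events

def summarize(events):
    """Count user names tried per (logon process, caller PID, source address)."""
    groups = defaultdict(Counter)
    for ev in events:
        key = (ev.get("Logon Process", "?"), ev.get("Caller Process ID", "?"),
               ev.get("Source Network Address", "?"))
        groups[key][ev.get("User Name", "?")] += 1
    return groups

def local_callers(groups):
    """Caller PIDs of groups with no source address recorded in the event."""
    return sorted({pid for (_, pid, src) in groups if src in ("-", "")})

if __name__ == "__main__":
    for key, users in summarize(parse_events(SAMPLE)).items():
        print(key, dict(users))
    print("PIDs to look up on the server:", local_callers(summarize(parse_events(SAMPLE))))
```

Where the event records no source address, the Caller Process ID is the remaining lead: looking it up in the server's process list while the process is still running shows which service submitted the failed logons.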