Jason92s
asked on
Getting Excessive Failed Login Attempts on SBS 2003 Server
For the past 3 days, my security log has been giving me Failure Audits (Logon/Logoff) every minute or so. The username keeps changing. I read that OWA could be the source of the failed login attempts, but I turned off Remote Web Access and OWA, and the errors kept coming in the event log. I also read that Logon Type 3 indicates a network type of login, but we are a small company and nobody here is doing it from their computer. The "Workstation Name" is the name of our server with SBS on it. Here's a sample:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 12/29/2011
Time: 11:06:10 AM
User: NT AUTHORITY\SYSTEM
Computer: CSM-SBS
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: bass (<--THIS KEEPS CHANGING)
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: MyServerName
Caller User Name: MyServerName$
Caller Domain: MyDomain
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 6032
Transited Services: -
Source Network Address: -
Source Port: -
Any help is appreciated.
How did you turn off OWA and RWW?
ASKER
I shut down World Wide Web Publishing service. Read that as a suggestion on another site.
Are these real usernames from your AD domain that keep appearing, or are they completely random and fake? What other ports do you have open on the server (e.g. FTP, IMAP, POP3, etc...)? I ask because this could very well be some malicious program that's trying random usernames to authenticate.
ASKER
No real usernames so far. No FTP or POP3, but running IMAP. Not used for our website, but we do allow remote web access and OWA.
Well, it certainly seems then that something is trying to crack its way in by trying random logins. Have you already tried running anti-virus or anti-spyware programs on the server?
Also, you can try running a packet capture program (like Wireshark) to see if some network device is constantly trying to access the server in a suspicious way.
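Before reaching for Wireshark, the 529 events themselves already carry the clues worth checking: the Caller Logon ID (0x0,0x3E7) is the well-known logon ID of the local SYSTEM account, the Caller Process ID says which process on the server is calling the logon API, and the usernames marching through the alphabet are the signature of a wordlist attack. The script below is an added example, not code from the thread or from Microsoft: it parses a text export of 529 events laid out like the one in the question, groups the failures by calling process, and reports whether the names are alphabetical, whether any of them are real accounts (the question one of the answers asks), and whether the caller is SYSTEM with no source address. The log text, the PIDs and the "known users" set are constructed for the example.

```python
import re
from collections import OrderedDict

# Well-known logon ID of the local SYSTEM account (LUID 0x3E7 = 999).
SYSTEM_LOGON_ID = "(0x0,0x3E7)"

# Constructed sample in the same layout as the posted 529 event (not real log data).
# Four failures from one local process (PID 6032, an assumed value) plus one
# ordinary failed network logon from a workstation, for contrast.
SAMPLE_LOG = """\
Event ID: 529
Time: 11:06:10 AM
User Name: aaron
Domain:
Logon Type: 3
Logon Process: Advapi
Workstation Name: MyServerName
Caller User Name: MyServerName$
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 6032
Source Network Address: -

Event ID: 529
Time: 11:07:12 AM
User Name: abby
Domain:
Logon Type: 3
Logon Process: Advapi
Workstation Name: MyServerName
Caller User Name: MyServerName$
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 6032
Source Network Address: -

Event ID: 529
Time: 11:08:15 AM
User Name: adam
Domain:
Logon Type: 3
Logon Process: Advapi
Workstation Name: MyServerName
Caller User Name: MyServerName$
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 6032
Source Network Address: -

Event ID: 529
Time: 11:09:20 AM
User Name: betty
Domain:
Logon Type: 3
Logon Process: Advapi
Workstation Name: MyServerName
Caller User Name: MyServerName$
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 6032
Source Network Address: -

Event ID: 529
Time: 11:09:45 AM
User Name: jason
Domain: MyDomain
Logon Type: 3
Logon Process: NtLmSsp
Workstation Name: JASON-PC
Caller User Name: -
Caller Logon ID: -
Caller Process ID: -
Source Network Address: 192.168.1.23
"""

# "Field Name: value" lines; the value may be empty (e.g. "Domain:").
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+):\s*(.*?)\s*$")


def parse_events(text):
    """Split exported log text into one dict per 529 event (events are blank-line separated)."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                rec[m.group(1).strip()] = m.group(2)
        if rec.get("Event ID") == "529":
            events.append(rec)
    return events


def analyze(events, known_users, min_failures=3):
    """Group 529s by (caller PID, caller account) and describe groups that look like a wordlist attack."""
    groups = OrderedDict()
    for ev in events:
        key = (ev.get("Caller Process ID", "-"), ev.get("Caller User Name", "-"))
        groups.setdefault(key, []).append(ev)
    known = {u.lower() for u in known_users}
    findings = []
    for (pid, caller), evs in groups.items():
        if len(evs) < min_failures:
            continue  # a handful of typos is not an attack
        names = [e.get("User Name", "").lower() for e in evs]
        findings.append({
            "caller_pid": pid,
            "caller_user": caller,
            "failures": len(evs),
            "distinct_users": len(set(names)),
            # Names arriving in sorted order is the wordlist signature the asker noticed.
            "alphabetical": names == sorted(names),
            "real_accounts_hit": sorted(set(names) & known),
            # Caller is the local SYSTEM account, i.e. a service on the server itself.
            "local_system_caller": all(e.get("Caller Logon ID") == SYSTEM_LOGON_ID for e in evs),
            # Advapi LogonUser calls from a local service carry no source address.
            "source_blank": all(e.get("Source Network Address", "-") == "-" for e in evs),
        })
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_events(SAMPLE_LOG), {"jason", "mary"}):
        print(finding)
```

A finding with local_system_caller true, source blank and an alphabetical run of names that hit no real accounts points at a service on the server calling LogonUser on behalf of an unauthenticated client (IMAP with basic auth or an IIS application, for example), not at a workstation on the LAN. The next step on the server itself is to resolve the Caller Process ID while the events are still arriving, e.g. tasklist /FI "PID eq 6032" /SVC, since PIDs are reused after a restart.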
ASKER CERTIFIED SOLUTION
SOLUTION
ASKER
Source network address is blank in all entries. I did notice the usernames started alphabetically with aaron or something like that and stopped at betty yesterday. Thank you.