Getting Excessive Failed Login Attemps on SBS 2003 Server

For the past 3 days, my security log has been giving me Failure Audits (Logon/Logoff) every minute or so.  The username keeps changing.  I read that OWA could be the source of the failed login attempts, but I turned off Remote Web Access and OWA, and the errors kept coming in the event log.  I also read that Logon Type 3 indicates a network type of login, but we are a small company and nobody here is doing it from their computer.  The "Workstation Name" is the name of our server with SBS on it.   Here's a sample:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            12/29/2011
Time:            11:06:10 AM
User:            NT AUTHORITY\SYSTEM
Computer:      CSM-SBS
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      bass (<--THIS KEEPS CHANGING)
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      MyServerName
       Caller User Name:      MyServerName$
       Caller Domain:      MyDomain
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      6032
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

Any help is appreciated.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Cliff GaliherCommented:
How did you turn off OWA and RWW?
Jason92sAuthor Commented:
I shut down World Wide Web Publishing service.  Read that as a suggestion on another site.
Are these real usernames from your AD domain that keep appearing, or are they completely random and fake?  What other ports do you have open on the server (e.g. FTP, IMAP, POP3, etc...)?  I ask because this could very well be some malicious program that's trying random usernames to authenticate.  
Redefine Your Security with AI & Machine Learning

The implications of AI and machine learning in cyber security are massive and constantly growing, creating both efficiencies and new challenges across the board. Check out our on-demand webinar to learn more about how AI can help your organization!

Jason92sAuthor Commented:
No real usernames so far.  No FTP or POP3, but running IMAP.   Not used for our website, but we do allow remote web access and OWA.
Well it certainly seems then that something is trying to crack it's way in by trying random logins.  Have you already tried running anti-virus or anti-spyware programs on the server?  

Also, you can try running a packet capture program (like Wireshark) to see if some network device is constantly trying to access the server in a suspicious way.
Cliff GaliherCommented:
Shutting down WWW publishing won't prevent IIS from processing login attempts. Instead try turning off the rules that are forwarding ports 80 and 443 from your network edge to your SBS server. Then SBS will not be getting any web based traffic and you can narrow down the cause. If the problem goes away then it does indeed mean someone from outside is bouncing random attempts off RWW/OWA to brute-force hack. The good news is that as long as you have strong password policies enforced, even a brute force attempt would take *years* and hackers will move on to softer targets frist. Those attempts can be safely ignored.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Is the source network address blank in all the entries or have you seen an actual IP listed in some.
It looks as though you may have someone trying to use RDP to hit and log in to your server and as mentioned obviously they could be hitting RWW.
Check your port redirects for 3389 and try shutting it down for a while to see if it continues.
Could also have a compromised desktop within the network that is then trying to remote into the server. verify your network is clean and locked down.
You definitely have someone running an attack against you. Try matching up log entries with firewall/ router logs and it could lead you to the culprit.
If you have the ability on your firewall you can then explicitly block the IP's being used assuming you are able to identify any.
Jason92sAuthor Commented:
Source network address is blank in all entries.  I did notice the usernames started alphabetically with aaron or something like that and stopped and betty yesterday.  Thank you.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.