Solved

security event log

Posted on 2013-01-27
10
842 Views
Last Modified: 2013-02-07
Dear Members,

Event log belonging to a exchange server (and a domain controller) recorded some activity which we consider as suspicious. Could you please tell me whether these logs belong to an attack (what type) or not.

Thanks and regards
0
Comment
Question by:oner_hamali
  • 6
  • 4
10 Comments
 
LVL 4

Expert Comment

by:milikad
ID: 38824028
what is the event?
0
 

Author Comment

by:oner_hamali
ID: 38824051
Enclosed in the reply, please find the logs.

--------------------------------------------------------------------------------------------


Audit Failure,1/26/2013 7:44:06 PM,Microsoft-Windows-Security-Auditing,4625,Logon,"An account failed to log on.

Subject:
      Security ID:            NULL SID
      Account Name:            -
      Account Domain:            -
      Logon ID:            0x0

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            EXCHANGE$
      Account Domain:            ******************

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xc000006d
      Sub Status:            0xc000006a

Process Information:
      Caller Process ID:      0x0
      Caller Process Name:      -

Network Information:
      Workstation Name:      ******************
      Source Network Address:      ******************
      Source Port:            6841

Detailed Authentication Information:
      Logon Process:            NtLmSsp
      Authentication Package:      NTLM
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

-------------------------------------------------------------------------------------------------------------------

Audit Failure,1/26/2013 7:48:35 PM,Microsoft-Windows-Security-Auditing,5152,Filtering Platform Packet Drop,"The Windows Filtering Platform has blocked a packet.

Application Information:
      Process ID:            0
      Application Name:      -

Network Information:
      Direction:            Inbound
      Source Address:            ******************
      Source Port:            80
      Destination Address:      ******************
      Destination Port:      7002
      Protocol:            6

Filter Information:
      Filter Run-Time ID:      68523
      Layer Name:            ICMP Error
      Layer Run-Time ID:      28"

-----------------------------------------------------------------------------------------------------------------

Audit Failure,1/26/2013 7:48:34 PM,Microsoft-Windows-Security-Auditing,5152,Filtering Platform Packet Drop,"The Windows Filtering Platform has blocked a packet.

Application Information:
      Process ID:            0
      Application Name:      -

Network Information:
      Direction:            Inbound
      Source Address:            ******************
      Source Port:            80
      Destination Address:      ******************
      Destination Port:      6999
      Protocol:            6

Filter Information:
      Filter Run-Time ID:      68523
      Layer Name:            ICMP Error
      Layer Run-Time ID:      28"
logs.txt
0
 
LVL 4

Expert Comment

by:milikad
ID: 38824068
Hi
Event 5152 is indicating packet drop for ICMP
Check the firewall settings on the server. I  am assuming that you have exchange server installed on DC. If Exchnage is running on windows 2008/R2, then ensure that firewall service is running and if you have any third party firewall configured internally then check with the vendor
0
 
LVL 4

Expert Comment

by:milikad
ID: 38824074
Check below link to check if you have WFP enabled on the server and disable the same and it will help. Event 5152 is seen if we have WFP enabled on the server

Enable IPsec and Windows Firewall Audit Events
http://technet.microsoft.com/en-us/library/cc754714.aspx
0
 
LVL 4

Accepted Solution

by:
milikad earned 500 total points
ID: 38824088
As far as event 4625 is concern it gets logged when access network and sharing center as it tries to check if guest account is enabled for network access. So can be ignored.

Additionally you can check this link

http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/ae9da10a-b4d2-4eda-ae6d-ad61b7b6ab79/
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 

Author Comment

by:oner_hamali
ID: 38824103
Firewall is running for domain, home, work profiles. This has the default settings, and the output from the command is included in the attached file.
audit-policy-output.txt
0
 
LVL 4

Expert Comment

by:milikad
ID: 38824106
Let the windows firewall service be running, you can turn off firewall for all these 3 profiles
0
 

Author Comment

by:oner_hamali
ID: 38824107
Another log for event 4625 is the following. Does this entail that a person is trying to probe the machine for file sharing or similar services and trying  to enter user name and password.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          1/26/2013 8:32:55 PM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      ******************
Description:
An account failed to log on.

Subject:
      Security ID:            NULL SID
      Account Name:            -
      Account Domain:            -
      Logon ID:            0x0

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            Administrator
      Account Domain:            *************

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xc000006d
      Sub Status:            0xc000006a

Process Information:
      Caller Process ID:      0x0
      Caller Process Name:      -

Network Information:
      Workstation Name:      ******
      Source Network Address:      ********
      Source Port:            6909

Detailed Authentication Information:
      Logon Process:            NtLmSsp
      Authentication Package:      NTLM
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0
0
 
LVL 4

Expert Comment

by:milikad
ID: 38824258
Check if if is coming from the specific IP only
Network Information:
      Workstation Name:      ******
      Source Network Address:      ********
      Source Port:            6909
and try to turn off that workstation and check if things are working fine.

even refer this,
The Security event that has Event ID 4625 does not contain the user account name on a computer that is running Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2
http://support.microsoft.com/kb/2157973
0
 

Author Comment

by:oner_hamali
ID: 38865658
Thanks for the help.
0

Featured Post

Will my email signature work in Office 365?

You've built an email signature using raw HTML code in Office 365, but you can't review how it looks with Transport Rules. So you have to test it over and over again before it can be used. Isn't this a bit of a waste of your time? Wouldn't a WYSIWYG editor make it a lot easier?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

OfficeMate Freezes on login or does not load after login credentials are input.
Marketers need statistics and metrics like everybody else needs oxygen. In this article we explain how to enable marketing campaign statistics for Microsoft Exchange mail.
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
This video discusses moving either the default database or any database to a new volume.

912 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now