Solved

security event log

Posted on 2013-01-27
10
885 Views
Last Modified: 2013-02-07
Dear Members,

Event log belonging to a exchange server (and a domain controller) recorded some activity which we consider as suspicious. Could you please tell me whether these logs belong to an attack (what type) or not.

Thanks and regards
0
Comment
Question by:oner_hamali
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 4
10 Comments
 
LVL 4

Expert Comment

by:milikad
ID: 38824028
what is the event?
0
 

Author Comment

by:oner_hamali
ID: 38824051
Enclosed in the reply, please find the logs.

--------------------------------------------------------------------------------------------


Audit Failure,1/26/2013 7:44:06 PM,Microsoft-Windows-Security-Auditing,4625,Logon,"An account failed to log on.

Subject:
      Security ID:            NULL SID
      Account Name:            -
      Account Domain:            -
      Logon ID:            0x0

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            EXCHANGE$
      Account Domain:            ******************

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xc000006d
      Sub Status:            0xc000006a

Process Information:
      Caller Process ID:      0x0
      Caller Process Name:      -

Network Information:
      Workstation Name:      ******************
      Source Network Address:      ******************
      Source Port:            6841

Detailed Authentication Information:
      Logon Process:            NtLmSsp
      Authentication Package:      NTLM
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

-------------------------------------------------------------------------------------------------------------------

Audit Failure,1/26/2013 7:48:35 PM,Microsoft-Windows-Security-Auditing,5152,Filtering Platform Packet Drop,"The Windows Filtering Platform has blocked a packet.

Application Information:
      Process ID:            0
      Application Name:      -

Network Information:
      Direction:            Inbound
      Source Address:            ******************
      Source Port:            80
      Destination Address:      ******************
      Destination Port:      7002
      Protocol:            6

Filter Information:
      Filter Run-Time ID:      68523
      Layer Name:            ICMP Error
      Layer Run-Time ID:      28"

-----------------------------------------------------------------------------------------------------------------

Audit Failure,1/26/2013 7:48:34 PM,Microsoft-Windows-Security-Auditing,5152,Filtering Platform Packet Drop,"The Windows Filtering Platform has blocked a packet.

Application Information:
      Process ID:            0
      Application Name:      -

Network Information:
      Direction:            Inbound
      Source Address:            ******************
      Source Port:            80
      Destination Address:      ******************
      Destination Port:      6999
      Protocol:            6

Filter Information:
      Filter Run-Time ID:      68523
      Layer Name:            ICMP Error
      Layer Run-Time ID:      28"
logs.txt
0
 
LVL 4

Expert Comment

by:milikad
ID: 38824068
Hi
Event 5152 is indicating packet drop for ICMP
Check the firewall settings on the server. I  am assuming that you have exchange server installed on DC. If Exchnage is running on windows 2008/R2, then ensure that firewall service is running and if you have any third party firewall configured internally then check with the vendor
0
Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 
LVL 4

Expert Comment

by:milikad
ID: 38824074
Check below link to check if you have WFP enabled on the server and disable the same and it will help. Event 5152 is seen if we have WFP enabled on the server

Enable IPsec and Windows Firewall Audit Events
http://technet.microsoft.com/en-us/library/cc754714.aspx
0
 
LVL 4

Accepted Solution

by:
milikad earned 500 total points
ID: 38824088
As far as event 4625 is concern it gets logged when access network and sharing center as it tries to check if guest account is enabled for network access. So can be ignored.

Additionally you can check this link

http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/ae9da10a-b4d2-4eda-ae6d-ad61b7b6ab79/
0
 

Author Comment

by:oner_hamali
ID: 38824103
Firewall is running for domain, home, work profiles. This has the default settings, and the output from the command is included in the attached file.
audit-policy-output.txt
0
 
LVL 4

Expert Comment

by:milikad
ID: 38824106
Let the windows firewall service be running, you can turn off firewall for all these 3 profiles
0
 

Author Comment

by:oner_hamali
ID: 38824107
Another log for event 4625 is the following. Does this entail that a person is trying to probe the machine for file sharing or similar services and trying  to enter user name and password.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          1/26/2013 8:32:55 PM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      ******************
Description:
An account failed to log on.

Subject:
      Security ID:            NULL SID
      Account Name:            -
      Account Domain:            -
      Logon ID:            0x0

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            Administrator
      Account Domain:            *************

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xc000006d
      Sub Status:            0xc000006a

Process Information:
      Caller Process ID:      0x0
      Caller Process Name:      -

Network Information:
      Workstation Name:      ******
      Source Network Address:      ********
      Source Port:            6909

Detailed Authentication Information:
      Logon Process:            NtLmSsp
      Authentication Package:      NTLM
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0
0
 
LVL 4

Expert Comment

by:milikad
ID: 38824258
Check if if is coming from the specific IP only
Network Information:
      Workstation Name:      ******
      Source Network Address:      ********
      Source Port:            6909
and try to turn off that workstation and check if things are working fine.

even refer this,
The Security event that has Event ID 4625 does not contain the user account name on a computer that is running Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2
http://support.microsoft.com/kb/2157973
0
 

Author Comment

by:oner_hamali
ID: 38865658
Thanks for the help.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In-place Upgrading Dirsync to Azure AD Connect
If you troubleshoot Outlook for clients, you may want to know a bit more about the OST file before doing your next job. IMAP can cause a lot of drama if removed in the accounts without backing up.
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question