Solved

security event log

Posted on 2013-01-27
Last Modified: 2013-02-07
Dear Members,

The event log of an Exchange server (which is also a domain controller) recorded some activity that we consider suspicious. Could you please tell me whether these logs belong to an attack (and what type) or not?

Thanks and regards
Question by:oner_hamali
10 Comments
 
LVL 4

Expert Comment

by:milikad
ID: 38824028
what is the event?
0
 

Author Comment

by:oner_hamali
ID: 38824051
Enclosed in the reply, please find the logs.

--------------------------------------------------------------------------------------------


Audit Failure,1/26/2013 7:44:06 PM,Microsoft-Windows-Security-Auditing,4625,Logon,"An account failed to log on.

Subject:
      Security ID:            NULL SID
      Account Name:            -
      Account Domain:            -
      Logon ID:            0x0

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            EXCHANGE$
      Account Domain:            ******************

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xc000006d
      Sub Status:            0xc000006a

Process Information:
      Caller Process ID:      0x0
      Caller Process Name:      -

Network Information:
      Workstation Name:      ******************
      Source Network Address:      ******************
      Source Port:            6841

Detailed Authentication Information:
      Logon Process:            NtLmSsp
      Authentication Package:      NTLM
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

-------------------------------------------------------------------------------------------------------------------

Audit Failure,1/26/2013 7:48:35 PM,Microsoft-Windows-Security-Auditing,5152,Filtering Platform Packet Drop,"The Windows Filtering Platform has blocked a packet.

Application Information:
      Process ID:            0
      Application Name:      -

Network Information:
      Direction:            Inbound
      Source Address:            ******************
      Source Port:            80
      Destination Address:      ******************
      Destination Port:      7002
      Protocol:            6

Filter Information:
      Filter Run-Time ID:      68523
      Layer Name:            ICMP Error
      Layer Run-Time ID:      28"

-----------------------------------------------------------------------------------------------------------------

Audit Failure,1/26/2013 7:48:34 PM,Microsoft-Windows-Security-Auditing,5152,Filtering Platform Packet Drop,"The Windows Filtering Platform has blocked a packet.

Application Information:
      Process ID:            0
      Application Name:      -

Network Information:
      Direction:            Inbound
      Source Address:            ******************
      Source Port:            80
      Destination Address:      ******************
      Destination Port:      6999
      Protocol:            6

Filter Information:
      Filter Run-Time ID:      68523
      Layer Name:            ICMP Error
      Layer Run-Time ID:      28"
logs.txt
0
 
LVL 4

Expert Comment

by:milikad
ID: 38824068
Hi
Event 5152 indicates a packet drop for ICMP.
Check the firewall settings on the server. I am assuming that you have Exchange Server installed on the DC. If Exchange is running on Windows 2008/R2, then ensure that the firewall service is running, and if you have any third-party firewall configured internally, then check with the vendor.
0
 
LVL 4

Expert Comment

by:milikad
ID: 38824074
Check the link below to see whether you have WFP enabled on the server, and disable it; that will help. Event 5152 is seen if WFP is enabled on the server.

Enable IPsec and Windows Firewall Audit Events
http://technet.microsoft.com/en-us/library/cc754714.aspx
0
 
LVL 4

Accepted Solution

by:
milikad earned 1000 total points
ID: 38824088
As far as event 4625 is concerned, it gets logged when accessing Network and Sharing Center, as it tries to check if the guest account is enabled for network access. So it can be ignored.

Additionally you can check this link

http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/ae9da10a-b4d2-4eda-ae6d-ad61b7b6ab79/
0
 

Author Comment

by:oner_hamali
ID: 38824103
Firewall is running for domain, home, work profiles. This has the default settings, and the output from the command is included in the attached file.
audit-policy-output.txt
0
 
LVL 4

Expert Comment

by:milikad
ID: 38824106
Leave the Windows Firewall service running; you can turn off the firewall for all these 3 profiles.
0
 

Author Comment

by:oner_hamali
ID: 38824107
Another log for event 4625 is the following. Does this mean that a person is trying to probe the machine for file sharing or similar services and trying to enter a user name and password?

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          1/26/2013 8:32:55 PM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      ******************
Description:
An account failed to log on.

Subject:
      Security ID:            NULL SID
      Account Name:            -
      Account Domain:            -
      Logon ID:            0x0

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            Administrator
      Account Domain:            *************

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xc000006d
      Sub Status:            0xc000006a

Process Information:
      Caller Process ID:      0x0
      Caller Process Name:      -

Network Information:
      Workstation Name:      ******
      Source Network Address:      ********
      Source Port:            6909

Detailed Authentication Information:
      Logon Process:            NtLmSsp
      Authentication Package:      NTLM
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0
0
 
LVL 4

Expert Comment

by:milikad
ID: 38824258
Check if it is coming from the specific IP only:
Network Information:
      Workstation Name:      ******
      Source Network Address:      ********
      Source Port:            6909
and try to turn off that workstation and check if things are working fine.

Also refer to this:
The Security event that has Event ID 4625 does not contain the user account name on a computer that is running Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2
http://support.microsoft.com/kb/2157973
0
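Following milikad's suggestion to check whether the failures come from one source address only, here is an added example (not from the thread) that parses 4625 event text in the layout shown above and groups failures per source address, so that one workstation repeatedly failing with one account (typically a stale credential, as with the EXCHANGE$ machine account) can be told apart from one source trying many different accounts. The parser is section-aware because a 4625 event carries two "Account Name" fields (Subject and the account that failed); all hosts, addresses and account names in the sample are constructed placeholders, not values from the page.

```python
# Added example (not the thread's code): parse 4625 text laid out as in the thread's logs.
from collections import defaultdict

TEMPLATE = """An account failed to log on.
Subject:
\tAccount Name:\t\t-
Logon Type:\t\t\t3
Account For Which Logon Failed:
\tAccount Name:\t\t{acct}
Failure Information:
\tSub Status:\t\t{sub}
Network Information:
\tWorkstation Name:\t{ws}
\tSource Network Address:\t{src}
"""
# 4625 sub-status codes (documented values; the thread's events all show 0xc000006a).
SUB_STATUS = {"0xc000006a": "wrong password (account exists)", "0xc0000064": "no such user"}

def parse_4625(text):
    """Return {section: {field: value}}; an unindented 'Name:' line opens a section."""
    fields, section = defaultdict(dict), "_top"
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue                      # free-text line, e.g. "An account failed to log on."
        key, value = key.strip(), value.strip()
        if not raw[:1].isspace():         # unindented: section header, or a top-level field
            section = "_top" if value else key
        if value:
            fields[section][key] = value
    return fields

def summarise(events, threshold=5):
    """Per source: count, distinct target accounts, sub-status meanings, heuristic verdict."""
    by_src = defaultdict(lambda: {"count": 0, "accounts": set(), "reasons": set()})
    for text in events:
        ev = parse_4625(text)
        s = by_src[ev["Network Information"].get("Source Network Address", "-")]
        s["count"] += 1
        s["accounts"].add(ev["Account For Which Logon Failed"].get("Account Name", "-"))
        s["reasons"].add(SUB_STATUS.get(ev["Failure Information"].get("Sub Status", "").lower(), "other"))
    for s in by_src.values():
        s["verdict"] = ("low volume" if s["count"] < threshold else "many accounts from one source"
                        if len(s["accounts"]) >= 3 else "one account from one source")
    return dict(by_src)

# Constructed sample (placeholder hosts and addresses, not values from the page).
SAMPLE = ([TEMPLATE.format(acct="Administrator", src="10.0.0.5", ws="WS01", sub="0xc000006a")] * 6
          + [TEMPLATE.format(acct=a, src="10.0.0.9", ws="WS02", sub="0xc0000064") for a in "abcde"]
          + [TEMPLATE.format(acct="EXCHANGE$", src="10.0.0.7", ws="EXCHANGE", sub="0xc000006a")])
```

The "one account from one source" verdict is the pattern milikad describes: find the workstation behind that address and check which stored credential it is still using.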
 

Author Comment

by:oner_hamali
ID: 38865658
Thanks for the help.
0
