rwottowa
asked on
Exchange 2007 attack
We have an Exchange 2007 server that runs on Windows 2003. We have been getting failed login attempts on the server with generic user names like john, carol, support, administrator, admin and so on. It's sometimes a few hundred every day.
The IP address is often different, as well as the source port. The Logon type is always 10 and logon process User32. We have Outlook Web Access enabled on this server, as well as POP3, IMAP4 and Exchange ActiveSync. The server has a self-signed security certificate.
Our firewall is a Cisco ASA 5505. I am trying to find out how they get to our server through the firewall and how this can be blocked. I am not sure of this Exchange or Server 2003 related.
Below is an example of the many events from the security log on the server.
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 12/9/2013
Time: 12:18:16 PM
User: NT AUTHORITY\SYSTEM
Computer: EXCHANGESERVER
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: john
Domain: OURDOMAINNAME
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: EXCHANGESERVER
Caller User Name: EXCHANGESERVER$
Caller Domain: OURDOMAINNAME
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 6948
Transited Services: -
Source Network Address: 61.185.215.189
Source Port: 56841
The IP address is often different, as well as the source port. The Logon type is always 10 and logon process User32. We have Outlook Web Access enabled on this server, as well as POP3, IMAP4 and Exchange ActiveSync. The server has a self-signed security certificate.
Our firewall is a Cisco ASA 5505. I am trying to find out how they get to our server through the firewall and how this can be blocked. I am not sure of this Exchange or Server 2003 related.
Below is an example of the many events from the security log on the server.
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 12/9/2013
Time: 12:18:16 PM
User: NT AUTHORITY\SYSTEM
Computer: EXCHANGESERVER
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: john
Domain: OURDOMAINNAME
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: EXCHANGESERVER
Caller User Name: EXCHANGESERVER$
Caller Domain: OURDOMAINNAME
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 6948
Transited Services: -
Source Network Address: 61.185.215.189
Source Port: 56841
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Something like this has happened to me before in other enviornments i have been exposed to. It is a huge security risk when you have 3389 opened to the outside world. I would think you should be fine now that it is being blocked by the firewall but i would monitor for the next couple of days.
Glad this helped your scenario.
Will.
Glad this helped your scenario.
Will.
ASKER
Closing 3389 (rdp) stopped the attacks right away and no new ones were recorded in the last 24 hours. Thanks again!
ASKER
The IPs came from all over the world like Russia, China, Netherlands, USA and many more. There really isn't a pattern to the origin of these attacks.