Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Exchange 2007 attack

Posted on 2013-12-09
4
Medium Priority
?
290 Views
Last Modified: 2013-12-11
We have an Exchange 2007 server that runs on Windows 2003.  We have been getting failed login attempts on the server with generic user names like john, carol, support, administrator, admin and so on.  It's sometimes a few hundred every day.

The IP address is often different, as well as the source port.  The Logon type is always 10 and logon process User32.  We have Outlook Web Access enabled on this server, as well as POP3, IMAP4 and Exchange ActiveSync.  The server has a self-signed security certificate.

Our firewall is a Cisco ASA 5505.  I am trying to find out how they get to our server through the firewall and how this can be blocked.  I am not sure of this Exchange or Server 2003 related.

Below is an example of the many events from the security log on the server.

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            12/9/2013
Time:            12:18:16 PM
User:            NT AUTHORITY\SYSTEM
Computer:      EXCHANGESERVER
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      john
       Domain:            OURDOMAINNAME
       Logon Type:      10
       Logon Process:      User32  
       Authentication Package:      Negotiate
       Workstation Name:      EXCHANGESERVER
       Caller User Name:      EXCHANGESERVER$
       Caller Domain:      OURDOMAINNAME
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      6948
       Transited Services:      -
       Source Network Address:      61.185.215.189
       Source Port:      56841
0
Comment
Question by:rwottowa
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 2000 total points
ID: 39707408
As you have posted in your question the IP is coming from a Public IP source. I have used whatismyipaddress.com to look this IP up and it appears that 61.185.215.189 is a public IP from China.

This is more then likely an attempt to hack your system. You might want to check your firewall and see what services are open. If you have something like 3389 (rdp) or something open on your Exchange server this can create a security hold which will allow users to attempt access on your machines.

You can also use whatismyipaddress.com and put your own external IP address in there and it will discover what "services" are enabled.

Will.
0
 

Author Comment

by:rwottowa
ID: 39709960
Thanks Will, that was helpful.  I checked the firewall access rules and port 3389 was open to the email server.  It is disabled now so I'll monitor it closely and see if the attacks stop.

The IPs came from all over the world like Russia, China, Netherlands, USA and many more.   There really isn't a pattern to the origin of these attacks.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39709975
Something like this has happened to me before in other enviornments i have been exposed to. It is a huge security risk when you have 3389 opened to the outside world. I would think you should be fine now that it is being blocked by the firewall but i would monitor for the next couple of days.

Glad this helped your scenario.

Will.
0
 

Author Closing Comment

by:rwottowa
ID: 39712302
Closing 3389 (rdp) stopped the attacks right away and no new ones were recorded in the last 24 hours.  Thanks again!
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A couple of months ago we ran into an issue that necessitated re-creating our Edge Subscriptions. However, when we attempted to execute the command: New-EdgeSubscription -filename C:\NewEdgeSub_01.xml we received an error indicating that the LDAP se…
With so many activities to perform, Exchange administrators are always busy in organizations. If everything, including Exchange Servers, Outlook clients, and Office 365 accounts work without any issues, they can sit and relax. But unfortunately, it…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question