Exchange 2007 attack
Posted on 2013-12-09
We have an Exchange 2007 server that runs on Windows 2003. We have been getting failed login attempts on the server with generic user names like john, carol, support, administrator, admin and so on. It's sometimes a few hundred every day.
The IP address is often different, as well as the source port. The Logon type is always 10 and logon process User32. We have Outlook Web Access enabled on this server, as well as POP3, IMAP4 and Exchange ActiveSync. The server has a self-signed security certificate.
Our firewall is a Cisco ASA 5505. I am trying to find out how they get to our server through the firewall and how this can be blocked. I am not sure of this Exchange or Server 2003 related.
Below is an example of the many events from the security log on the server.
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Time: 12:18:16 PM
User: NT AUTHORITY\SYSTEM
Reason: Unknown user name or bad password
User Name: john
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: EXCHANGESERVER
Caller User Name: EXCHANGESERVER$
Caller Domain: OURDOMAINNAME
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 6948
Transited Services: -
Source Network Address: 18.104.22.168
Source Port: 56841