Hi All,

I have an SBS2003 SP2 server, we use Outlook Web Access over port 443
(https). For months now I keep getting logon failures, particularly
during the night, these look like the below:

Logon Failure:
Reason: Unknown user name or bad password
User Name: info
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: (server name)
Caller User Name: (server name$)
Caller Domain: (domain)
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1820
Transited Services: -
Source Network Address: -
Source Port: -

I cannot see any outside IP address that I can trace, it can be
anything from 5 to 100 bad logins with different usernames. I tried
running a syslog on our DSL router then searching for port 443 in the
txt file it creates but I couldn't find anything.

Have any of you the same problem? Is there anything I can do to stop
this?

Thanks in advance for any help you can give.

DNolan.

Re: Event ID:529 SBS security problem by Larry

Larry
Fri Mar 28 04:35:52 PDT 2008

Hi:

I don't know how you would stop a zombie from trying your perimeter
security. That is what they do. They test and probe. If you have a strong
pass phrase policy, preferably 15 or more characters, and change them on a
regular basis, zombies running a dictionary attack are not likely to break
in.

My Cat c@ugHt 10 miCe! is a strong pass phrase, easy to remember,
impossible to break in a dictionary attack, particularly if you have a 3 (or
5) strikes and lock policy.

Even with a true firewall, Watchguard, Sonic Wall, Cisco, Perimeter ISA, you
cannot "stop" the probes.

Leythos has posted more than once a long list of IP ranges that he blocks in
every SBS installation. Seems like a reasonable thing. Put this group into
name order and look through his posts.

There are two factor authentication methods wherein you must present a
password and another secure id before you can authenticate. Here is a link
to one:

http://www.scorpionsoft.com/

--
Larry

Please post the resolution to
your issue so that all can benefit.


"DNolan" <daranolan@eircom.net> wrote in message
news:41cc346d-8c54-4fa5-9243-3d5673b4c0e2@i29g2000prf.googlegroups.com...


Re: Event ID:529 SBS security problem by Marina

Marina
Fri Mar 28 06:54:16 PDT 2008

Hi D,

You are looking in the wrong log, most likely these are relay attempts, so
you should be looking in the SMTP log if you have that turned on.

--
Regards,

Marina Roos
Microsoft SBS-MVP
One of the Magical M&M's
www.smallbizserver.net
Take part in SBS forum: http://www.smallbizserver.net/Default.aspx?tabid=53
"DNolan" <daranolan@eircom.net> wrote in message
news:41cc346d-8c54-4fa5-9243-3d5673b4c0e2@i29g2000prf.googlegroups.com...



Re: Event ID:529 SBS security problem by DNolan

DNolan
Tue Apr 01 01:12:03 PDT 2008

Hi Guys,

Many thanks for the replies. I have turned on SMTP logging on my
server, what exactly should I be looking for in the log to see if
someone is 'probing' our server?

Thanks,

D.

Re: Event ID:529 SBS security problem by Marina

Marina
Tue Apr 01 01:42:53 PDT 2008

Hi D

Check the smtp logs at the times that you are getting the security errors.

--
Regards,

Marina Roos
Microsoft SBS-MVP
One of the Magical M&M's
www.smallbizserver.net
Take part in SBS forum: http://www.smallbizserver.net/Default.aspx?tabid=53
"DNolan" <daranolan@eircom.net> wrote in message
news:4f75f9dd-7dd6-4b2e-a250-248fabd72f07@e67g2000hsa.googlegroups.com...


Re: Event ID:529 SBS security problem by Larry

Larry
Tue Apr 01 03:42:50 PDT 2008

Hi D:

Would appreciate your posting back after you sort through all the logs and
letting us know how the information gained is helpful.

--
Larry

Please post the resolution to
your issue so that all can benefit.


"Marina Roos [SBS-MVP]" <marina@roos.nodontwantspam.nl.com> wrote in message
news:OIOc6R9kIHA.5820@TK2MSFTNGP04.phx.gbl...



Re: Event ID:529 SBS security problem by DNolan

DNolan
Mon Apr 07 01:17:50 PDT 2008

Hi Guys,

Thank you again for your help, I think you were right, it looks like
someone is trying to relay through our server, I checked the SMTP log
at the times I was getting the security log error and this is what I
found:

05:05:07 59.58.153.240 RCPT - 503
05:05:07 59.58.153.240 RCPT - 503
05:05:07 59.58.153.240 RCPT - 503
05:05:07 59.58.153.240 RCPT - 503
05:05:07 59.58.153.240 RCPT - 503
05:05:07 59.58.153.240 RCPT - 503
05:05:12 59.58.153.240 RCPT - 503
05:05:12 59.58.153.240 RCPT - 503
05:05:12 59.58.153.240 DATA - 503
05:05:12 59.58.153.240 DATA - 503
05:05:12 59.58.153.240 RCPT - 503
05:05:12 59.58.153.240 DATA - 503
05:05:12 59.58.153.240 RCPT - 503
05:05:12 59.58.153.240 RCPT - 503
05:05:12 59.58.153.240 DATA - 503
05:05:12 59.58.153.240 RCPT - 503
05:05:12 59.58.153.240 DATA - 503
05:05:18 59.58.153.240 RCPT - 503
05:05:18 59.58.153.240 DATA - 503
05:05:18 59.58.153.240 QUIT - 240
05:05:18 59.58.153.240 QUIT - 240
05:05:18 59.58.153.240 QUIT - 240
05:05:18 59.58.153.240 QUIT - 240
05:05:18 59.58.153.240 QUIT - 240



To me that looks like they were trying to logon to relay but the
server was saying 'no'. Is it worth following something like this up
or should I just let it go?

Thanks,

DNolan.
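
The manual correlation DNolan did (read the 529 time, open the SMTP log, look at what was happening at that moment) is worth scripting, because the 529 itself carries no client address: Logon Type 3 with Logon Process Advapi, Caller User Name of the computer account and Caller Logon ID (0x0,0x3E7) means a process running as LocalSystem on the server called LogonUser, so the Security log only ever shows the server talking to itself, and the real source has to come from the application log, here the SMTP protocol log. The script below is an added example, not code from the thread. The SMTP lines for 59.58.153.240 are the ones posted above, trimmed to time, client IP, verb, URI and status as DNolan pasted them (a real Exchange 2003 W3C log has more columns and a #Fields header that gives their order, so adjust the regex to your log); the 203.0.113.9 session and the three 529 timestamps are constructed for contrast and labelled as such in the code.

```python
"""Correlate Event ID 529 timestamps with SMTP protocol-log activity (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. The 59.58.153.240 lines are the ones from the post;
# the 203.0.113.9 session is an invented, well-behaved delivery for contrast.
SMTP_LOG = """\
05:05:07 59.58.153.240 RCPT - 503
05:05:07 59.58.153.240 RCPT - 503
05:05:07 59.58.153.240 RCPT - 503
05:05:07 59.58.153.240 RCPT - 503
05:05:07 59.58.153.240 RCPT - 503
05:05:07 59.58.153.240 RCPT - 503
05:05:12 59.58.153.240 RCPT - 503
05:05:12 59.58.153.240 RCPT - 503
05:05:12 59.58.153.240 DATA - 503
05:05:12 59.58.153.240 DATA - 503
05:05:12 59.58.153.240 RCPT - 503
05:05:12 59.58.153.240 DATA - 503
05:05:12 59.58.153.240 RCPT - 503
05:05:12 59.58.153.240 RCPT - 503
05:05:12 59.58.153.240 DATA - 503
05:05:12 59.58.153.240 RCPT - 503
05:05:12 59.58.153.240 DATA - 503
05:05:18 59.58.153.240 RCPT - 503
05:05:18 59.58.153.240 DATA - 503
05:05:18 59.58.153.240 QUIT - 240
05:05:18 59.58.153.240 QUIT - 240
05:05:18 59.58.153.240 QUIT - 240
05:05:18 59.58.153.240 QUIT - 240
05:05:18 59.58.153.240 QUIT - 240
05:41:02 203.0.113.9 EHLO - 250
05:41:02 203.0.113.9 MAIL - 250
05:41:03 203.0.113.9 RCPT - 250
05:41:03 203.0.113.9 DATA - 250
05:41:04 203.0.113.9 QUIT - 240
"""

# Constructed: times of the Event ID 529 entries from the Security log for the
# same morning (the thread shows the event body but not its exact times).
EVENT_529_TIMES = ["05:05:07", "05:05:12", "05:05:18"]

# time  client-ip  verb  uri-stem  status   (the columns as pasted in the thread)
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def parse_smtp_log(text):
    """Return (time, ip, verb, status) tuples; '#' header lines and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            t, ip, verb, _uri, status = m.groups()
            entries.append((datetime.strptime(t, "%H:%M:%S"), ip, verb, int(status)))
    return entries


def summarise_by_ip(entries):
    """Per client IP: commands sent, commands rejected (4xx/5xx), and verbs seen."""
    summary = defaultdict(lambda: {"total": 0, "rejected": 0, "verbs": set()})
    for _t, ip, verb, status in entries:
        s = summary[ip]
        s["total"] += 1
        s["verbs"].add(verb)
        if status >= 400:
            s["rejected"] += 1
    return dict(summary)


def flag_probers(summary, min_rejected=5, min_ratio=0.5):
    """IPs whose session was mostly refusals: a relay/AUTH probe, not a real sender."""
    return sorted(ip for ip, s in summary.items()
                  if s["rejected"] >= min_rejected and s["rejected"] / s["total"] >= min_ratio)


def correlate(event_times, entries, window_seconds=5):
    """For each 529 timestamp, the client IPs that sent SMTP commands within +/- window."""
    hits = {}
    for ts in event_times:
        when = datetime.strptime(ts, "%H:%M:%S")
        lo, hi = when - timedelta(seconds=window_seconds), when + timedelta(seconds=window_seconds)
        hits[ts] = sorted({ip for t, ip, _v, _s in entries if lo <= t <= hi})
    return hits


if __name__ == "__main__":
    entries = parse_smtp_log(SMTP_LOG)
    summary = summarise_by_ip(entries)
    for ip in flag_probers(summary):
        s = summary[ip]
        print(f"{ip}: {s['rejected']}/{s['total']} commands rejected, verbs {sorted(s['verbs'])}")
    for ts, ips in correlate(EVENT_529_TIMES, entries).items():
        print(f"529 at {ts}: SMTP activity from {', '.join(ips) or 'nobody'}")
```

On the posted data this reports 59.58.153.240 with 19 of 24 commands rejected and names it as the only client active around each 529; the constructed 203.0.113.9 session, with no refusals, is neither flagged nor matched. The 5-second window is an assumption; widen it if your SMTP log and Security log clocks are not the same source.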

Re: Event ID:529 SBS security problem by Larry

Larry
Mon Apr 07 05:46:27 PDT 2008

You can test for open relay yourself:

http://support.microsoft.com/kb/304897

SBS and Exchange 2003 are set to not relay by default. You would have to
open it yourself. If it is open, and you did not do it, and no one else in
your organization did it, then you have been compromised.

However, I have seen one, and it is not pretty. Mail flows through like
Niagara Falls. You can hear the server's drives churn with all the
activity. There may be more advanced zombies that work for only a few
minutes, but even then, they would send thousands.

--
Larry

Please post the resolution to
your issue so that all can benefit.


"DNolan" <daranolan@eircom.net> wrote in message
news:26b9f380-f761-44cf-9e15-c7fa86fe0849@y21g2000hsf.googlegroups.com...
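
The KB article Larry points to walks through the test by hand: telnet to port 25, EHLO, MAIL FROM an outside address, RCPT TO an outside address, and see whether the server answers 250 (it will relay) or refuses. Below is that same exchange scripted, as an added example that is not from the thread or from the KB article. The host names and addresses are placeholders, and a small fake SMTP responder is included so the check can be run offline; its reply text is an assumption modelled on the "550 5.7.1 Unable to relay" that Exchange 2003 returns when relay is refused. It deliberately never sends DATA, so nothing is delivered even if the server is open.

```python
"""Scripted open-relay check over plain SMTP, with an offline fake server (added example)."""
import socket
import socketserver
import threading


def _read_reply(rf):
    """Read one SMTP reply, including the multi-line '250-' form; return (code, lines)."""
    lines = []
    while True:
        line = rf.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line.rstrip("\r\n"))
        if len(line) < 4 or line[3] == " ":   # final line of a reply has a space after the code
            break
    return int(lines[-1][:3]), lines


def check_open_relay(host, port=25, helo="relaytest.example",
                     sender="probe@example.net", recipient="someone@example.org", timeout=10):
    """Try to relay sender -> recipient (both assumed to be outside domains) through host.

    Returns {'open': bool, 'rcpt_code': int or None, 'transcript': [(command, code), ...]}.
    The relay is open if RCPT TO for a foreign recipient is answered with 250.
    """
    transcript = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rf = sock.makefile("r", encoding="ascii", errors="replace")

        def send(command):
            sock.sendall((command + "\r\n").encode("ascii"))
            code, _ = _read_reply(rf)
            transcript.append((command, code))
            return code

        code, _ = _read_reply(rf)                 # 220 banner
        transcript.append(("<banner>", code))
        if code != 220:
            return {"open": False, "rcpt_code": None, "transcript": transcript}
        if send(f"EHLO {helo}") != 250 and send(f"HELO {helo}") != 250:
            return {"open": False, "rcpt_code": None, "transcript": transcript}
        if send(f"MAIL FROM:<{sender}>") != 250:  # sender refused: nothing to relay
            send("QUIT")
            return {"open": False, "rcpt_code": None, "transcript": transcript}
        rcpt_code = send(f"RCPT TO:<{recipient}>")
        send("QUIT")                              # never DATA: we do not want to deliver anything
    return {"open": rcpt_code == 250, "rcpt_code": rcpt_code, "transcript": transcript}


class _FakeSmtpHandler(socketserver.StreamRequestHandler):
    """Minimal SMTP responder for offline testing (constructed; not a real MTA)."""

    def handle(self):
        self.wfile.write(b"220 mail.example.local ESMTP fake-for-test\r\n")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            cmd = raw.decode("ascii", "replace").strip().upper()
            if cmd.startswith("EHLO"):
                self.wfile.write(b"250-mail.example.local Hello\r\n250 AUTH LOGIN\r\n")
            elif cmd.startswith("HELO") or cmd.startswith("MAIL FROM:"):
                self.wfile.write(b"250 OK\r\n")
            elif cmd.startswith("RCPT TO:"):
                if self.server.open_relay:
                    self.wfile.write(b"250 2.1.5 Recipient OK\r\n")
                else:  # assumed wording, modelled on Exchange 2003's refusal
                    self.wfile.write(b"550 5.7.1 Unable to relay\r\n")
            elif cmd.startswith("QUIT"):
                self.wfile.write(b"221 closing\r\n")
                return
            else:
                self.wfile.write(b"500 5.5.1 Command unrecognized\r\n")


def start_fake_server(open_relay):
    """Start the fake MTA on an ephemeral loopback port; return (server, port)."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), _FakeSmtpHandler)
    srv.open_relay = open_relay
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def self_test():
    """Run the check against a refusing and an accepting fake; return both results."""
    results = {}
    for name, open_relay in (("refusing", False), ("open", True)):
        srv, port = start_fake_server(open_relay)
        try:
            results[name] = check_open_relay("127.0.0.1", port)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for name, result in self_test().items():
        print(f"{name} fake server: open relay = {result['open']} (RCPT -> {result['rcpt_code']})")
    # Against a real server, run from OUTSIDE your own network:
    #   check_open_relay("mail.yourdomain.example")
```

Run it from a host outside your network; from an address the server is configured to relay for, or after AUTH, a 250 on RCPT is expected and proves nothing. A refused relay (550 here, like the 503s in DNolan's log) is the default Exchange 2003 behaviour Larry describes; a 250 for a recipient in a domain you do not host is the finding to chase.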