
Unidentified Invalid Logons in Security Log


Geoff Davis
Apr 9, 2007, 10:44:49 AM
SBS 2003 with 6 Client PCs (XP SP2)

The security event log is filling up with the following failure events:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 09/04/2007
Time: 14:44:21
User: NT AUTHORITY\SYSTEM
Computer: PE400SC
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: info
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER
Caller User Name: SERVER$
Caller Domain: 'Internal Domain Name'
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 2036
Transited Services: -
Source Network Address: -
Source Port: -

The things I know are these:
1) Caller Process ID 2036 is inetinfo.exe, which relates to Internet
Information Services.
2) If I disable the incoming Router Firewall Service for SMTP the
errors stop. I have stopped the service for over a day, but once it is
restarted the errors start appearing again.
3) The router also has the necessary services to allow for remote
access, but it is only the SMTP service that affects the errors.

Is this an external attack or something else, and how does one go
about identifying where it's coming from?

Regards

Geoff Davis

Jacky Luo [MSFT]
Apr 10, 2007, 5:00:03 AM
Hi Geoff,

Thanks for posting here.

From your problem description, I understand this issue to be: you receive
security event 529 on your SBS 2k3 server. If I am off base, please do not
hesitate to let me know.

According to the security event content, I suspect that this could be a
possible attack. In the event logs, logon type 3 is interpreted as a
network logon. This is the most common type; it is generated when you
access a computer from elsewhere on the network via shared folders, printers,
or IIS.

So, the most likely cause is that someone was trying to log on to your SBS
server through an IIS resource, such as OWA or RWW, with different username
and password combinations, but failed. Also, from the event content, the
user name which the “bad guy” used to log on to your server is “info”. I
think this user does not exist on your network. So, this could also be some
bad robots on the internet trying different server logons in a dictionary
attack.

Regarding this situation, I would like to give the following suggestions:

1. Perform a clean boot.

a. Click Start -> Run.
b. Input msconfig and click OK.
c. Click the Services tab, check Hide all Microsoft Services and click
Disable All.
d. Click the Startup tab and click Disable All.
e. Click OK, reboot the computer and test again.

Please test this issue in the clean boot environment.

2. Please enforce the strong password policy and make sure passwords are
well managed throughout your network.

3. If event 529 is constantly for the “info” account only and this account
exists in your domain, please disable this account out of security concern.

4. Make sure the SBS websites, such as OWA and RWW, are all SSL enabled (this
is the default setting). Clear-text passwords should be encrypted by
SSL communication for safety.

5. More information:

Securing Your Windows Small Business Server 2003 Network

http://download.microsoft.com/download/1/f/1/1f15a874-f696-4992-b5ad-b1e7b258de1c/SecuringSBSnetwork.doc


In addition, please let me know the following information:

1. Is the server name "server"?

2. Does the info user exist?

3. Please compress %systemroot%\System32\config\SecEvent.Evt and
send it to me at v-j...@microsoft.com


I appreciate your time. I am happy to be of assistance and look forward to
your reply.

Have a nice day!

Best regards,

Jacky Luo (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

====================================================
PLEASE NOTE: The partner managed newsgroups are provided to
assist with break/fix issues and simple how to questions.
We also love to hear your product feedback! Let us know what you think by
posting

from the web interface: Partner Feedback
from your newsreader: microsoft.private.directaccess.partnerfeedback.

We look forward to hearing from you!
====================================================
When responding to posts, please "Reply to Group" via your newsreader
so that others may learn and benefit from this issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
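An added example (my own code, not from the thread and not from Microsoft) of the triage Jacky's reply describes: it parses 529 records exported in the text layout Geoff posted, reads Logon Type, Logon Process and Source Network Address to say where the attempt was validated, and counts failures per account so a sustained run of guesses against one name is separated from a user's occasional typo. The sample records are constructed; the account names, the day-first date format (as in the post) and the threshold of 3 failures per hour are assumptions.

```python
"""Added example: triage security event 529 records exported in the post's text layout."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the layout mirrors the original post, every value is made up.
RECORD_TEMPLATE = """\
Event Type: Failure Audit
Event ID: 529
Date: {date}
Time: {time}
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: {user}
Domain:
Logon Type: {logon_type}
Logon Process: {process}
Caller User Name: SERVER$
Caller Process ID: {pid}
Source Network Address: {src}
Source Port: -
"""

# (time, user, logon type, logon process, caller PID, source address); assumed values.
SAMPLE_ATTEMPTS = [
    ("14:44:21", "info", "3", "Advapi", "2036", "-"),   # validated by IIS (inetinfo.exe)
    ("14:58:02", "info", "3", "Advapi", "2036", "-"),
    ("15:11:47", "info", "3", "Advapi", "2036", "-"),
    ("15:26:10", "info", "3", "Advapi", "2036", "-"),
    ("15:39:55", "info", "3", "Advapi", "2036", "-"),
    ("15:02:30", "gdavis", "2", "User32", "612", "-"),  # one mistyped console logon
]

SAMPLE_LOG = "".join(
    RECORD_TEMPLATE.format(date="09/04/2007", time=t, user=u, logon_type=lt,
                           process=p, pid=pid, src=src)
    for t, u, lt, p, pid, src in SAMPLE_ATTEMPTS
)


def parse_events(text):
    """Split exported text into records; each record becomes a key/value dict."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        if not chunk.strip():
            continue
        fields = {}
        for line in chunk.splitlines():
            if ":" in line:
                key, _, value = line.partition(":")  # first colon only ("Time: 14:44:21")
                fields[key.strip()] = value.strip()
        events.append(fields)
    return events


def classify(event):
    """Say where a 529 was validated, using only the fields the event carries."""
    if event.get("Event ID") != "529":
        return "not a 529 logon failure"
    logon_type = event.get("Logon Type")
    if (logon_type == "3" and event.get("Logon Process") == "Advapi"
            and event.get("Source Network Address", "-") == "-"):
        # A local service (caller PID 2036 = inetinfo.exe in the post) checked the
        # credentials for the client, so the client IP is not in this event and
        # has to come from that service's own log (the IIS W3SVC logs).
        return "network logon via a local service (no client address; check IIS logs)"
    if logon_type == "3":
        return "network logon from " + event.get("Source Network Address", "?")
    if logon_type == "2":
        return "interactive (console) logon"
    return "logon type " + str(logon_type)


def summarize(events, min_per_hour=3.0):
    """Per account: failure count, rate per hour, and whether it looks like guessing."""
    stamps_by_user = defaultdict(list)
    for ev in events:
        if ev.get("Event ID") != "529":
            continue
        # Day-first date as in the post (UK locale); adjust to the server's locale.
        stamp = datetime.strptime(ev["Date"] + " " + ev["Time"], "%d/%m/%Y %H:%M:%S")
        stamps_by_user[ev.get("User Name", "?")].append(stamp)
    summary = {}
    for user, stamps in stamps_by_user.items():
        stamps.sort()
        span_hours = max((stamps[-1] - stamps[0]).total_seconds() / 3600.0, 1.0)
        per_hour = len(stamps) / span_hours
        summary[user] = {
            "count": len(stamps),
            "per_hour": round(per_hour, 2),
            # The thread's pattern (3 or more per hour, for days) is flagged;
            # a single wrong password from a real user is not.
            "flagged": len(stamps) >= 3 and per_hour >= min_per_hour,
        }
    return summary
```

Run `summarize(parse_events(SAMPLE_LOG))` to get the per-account table; on the constructed sample, `info` is flagged with five failures inside an hour and `gdavis` is not. `classify` on the first record returns the "local service" case, which is exactly the shape of Geoff's event: logon type 3 through Advapi with no source address, so the client's IP has to be recovered from the IIS logs rather than from the security log.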

Geoff Davis
Apr 11, 2007, 6:09:16 AM

Jacky

Thanks for the response

I've not tackled your suggestions in items 1 to 4 yet, but the
information you requested is as follows:

1) The server name is not "SERVER", but I do have another customer who has
set his server name to SERVER. Do you think this will cause a
problem?

2) Yes, Info does exist.

3) Hopefully by now you will have received the file you requested.

Thanks again

Geoff Davis

Jacky Luo [MSFT]
Apr 11, 2007, 8:31:23 AM
Hi Geoff,

Thanks for posting back.


Because the info user exists, you can ask the user whether he accesses network
resources via OWA, RWW or shared folders on the server. If not, someone may be
trying his password; then you should enforce the strong password policy and
make sure passwords are well managed throughout your network.

If the event is sporadic, not frequent, it is likely that the user entered the
wrong password himself. You can just ignore the event, and you can keep an
eye on this event to see how often it occurs.

In the security log, you can check the source network address to identify
the client.

Furthermore, I have not received your email. Please compress
%systemroot%\System32\config\SecEvent.Evt and send it to me at
v-j...@microsoft.com


Have a nice day!

Best regards,

Jacky Luo (MSFT)
Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

Geoff Davis
Apr 11, 2007, 3:46:21 PM


Jacky

Thanks for the further response.

The user Info only exists to catch email addressed to info@...

No one actually uses the info account. If I could ask the user I
would. As you said in your previous reply, this is definitely an
attack. The same Security Log error is occurring repetitively at random
time intervals, at least 3 per hour, and has been doing so for at
least the last 7 days. As you can see from the error message in my
original post, there is no source network address.

I originally sent the email to ...@microsoft.com but your 'profile'
says it is ...@online.microsoft.com so I have sent it again to the
latter.

Regards

Geoff Davis

Geoff Davis
Apr 11, 2007, 3:56:48 PM
Jacky

Email to ...online.microsoft.com has bounced back as "Host unknown
(Name server: online.microsoft.com"

I will send it again to the microsoft.com address

Geoff

Jacky Luo [MSFT]
Apr 12, 2007, 8:41:10 AM
Hi Geoff,


Thanks for posting back.


I think the most likely cause is that someone was trying to log on to your
SBS server through an IIS resource, such as OWA or RWW, with info, but failed.

Please send the most recent IIS log files to me for analysis. To do so,
please go to C:\WINDOWS\system32\LogFiles, compress the W3SVC1 folder and
send the zip file to me.

324279 HOW TO: Configure Web Site Logging in Windows Server 2003
http://support.microsoft.com/?id=324279

Please send security log and IIS log to me at v-j...@microsoft.com
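Because the 529 event carries no source address when IIS validated the credentials, the W3SVC log Jacky asks for is where the client IP actually lives. An added example (my own code, not from the thread or from Microsoft) that reads IIS W3C extended log lines, keeps 401 responses on the OWA and Remote Web Workplace paths, and groups them by client IP and attempted account. The log lines are constructed (documentation address ranges); the field order is the IIS 6 default W3C set as I know it, but the parser takes the column names from the `#Fields` line of whatever log it is given, and the `/exchange` and `/remote` prefixes and the threshold of 3 attempts are assumptions.

```python
"""Added example: find the client IP behind OWA/RWW logon failures in an IIS W3C log."""
from collections import Counter, defaultdict

# Constructed sample in the IIS 6 default W3C extended layout; the addresses are
# documentation ranges and the requests are made up. sc-win32-status 1326 is
# ERROR_LOGON_FAILURE, the code IIS records for a bad user name or password.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-04-09 14:44:21
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2007-04-09 14:44:21 192.0.2.10 GET /exchange/ - 443 info 198.51.100.23 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 1326
2007-04-09 14:58:02 192.0.2.10 GET /exchange/ - 443 info 198.51.100.23 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 1326
2007-04-09 15:11:47 192.0.2.10 GET /exchange/ - 443 info 198.51.100.23 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 1326
2007-04-09 15:20:05 192.0.2.10 GET /exchange/ - 443 administrator 198.51.100.23 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 1326
2007-04-09 15:30:12 192.0.2.10 GET /remote/ - 443 - 203.0.113.8 Mozilla/4.0+(compatible;+MSIE+6.0) 401 2 0
2007-04-09 15:31:00 192.0.2.10 GET /remote/ - 443 gdavis 203.0.113.8 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
"""

# OWA and Remote Web Workplace virtual directories on SBS 2003 (assumed prefixes).
AUTH_PATHS = ("/exchange", "/remote")


def parse_w3c(text):
    """One dict per request line; column names come from the #Fields directive."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")  # W3C logs encode spaces inside values as '+'
        if fields is None or len(values) != len(fields):
            continue              # skip a malformed line rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def failed_logons(rows, prefixes=AUTH_PATHS):
    """Count 401 responses on the authenticated paths per (client IP, account)."""
    counts = Counter()
    for r in rows:
        if r["sc-status"] != "401" or not r["cs-uri-stem"].lower().startswith(prefixes):
            continue
        if r["cs-username"] == "-":
            continue  # the initial challenge, before any credentials were offered
        counts[(r["c-ip"], r["cs-username"])] += 1
    return counts


def suspicious_sources(counts, min_attempts=3):
    """Client IPs with at least min_attempts failures, with the accounts they tried."""
    per_ip = defaultdict(dict)
    for (ip, user), n in counts.items():
        per_ip[ip][user] = n
    return {ip: users for ip, users in per_ip.items() if sum(users.values()) >= min_attempts}


def report(text):
    """Raw log text in, suspicious client IPs and the accounts they tried out."""
    return suspicious_sources(failed_logons(parse_w3c(text)))
```

`report(open(path).read())` over the newest file in `W3SVC1` gives the view the security log cannot: on the sample it names one client IP that tried `info` three times and `administrator` once, while the user who mistyped nothing and then logged in from the second address is not listed. Joining the timestamps of those 401 lines to the 529 events' Date/Time fields confirms that the two logs describe the same attempts.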

Geoff Davis
Apr 13, 2007, 3:43:36 AM

Jacky

Thanks for helping me out on this.

The attempted logins have now stopped. When I checked the 'Exchange
Features' setup for Info, they had been set as per the other normal
users, i.e. Outlook Web Access etc. were all enabled. It seems that
once I changed these to disabled the attack ceased.

I'm not sure why this should be because, as I understand it, this only
stops access to the account; it does not stop anyone trying to log in
with that account name. Unless of course SBS responds differently and
the attacker receives a different error response when the account is
disabled for Web Access. This would tell the attacker that info is
now blocked completely and they may as well give up.

Do you have any ideas on this?

Anyway, a lesson learnt.

Thanks again for your help

Geoff Davis

Jacky Luo [MSFT]
Apr 13, 2007, 12:35:37 PM
Hi Geoff,


Thanks for posting back.


You are right. After you disable OWA for info, the hacker receives "You
are not authorized to view this page" and knows the account has had OWA
disabled, so he gives up guessing the password. If you do not disable
OWA, the hacker always has three chances to guess the password, so he can
constantly guess info's password. After you disabled OWA, he had no
chance to guess the password, so he gave up, and so the attempted logins have
now stopped.

You can try to use info to log on to OWA; then you will also see the error page
HTTP 403 (Forbidden) at once.

So we find the root cause is that someone is trying to guess the password of
info,

and I am glad to hear the attempted logins have now stopped after you
disabled OWA for info.

If you have any questions, please let me know.
