Server hacking and audit

  • Thread starter Thread starter Ash Dey
  • Start date Start date
A

Ash Dey

Hi,

I am monitoring my mail server (not a Domain Controller,
running Windows 2000 SP4 and Exchnage 2000 SP3) and
recording Eevent 681 in every minute. I guess some
malicious application is running either on the mail
server or one of the client computers. The event
description is as follows:

The logon to account: userid_here
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: mail_server_name_here
failed. The error code was: 3221225572

I have consulted KB article 273499, it says bad logon
attempt from down level client will result in event 681
in the DC. However, I am getting it in the server which
is not a DC.

Is there any way I can trace which application or from
which workstation it is being tried? As per the event
monitor it is attempted from the mail server itself.
However, I cannot notice any suspecious process in the
task manager of my mail server.

Any comments or suggestion will be appreciated.

Ash
 
Hi Ash.

I don't know what the problem is but you may want to also enable auditing on
logon events for failure also if you are not already in addition to account
logon events which may give you failure events with more information. Maybe
a service account, scheduled task, or mapped drive is constantly causing
this by using an account with a changed password?? I know an Exchange
server can be a real busy machine but if possible try disconnecting it from
the network for five minutes to see if the failures stop which may help
pinpoint if this is a coming from a network machine or not. You may also
want to use Process Explorer and TCPView which are free tools from
SysInternals to further examine processes. --- Steve

http://www.microsoft.com/technet/tr...l/windowsserver2003/proddocs/standard/518.asp
http://tinyurl.com/p4ve -- same link as above, shorter. --- Explains logon
events auditing.
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
 
Thanks Steve for your posting. I will be auditing the
account logon events as suggested.

The user id which is giving me continuous failure events
has a mailbox and I have disabled that account. I have
disabled few other accounts with mail boxes. However I am
getting the logon failure event from only one particular
account. This account is not a service account.

Ash
 
Thanks Steve for your reply. By auditing the account
logon events I could finally trace that the logon type is
type 3 i.e. network logon. Have traced the machine from
where it was attempted.

Ash
 
Back
Top