Server hacking and audit

Ash Dey

Hi,

I am monitoring my mail server (not a Domain Controller,
running Windows 2000 SP4 and Exchange 2000 SP3) and
recording Event 681 every minute. I guess some
malicious application is running either on the mail
server or one of the client computers. The event
description is as follows:

The logon to account: userid_here
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: mail_server_name_here
failed. The error code was: 3221225572

I have consulted KB article 273499, it says bad logon
attempt from down level client will result in event 681
in the DC. However, I am getting it in the server which
is not a DC.

Is there any way I can trace which application or from
which workstation it is being tried? As per the event
monitor it is attempted from the mail server itself.
However, I cannot notice any suspicious process in the
task manager of my mail server.

Any comments or suggestion will be appreciated.

Ash
 
Steven L Umbach

Hi Ash.

I don't know what the problem is but you may want to also enable auditing on
logon events for failure also if you are not already in addition to account
logon events which may give you failure events with more information. Maybe
a service account, scheduled task, or mapped drive is constantly causing
this by using an account with a changed password? I know an Exchange
server can be a real busy machine but if possible try disconnecting it from
the network for five minutes to see if the failures stop which may help
pinpoint if this is coming from a network machine or not. You may also
want to use Process Explorer and TCPView which are free tools from
SysInternals to further examine processes. --- Steve

http://www.microsoft.com/technet/tr...l/windowsserver2003/proddocs/standard/518.asp
http://tinyurl.com/p4ve -- same link as above, shorter. --- Explains logon
events auditing.
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
 
Ash Dey

Thanks Steve for your posting. I will be auditing the
account logon events as suggested.

The user id which is giving me continuous failure events
has a mailbox and I have disabled that account. I have
disabled few other accounts with mail boxes. However I am
getting the logon failure event from only one particular
account. This account is not a service account.

Ash
 
Ash Dey

Thanks Steve for your reply. By auditing the account
logon events I could finally trace that the logon type is
type 3 i.e. network logon. Have traced the machine from
where it was attempted.

Ash
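As an added example, not from the thread, here is a Python script that does what Steve's audit advice and Ash's finding describe: it pairs each account-logon failure (event 681, in the format quoted above) with the logon-event failure (event 529) that failure auditing of logon events adds, decodes the decimal error code against the NTSTATUS values KB 273499 lists, and flags accounts that fail on a fixed interval from one workstation. The log lines, account names and host names are constructed.

```python
import re
from datetime import datetime
# Constructed sample log ("timestamp,event id,message"): 681 lines copy the message format quoted
# in the thread; 529 lines are what failure auditing of logon events (Steve's advice) adds.
SAMPLE_LOG = """\
2004-05-10 09:00:01,681,The logon to account: jdoe by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: MAILSRV failed. The error code was: 3221225572
2004-05-10 09:00:01,529,Logon Failure: User Name: jdoe Domain: CORP Logon Type: 3 Logon Process: NtLmSsp Workstation Name: WKS-17
2004-05-10 09:01:01,681,The logon to account: jdoe by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: MAILSRV failed. The error code was: 3221225572
2004-05-10 09:01:01,529,Logon Failure: User Name: jdoe Domain: CORP Logon Type: 3 Logon Process: NtLmSsp Workstation Name: WKS-17
2004-05-10 09:02:01,681,The logon to account: jdoe by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: MAILSRV failed. The error code was: 3221225572
2004-05-10 09:02:02,529,Logon Failure: User Name: jdoe Domain: CORP Logon Type: 3 Logon Process: NtLmSsp Workstation Name: WKS-17
2004-05-10 09:37:15,681,The logon to account: asmith by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: MAILSRV failed. The error code was: 3221225578
"""
# NTSTATUS values KB 273499 lists for event 681; the event text prints them in decimal.
NTSTATUS = {0xC0000064: "user name does not exist", 0xC000006A: "wrong password", 0xC0000072: "account disabled"}
RE_681 = re.compile(r"account: (\S+) .*from workstation: (\S+) failed\. The error code was: (\d+)")
RE_529 = re.compile(r"User Name: (\S+) .*Logon Type: (\d+) .*Workstation Name: (\S+)")
def parse(log):
    """One dict per line: time, event id, and the fields that event type carries."""
    records = []
    for line in log.splitlines():
        ts, eid, msg = line.split(",", 2)
        rec = {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "event": int(eid)}
        if eid == "681" and (m := RE_681.search(msg)):
            rec.update(account=m.group(1), reporter=m.group(2), reason=NTSTATUS.get(int(m.group(3)), "unknown " + m.group(3)))
        elif eid == "529" and (m := RE_529.search(msg)):
            rec.update(account=m.group(1), logon_type=int(m.group(2)), workstation=m.group(3))
        records.append(rec)
    return records
def correlate(records, window=5):
    """Pair each 681 with a 529 for the same account within `window` seconds: the 529 carries the
    logon type and the real origin, while a lone 681 only names the host that reported it."""
    logons = [r for r in records if r["event"] == 529]
    pairs = []
    for r in (r for r in records if r["event"] == 681):
        m = next((l for l in logons if l["account"] == r["account"]
                  and abs((l["time"] - r["time"]).total_seconds()) <= window), None)
        pairs.append({**r, "logon_type": m["logon_type"] if m else None,
                      "workstation": m["workstation"] if m else r["reporter"]})
    return pairs
def summarize(pairs, jitter=5):
    """Group by account/workstation/logon type/reason; 'periodic' means evenly spaced retries."""
    groups = {}
    for p in sorted(pairs, key=lambda p: p["time"]):
        groups.setdefault((p["account"], p["workstation"], p["logon_type"], p["reason"]), []).append(p["time"])
    out = {}
    for key, times in groups.items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        out[key] = {"count": len(times), "interval": round(sum(gaps) / len(gaps)) if gaps else None,
                    "periodic": len(gaps) >= 2 and max(gaps) - min(gaps) <= jitter}
    return out
```

On the sample, `jdoe` shows up as a network logon (type 3) from WKS-17 failing every 60 seconds with "user name does not exist", which is the kind of steady automated retry Steve suspected; `asmith` has no matching 529, so only the reporting host is known.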
 
Steven Umbach

Thanks for posting back with what worked and glad you tracked it down. ---
Steve
 
