Failed Logins - Event ID 4625 - Possible brute force attack?

    Question

  • Hi everyone, and thanks for any response in advance! 

    We are getting one of these failed logon attempts every 15 seconds on the server:

    We are running Windows Server 2008, and Exchange 2007.
    The usernames vary, "candy, admin, administrator, alex, scanner, etc...." it goes on and on

    It says the source is not one from the network (no IP and port info), but what appears to be a local process, edgetransport.exe.

    Not even sure if it's a legit process, as I have failed to find any info on it. It is in the Exchange folder.

    Please see the error info below:

    ------------------------------------------------------------------------------------------------------------

    An account failed to log on.


    Subject:
    Security ID: NETWORK SERVICE
    Account Name: <<our server name>>$
    Account Domain: <<Our Local Domain Name>>
    Logon ID: 0x3e4


    Logon Type: 3


    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: power
    Account Domain:


    Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006d
    Sub Status: 0xc0000064


    Process Information:
    Caller Process ID: 0x2358
    Caller Process Name: C:\Program Files\Microsoft\Exchange Server\Bin\EdgeTransport.exe


    Network Information:
    Workstation Name: <<Our server name>>
    Source Network Address: -
    Source Port: -


    Detailed Authentication Information:
    Logon Process: Advapi  
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

    ------------------------------------------------------------------------------------------------------------------------------------------------------

    Wednesday, February 29, 2012, 3:04 PM
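An added example, not from the thread, that puts the event text above to work. It parses the message body of 4625 events (as pasted above, or as exported on the server with `wevtutil qe Security /q:"*[System[EventID=4625]]" /f:text`), splits the repeated Security ID / Account Name fields by section, and summarises the guessed names, the caller process and the NTSTATUS sub-status. The point it makes explicit is that Logon Type 3 with Logon Process "Advapi" and a blank Source Network Address means the caller process itself validated the credentials through the LogonUser API, so the remote client's IP is not in the Security log at all. The server name MAIL01, domain EXAMPLE and the sample events are constructed; the status meanings are the documented NTSTATUS values.

```python
"""Triage the text of Windows Security event 4625 (added example, constructed sample)."""
import re
from collections import Counter, defaultdict

# Documented NTSTATUS values found in the Status / Sub Status fields of 4625.
STATUS_TEXT = {
    0xC000006D: "bad user name or password",
    0xC0000064: "user name does not exist",
    0xC000006A: "correct user name, wrong password",
    0xC0000234: "account locked out",
    0xC0000072: "account disabled",
}

SECTIONS = {"Subject", "Account For Which Logon Failed", "Failure Information",
            "Process Information", "Network Information",
            "Detailed Authentication Information"}
# These names occur twice (caller and target), so they are keyed by section.
PER_ACCOUNT = {"Security ID", "Account Name", "Account Domain", "Logon ID"}
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z /()]*?):\s*(.*)$")


def parse_4625(text):
    """Return a dict of the 'Name: value' lines of one 4625 message."""
    section, fields = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and line[:-1] in SECTIONS:
            section = line[:-1]
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue  # e.g. the leading "An account failed to log on."
        name, value = m.group(1), m.group(2).strip()
        if name in PER_ACCOUNT and section in ("Subject", "Account For Which Logon Failed"):
            name = f"{section}/{name}"
        fields[name] = value
    return fields


def triage(event_texts, min_distinct_users=5):
    """Aggregate many 4625 messages: who is guessed, through which process, and why it failed."""
    users, callers, reasons = Counter(), Counter(), Counter()
    users_per_caller = defaultdict(set)
    app_mediated = 0
    for text in event_texts:
        f = parse_4625(text)
        user = f.get("Account For Which Logon Failed/Account Name", "?")
        caller = f.get("Caller Process Name", "?")
        sub = int(f.get("Sub Status", "0x0"), 16)
        users[user] += 1
        callers[caller] += 1
        reasons[STATUS_TEXT.get(sub, f"unknown status {sub:#x}")] += 1
        users_per_caller[caller].add(user)
        # Type 3 + Advapi + no source address: the caller process called LogonUser
        # itself, so the client's IP lives only in that application's own logs.
        if (f.get("Logon Type") == "3" and f.get("Logon Process") == "Advapi"
                and f.get("Source Network Address", "-") == "-"):
            app_mediated += 1
    # Many distinct names from one caller is dictionary guessing, not a typo.
    suspicious = [c for c, u in users_per_caller.items() if len(u) >= min_distinct_users]
    return {"events": len(event_texts), "app_mediated": app_mediated,
            "top_users": users.most_common(3), "callers": dict(callers),
            "reasons": dict(reasons), "guessing_via": suspicious}


# Constructed sample modelled on the event in the post (server/domain names assumed).
EVENT_TEMPLATE = """An account failed to log on.

Subject:
    Security ID: NETWORK SERVICE
    Account Name: MAIL01$
    Account Domain: EXAMPLE
    Logon ID: 0x3e4

Logon Type: 3

Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: {user}
    Account Domain:

Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006d
    Sub Status: {sub}

Process Information:
    Caller Process ID: 0x2358
    Caller Process Name: C:\\Program Files\\Microsoft\\Exchange Server\\Bin\\EdgeTransport.exe

Network Information:
    Workstation Name: MAIL01
    Source Network Address: -
    Source Port: -

Detailed Authentication Information:
    Logon Process: Advapi
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0
"""

# Seven guessed names from the thread plus one real user with a wrong password.
SAMPLE_EVENTS = [EVENT_TEMPLATE.format(user=u, sub="0xc0000064")
                 for u in ["power", "candy", "admin", "administrator", "alex", "scanner", "admin"]]
SAMPLE_EVENTS.append(EVENT_TEMPLATE.format(user="jsmith", sub="0xc000006a"))

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Run against a day of exported events, `guessing_via` names the process to go after and `app_mediated` tells you not to look for the attacker's address in these events; the next stop is that application's own logging.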

Answers

All replies

  • Any ideas? Anyone? Am I on the right forum?

    I am somewhat afraid this is a ticking time-bomb.

    Wednesday, February 29, 2012, 5:08 PM
  • Am I right in concluding that those user names do not belong to any of your users?

    What is the service pack on your Windows server and for Exchange?

    And most importantly, are you running an Edge Transport server?

    Otherwise, edgetransport.exe can be found on both Edge and Hub Transport servers.

    It is located in the C:\Program Files\Microsoft\Exchange Server\bin folder.

    I'm not sure why it is causing these errors for you though.


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    Wednesday, February 29, 2012, 6:34 PM
  • How many events are you tracking a day, and is it at a specific time? Try running a packet capture to get more information on the originating IP address.

    It looks like a script kiddie trying to run a dictionary attack, maybe in conjunction with a brute force. If you have an IPSec policy enabled, you can block incoming traffic whose network packet headers are modified, which in your case may be the issue. Mostly these kinds of attacks are not successful (if you have not left any security settings at default); they can only cause panic for some time.

    Wednesday, February 29, 2012, 8:19 PM
  • Right, there are other ones like "Iloveyou" and "123456" etc...

    Windows Server is patched to SP2, and the Exchange 2007 version is 08.02.0176.002, if that helps.

    Honestly this company recently hired me, and I have never worked with Exchange before. What does the Edge Transport server do exactly? And yes, it is running from that folder.

    Thursday, March 1, 2012, 5:01 PM
  • Every 15 seconds, all day, every day for the past three days. 
    I can't seem to pinpoint where the traffic is coming from. All it says in the event is a local process.
    I know we use OWA, so perhaps they are trying to log in to our mail server? If so, what type of traffic should I be looking for?

    Thanks guys for your help and advice!


    • Edited by Matthew Bills, Thursday, March 1, 2012, 5:04 PM
    Thursday, March 1, 2012, 5:03 PM
  • And thank you so much for posting.
    Thursday, March 1, 2012, 5:03 PM
  • You need an IDS/IPS system to secure your Exchange.
    Saturday, March 3, 2012, 12:08 PM
  • Hi Matthew,

    As this issue is related to Exchange Server, for a quick and accurate response to the question, I suggest you also ask in the Exchange Server forum. The support professionals there are more familiar with it and can help you in a more efficient way.

    Exchange Server forum:

    http://social.technet.microsoft.com/Forums/en/category/exchangeserver/

    Regards,

    Bruce

    • Marked as answer by Bruce-Liu, Thursday, March 8, 2012, 6:17 AM
    Monday, March 5, 2012, 8:58 AM
  • Hi.

    Since it is targeted at C:\Program Files\Microsoft\Exchange Server\Bin\EdgeTransport.exe, I think they're trying to use SMTP AUTH, i.e. the receiver on the Exchange server.

    As someone wrote earlier, an IDS/IPS helps you in this scenario, since it's actually quite difficult to do anything about all those brute-force attempts.

    We've had thousands of them targeted at our servers, and earlier we used a few .vbs scripts and PowerShell scripts, but they were not advanced enough, so we ended up writing one of our own, really.

    We'll be releasing it publicly shortly, actually, if anyone's interested.

    www.syspeace.com 

    Sunday, July 8, 2012, 9:53 AM
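If the last reply is right and the guesses arrive as SMTP AUTH on a receive connector, the client address the 4625 event lacks is in the Exchange SMTP Receive protocol log, which records every command and reply once protocol logging on the connector is set to Verbose (`Set-ReceiveConnector "<name>" -ProtocolLoggingLevel Verbose`; the files live under the Exchange install's `TransportRoles\Logs\ProtocolLog\SmtpReceive` folder). The log is CSV with the fields `date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context`. The following is an added example, not code from the thread or from any product, that walks such a log, pairs each `535` rejection with the username the client sent, and ranks remote IPs by failed attempts. It handles both `AUTH LOGIN` (the `334` challenges are the base64 of "Username:" and "Password:") and the one-line `AUTH PLAIN` form, which goes a little beyond what the reply describes. The connector name, addresses, session IDs and all log rows are constructed.

```python
"""Attribute SMTP AUTH failures in an Exchange SMTP Receive protocol log to client IPs.
Added example with a constructed sample log; not the thread's or Exchange's own code."""
import base64
import csv
import io
from collections import Counter, defaultdict

FIELDS = ["date-time", "connector-id", "session-id", "sequence-number",
          "local-endpoint", "remote-endpoint", "event", "data", "context"]


def _b64decode(token):
    """Decode a client token, returning None instead of raising on junk input."""
    try:
        return base64.b64decode(token, validate=True)
    except ValueError:
        return None


def attribute_auth_failures(log_text):
    """Return (failures, successes): Counters keyed by (remote IP, username)."""
    failures, successes = Counter(), Counter()
    state = {}  # per session-id: what the next client line is expected to carry
    rows = (line for line in io.StringIO(log_text) if line.strip() and not line.startswith("#"))
    for row in csv.reader(rows):
        if len(row) < len(FIELDS):
            continue
        rec = dict(zip(FIELDS, row))
        sid, event, data = rec["session-id"], rec["event"], rec["data"]
        ip = rec["remote-endpoint"].rsplit(":", 1)[0]
        st = state.setdefault(sid, {"expect": None, "user": None})
        if event == "<":  # client -> server
            parts = data.split(" ", 2)
            if data.upper().startswith("AUTH PLAIN ") and len(parts) == 3:
                # initial-response form: base64("\0user\0password")
                fields = (_b64decode(parts[2]) or b"").split(b"\0")
                st["user"] = fields[1].decode("utf-8", "replace") if len(fields) >= 3 else "?"
            elif data.upper().startswith("AUTH LOGIN ") and len(parts) == 3:
                st["user"] = (_b64decode(parts[2]) or b"?").decode("utf-8", "replace")
                st["expect"] = None
            elif st["expect"] == "user":
                st["user"] = (_b64decode(data) or b"?").decode("utf-8", "replace")
                st["expect"] = None
            elif st["expect"] == "pass":
                st["expect"] = None  # never record the password itself
        elif event == ">":  # server -> client
            if data.startswith("334 VXNlcm5hbWU6"):    # "Username:"
                st["expect"] = "user"
            elif data.startswith("334 UGFzc3dvcmQ6"):  # "Password:"
                st["expect"] = "pass"
            elif data.startswith("535"):
                failures[(ip, st["user"] or "?")] += 1
            elif data.startswith("235"):
                successes[(ip, st["user"] or "?")] += 1
        elif event == "-":  # disconnect: forget the session
            state.pop(sid, None)
    return failures, successes


def guessing_sources(failures, min_attempts=3):
    """Rank remote IPs by failed attempts, listing the names each one tried."""
    per_ip = defaultdict(lambda: [0, set()])
    for (ip, user), n in failures.items():
        per_ip[ip][0] += n
        per_ip[ip][1].add(user)
    ranked = [(ip, n, sorted(users)) for ip, (n, users) in per_ip.items() if n >= min_attempts]
    return sorted(ranked, key=lambda t: -t[1])


def _b64(s):
    return base64.b64encode(s.encode()).decode()


def _session(sid, remote, user, password, ok, plain=False):
    """Constructed rows for one authentication session in the protocol-log format."""
    reply = "235 2.7.0 Authentication successful" if ok else "535 5.7.3 Authentication unsuccessful"
    if plain:
        auth = [("<", "AUTH PLAIN " + _b64("\0" + user + "\0" + password))]
    else:
        auth = [("<", "AUTH LOGIN"), (">", "334 VXNlcm5hbWU6"), ("<", _b64(user)),
                (">", "334 UGFzc3dvcmQ6"), ("<", _b64(password))]
    rows = [("+", ""), (">", "220 mail01.example.com Microsoft ESMTP MAIL Service ready"),
            ("<", "EHLO localhost")] + auth + [(">", reply), ("-", "")]
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for seq, (event, data) in enumerate(rows):
        writer.writerow([f"2012-02-29T06:00:{seq:02d}.000Z", "MAIL01\\Default MAIL01", sid, seq,
                         "192.0.2.10:25", remote, event, data, ""])
    return out.getvalue()


# Constructed sample: two guessing hosts, one legitimate user (addresses are documentation ranges).
SAMPLE_LOG = "\n".join(["#Software: Microsoft Exchange Server", "#Version: 8.2.0.0",
                        "#Log-type: SMTP Receive Protocol Log", "#Date: 2012-02-29T06:00:00.000Z",
                        "#Fields: " + ",".join(FIELDS), ""]) + "".join([
    _session("S1", "198.51.100.23:51422", "power", "x", ok=False),
    _session("S2", "198.51.100.23:51430", "candy", "x", ok=False),
    _session("S3", "198.51.100.23:51441", "admin", "x", ok=False),
    _session("S4", "203.0.113.7:40001", "admin", "x", ok=False),
    _session("S5", "203.0.113.7:40002", "administrator", "x", ok=False, plain=True),
    _session("S6", "192.0.2.55:49152", "jsmith", "x", ok=True),
])

if __name__ == "__main__":
    fails, wins = attribute_auth_failures(SAMPLE_LOG)
    print(guessing_sources(fails, min_attempts=2), dict(wins))
```

The IPs this produces are what the firewall or IPS rule, or a `Set-ReceiveConnector -RemoteIPRanges` tightening, actually needs; the 4625 events alone only tell you that EdgeTransport.exe was the one asking. Check the successes list too: a `235` for a guessed name after a run of `535`s is the case that is not "just panic".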