Strange Logon attempts usually from webmaster, process ID looks like inetinfo.exe, exchange 2003 server..
i need to know where this is being generated on my server....username is usually webmaster, although sometimes different..here's a log of what happens, usually every week or so....

"1059079","11-May-2009 17:07:43 BST","DNTL","NT Event Log","2030","1","?","60","11-May-2009 16:51:12 BST","cemid51","10.176.20.6","W","N","Notice","20","R","?","AUTHV_Remote_Login","by_User_via_Remote_Connection","webmaster","?","0","?","Security","Security","?","5.1.2.26","Server 2003 Service Pack 2","CE-ES.CO.UK","0","1510","?","Security","Logon Failure:; Reason: Unknown user name or bad password; User Name: webmaster; Domain:; Logon Type: 3; Logon Process: Advapi ; Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0; Workstation Name: CEMID51; Caller User Name: CEMID51$; Caller Domain: CEES; Caller Logon ID: (0x0,0x3E7); Caller Process ID: 2176; Transited Services: -; Source Network Address: -; Source Port: -","Failure Audit","529","Logon/Logoff; ","CEMID51","?","?","?","?","?","webmaster","?","3","Advapi","MICROSOFT_AUTHENTICATION_PACKAGE_V1_0","CEMID51","CEMID51$","CEES","(0x0,0x3E7)","2176","?","?","?",

no username of webmaster exists..., sometimes tries username "company" too, with exact same log details....also adminwetsui, rooteyraw, testwtese.

right before one attempt, i get this in my exchange smtp logs..

2009-05-11 16:08:18 58.63.144.123 bohuang SMTPSVC1 CEMID51 10.176.20.6 0 QUIT - bohuang 240 5844 SMTP - -
2009-05-11 16:08:19 58.63.144.123 bohuang SMTPSVC1 CEMID51 10.176.20.6 0 EHLO - +bohuang 250 0 SMTP - -

this ip is on a blacklist, and is from china...process id points to inetinfo. every time this login attempt happens..any help appreciated..
May 12th, 2009 4:13pm

Do you have a workstation on your LAN with IP 10.176.20.6 named CEMID51? Miguel Fra Falcon ITS Miami, FL
May 12th, 2009 7:43pm

yes, that's the machine in question, it's an exchange 2003 server...logs are from itself...no spyware/virus on server too, scanned 3 times..
May 12th, 2009 10:17pm

OK, here's a place to start. If the user name changes from webmaster to root to admin to administrator, etc., it may be a brute force attack; they are simply guessing combos of logins and PWs. If your router has a packet filter, look through the logs to see traffic flow so you can pinpoint their origin; if your router's log files are not that detailed, install a packet sniffer like Omnipeek (www.wildpackets.com). Try closing FTP, RDP, HTTPS (Webmail) and any other ports that are listening for remote logon credentials. See if that stops the Logon Failures; if it does, it's likely a brute force attack trying to guess your password. Make sure your password is strong: it should not be a word found in the dictionary and it should contain 7+ characters including special characters. If it's a remote WAN attacker, you can use the packet filter rules on your router to block traffic from their network and report them to their ISP. If your router does not have this ability, SonicWall or Multitech routers are relatively inexpensive and they do have a packet filter rulebook. If the attacker is within your network, it's likely a worm or virus or an inside hack job. Since it's likely that the RDP attempts are also the same use you have identified in the SMTP logs, I think the easiest thing is to block inbound traffic from their IP address. Miguel Fra Falcon IT Services Miami, FL
May 12th, 2009 11:47pm

yes thanks for those comments i'll do just that..but i want to know if the logs are from that ip address i posted....and the user is not admin, or root, ...it's adminwetsui, rootwswer, and dwirinfa....its very strange....only happens once every few weeks......i need to report on where they're coming from....inetinfo.exe is the process id...but looking through the w3svc logs there is nothing to go on, ...i just need to report on what/why these attacks are happening..my server is behind a firewall and the only rule allowed through is on port 25. webmaster specifically has been trying to logon for the past year, once every week or so, ..just lately though, adminwetsui, company, rootsewes, or variants of that are trying...nobody heard of this at all? tried logging a fault with MS, but it's easier to penetrate the pentagon i reckon....that ip in my logs of 58.63.144.123 is listed as a spammer... it does look like it is a spammer trying to gain access also, is this common?
May 13th, 2009 2:29am

yes, typically the attacks I have seen use admin, root, administrator. I have never seen adminwetsui or the like. Sounds like you have a tough nut to crack. Google returns NULL on those login UIDs. I just noticed Logon Type 3, which is an over-the-LAN network logon typically trying to access shared folders, so maybe coming from within the LAN. I think a packet sniffer will get you more details. Miguel Fra Falcon ITS Miami, FL
May 13th, 2009 4:24pm

Hi Guys, It's been a while since the last post but I wanted to contribute, as I am also having this problem lately as well at one of my client sites. All symptoms the same as hardman - unusual usernames, inetinfo source process. I haven't got smtp logging enabled so will turn that on and see what info I get from the logs. Will let you guys know if I get anywhere with this. My guess is either a spammer or someone who has an infected PC which is doing this. Cheers, Jacob
July 8th, 2009 4:11am

Hi, Also, check that there aren't any services that someone set up prior and use that username/password as credentials. An example might be a remote backup of a network share, etc. Miguel Fra www.falconits.com
July 11th, 2009 12:15am

Hi Guys, I know this one is old news but I think I may have resolved this one. Turned on SMTP logging and related the time of the logon attempts to similar attempted connections in the SMTP logs. You need to stop spammers being able to even attempt a connection to your email server - we did this by moving to a hosted mail gateway, MailGuard, and only allowing SMTP connections from their servers. All other SMTP connections are dropped. We haven't had any funny logon attempts since then! Cheers, Jacob
October 14th, 2009 2:54am
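One way to do the correlation Jacob describes (matching the time of each type-3 logon failure whose caller process is inetinfo.exe against connections in the SMTPSVC log), and at the same time to pull the fields out of the event 529 message text the original post quotes. This is an added example and not code from anyone in this thread. The event text, the inetinfo PID, the host names and the client IP addresses are constructed sample data; the script also assumes the event export carries local time (BST in the thread) while the IIS SMTP log is written in UTC, which is the IIS default and is something the analyst must confirm for their own server.

```python
"""Correlate Windows Security 'Logon Failure' audits (event ID 529, logon type 3,
caller process = inetinfo.exe) with the IIS SMTP service (SMTPSVC) log, to list
which remote SMTP clients were connected shortly before each failed logon.

Assumptions (not from the thread): the event export gives a local-time stamp
plus the event message text; the SMTPSVC log is W3C extended format with
timestamps in UTC (the IIS default), so local event times are shifted to UTC
before comparison; the PID of inetinfo.exe is supplied by the analyst."""
from datetime import datetime, timedelta

# Constructed sample security events: (local time, message text of event 529).
# The first two mirror what the thread describes: type-3 failures whose caller
# process is inetinfo.exe (PID 2176 here). The third is a type-3 failure from a
# workstation via NtLmSsp and must not be attributed to the SMTP service.
SECURITY_EVENTS = [
    ("2009-05-11 16:51:12",
     "Logon Failure:; Reason: Unknown user name or bad password; User Name: webmaster; "
     "Domain:; Logon Type: 3; Logon Process: Advapi ; Authentication Package: "
     "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0; Workstation Name: CEMID51; "
     "Caller User Name: CEMID51$; Caller Domain: CEES; Caller Logon ID: (0x0,0x3E7); "
     "Caller Process ID: 2176; Transited Services: -; Source Network Address: -; Source Port: -"),
    ("2009-05-11 16:53:30",
     "Logon Failure:; Reason: Unknown user name or bad password; User Name: company; "
     "Domain:; Logon Type: 3; Logon Process: Advapi ; Authentication Package: "
     "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0; Workstation Name: CEMID51; "
     "Caller User Name: CEMID51$; Caller Domain: CEES; Caller Logon ID: (0x0,0x3E7); "
     "Caller Process ID: 2176; Transited Services: -; Source Network Address: -; Source Port: -"),
    ("2009-05-11 16:55:02",
     "Logon Failure:; Reason: Unknown user name or bad password; User Name: jsmith; "
     "Domain:; Logon Type: 3; Logon Process: NtLmSsp ; Authentication Package: NTLM; "
     "Workstation Name: PC17; Caller User Name: -; Caller Domain: -; Caller Logon ID: -; "
     "Caller Process ID: -; Transited Services: -; Source Network Address: 10.176.20.44; Source Port: 1093"),
]

# Constructed SMTPSVC log lines (UTC) in the layout the thread's sample shows:
# date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method ...
SMTP_LOG = """\
2009-05-11 14:10:00 192.0.2.9 mailrelay SMTPSVC1 CEMID51 10.176.20.6 0 EHLO - +mailrelay 250 0 SMTP - -
2009-05-11 15:48:02 203.0.113.7 zz1 SMTPSVC1 CEMID51 10.176.20.6 0 EHLO - +zz1 250 0 SMTP - -
2009-05-11 15:50:40 203.0.113.7 zz1 SMTPSVC1 CEMID51 10.176.20.6 0 MAIL - +FROM: 250 0 SMTP - -
2009-05-11 15:51:05 203.0.113.7 zz1 SMTPSVC1 CEMID51 10.176.20.6 0 QUIT - zz1 240 5844 SMTP - -
2009-05-11 15:52:58 198.51.100.22 host22 SMTPSVC1 CEMID51 10.176.20.6 0 EHLO - +host22 250 0 SMTP - -
2009-05-11 15:53:10 198.51.100.22 host22 SMTPSVC1 CEMID51 10.176.20.6 0 QUIT - host22 240 120 SMTP - -
"""


def parse_logon_failure(message):
    """Split the event 529 message into its 'Key: value' fields."""
    fields = {}
    for part in message.split(";"):
        key, sep, value = part.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_smtp_log(text):
    """Parse W3C SMTPSVC lines into UTC time, client IP and SMTP verb; skip '#' directives."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#") or len(f) < 9:
            continue
        when = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S")
        entries.append({"time": when, "client_ip": f[2], "verb": f[8]})
    return entries


def is_inetinfo_network_logon(fields, inetinfo_pid):
    """The thread's signature: network logon (type 3) via Advapi, caller PID = inetinfo.exe."""
    return (fields.get("Logon Type") == "3"
            and fields.get("Logon Process") == "Advapi"
            and fields.get("Caller Process ID") == str(inetinfo_pid))


def correlate(events, smtp_text, inetinfo_pid, local_utc_offset_hours=0, window_minutes=5):
    """For each flagged logon failure, list SMTP client IPs seen in the preceding window."""
    smtp = parse_smtp_log(smtp_text)
    window = timedelta(minutes=window_minutes)
    hits = []
    for local_ts, message in events:
        fields = parse_logon_failure(message)
        if not is_inetinfo_network_logon(fields, inetinfo_pid):
            continue
        when_utc = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S") - timedelta(hours=local_utc_offset_hours)
        clients = sorted({e["client_ip"] for e in smtp if when_utc - window <= e["time"] <= when_utc})
        hits.append({"user": fields.get("User Name"), "local_time": local_ts, "smtp_clients": clients})
    return hits


def offenders(hits):
    """Count how many flagged logon failures each SMTP client IP overlapped with."""
    counts = {}
    for h in hits:
        for ip in h["smtp_clients"]:
            counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = correlate(SECURITY_EVENTS, SMTP_LOG, inetinfo_pid=2176, local_utc_offset_hours=1)
    for h in found:
        print(f"{h['local_time']} user={h['user']!r}: SMTP clients in window: {', '.join(h['smtp_clients']) or 'none'}")
    print("candidate sources:", offenders(found))
```

The IP that shows up against more than one failed logon is the one worth checking against the blacklists mentioned above and blocking at the firewall, which is the conclusion Jacob reached by hand. A wide window lets unrelated but legitimate senders leak into the result, so keep it to a few minutes and look for repeats rather than single overlaps.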

