Where is this attack coming from?
I am currently having trouble with what is obviously a dictionary attack on what I assume is my Exchange Server. I am running Server 2003 R2 SP2 with Exchange 2007 SP1. We are behind a PIX firewall router. In my security logs for this server I've found a series of entries like this that run several times a second for varying lengths of time. The User Name runs the gamut of likely usernames:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 5/19/2009
Time: 6:51:31 PM
User: NT AUTHORITY\SYSTEM
Computer: XXSERVERX
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: snort
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: XXSERVERX
Caller User Name: XXSERVERX$
Caller Domain: MST
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 6028
Transited Services: -
Source Network Address: -
Source Port: -

Logon Type 3 indicates that the logon is coming from within the network, but due to the time of the event I have my doubts. I've seen references to Advapi being used as the logon process for these attacks but found no real conclusion what it was about. Process ID 6028 is the Microsoft Exchange POP3 service on my machine. I'm not positive what is going on here. I've turned on POP3 logging to try and catch the IP address next time, but I'm not confident that that is what is really going on. Any advice on how to go about finding where this is coming from and what to do about it? Thanks, -Chad
May 22nd, 2009 9:56pm

Hello Chad, Doesn't seem like hacking. It might be backup/drive sharing related. Do you have backup running on server/workstation XXSERVERX? Look more into this machine and if it is a backup server, then it might be a service or an earlier used net share. Maybe a credential was used to map a drive in the network. At the command prompt, try net use and if you see a device, delete it with net use /delete. Also look into your shares and active sessions. Isaac Oben MCITP:EA, MCSE
May 23rd, 2009 5:13pm

Hello Isaac and Chad, I have seen this issue with one of my clients. The possible reason might be the Conficker virus, which is trying to cause an account lockout. Chad, try to trace the client on your local PC, disconnect it from the LAN and try to remove the virus. Please let us know and keep posting. Thanks http://technetfaqs.wordpress.com
May 23rd, 2009 5:39pm

If/when they try again I hope to be able to trace them with POP3 logging and if it is local I'll give that machine a scrubbing. Thanks, -Chad
May 26th, 2009 6:24pm

Why don't you try placing an IDS in front of the Exchange server and put the IDS in ALERT_FAST mode just to get to know what's going on behind it. You can also try an open source IDS like Snort along with BASE or ACID to pin-point the origin of the attack, if it is an attack. :) Please do post your feedback here. Regards, KOWSHAL H.M. a.k.a W@R10CK
May 28th, 2009 2:30am

Cimbrog, Are you sure one of your network guys isn't trying out Netcat/Snort tooling to test vulnerabilities? The workstation name is XXSERVERX and the caller user name is XXSERVERX$... that looks like the tool might be running under local system... what is that machine? Regards, Mylo
May 28th, 2009 11:27pm

Just to follow up, it happened again and I checked the POP3 logs and found it was coming from outside after all. That IP address has been banned (for all the good it will do, since they'll probably just use a different one next time). Incidentally, I am running a script/service on my FTP server that bans any IP address when a certain number of failed logins occur after a certain amount of time. I haven't been able to find anything similar for POP3. I'm pretty sure I could adjust the script to detect an attack from the POP3 logs, but I don't know how to get it to ban the IP from a script. (The FTP script bans via IIS.) If anyone has advice in this area it would be appreciated. Thanks for the advice, everyone. -Chad
June 15th, 2009 4:52pm
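A detection pass of the kind Chad describes in his follow-up, as an added example that is not code from this thread or from Exchange: it reads POP3 login attempts from log lines, flags a client IP once it has a threshold of failures inside a sliding time window, records which usernames it tried (the "runs the gamut of likely usernames" pattern from the first post), and returns the list to hand to whatever block step the firewall or IIS provides. The one-attempt-per-line layout and the sample lines are constructed assumptions, not the real Exchange 2007 POP3 log format, so parse_line is the part to adapt.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (assumption: one login attempt per line as
# "date time client-ip user result"; NOT the real Exchange POP3 log layout)
SAMPLE_LOG = """\
2009-05-19 18:51:30 203.0.113.7 snort FAIL
2009-05-19 18:51:30 203.0.113.7 admin FAIL
2009-05-19 18:51:31 203.0.113.7 test FAIL
2009-05-19 18:51:31 203.0.113.7 guest FAIL
2009-05-19 18:51:32 203.0.113.7 backup FAIL
2009-05-19 18:52:00 192.0.2.10 chad FAIL
2009-05-19 18:52:05 192.0.2.10 chad OK
2009-05-19 19:30:00 203.0.113.7 www FAIL
"""


def parse_line(line):
    """Split one log line into (timestamp, client_ip, user, result)."""
    date, time, ip, user, result = line.split()
    return datetime.strptime(date + " " + time, "%Y-%m-%d %H:%M:%S"), ip, user, result


def find_brute_force(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: (time_flagged, sorted usernames tried)} for every client IP
    that produced at least `threshold` failed logins inside a sliding `window`."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    users = defaultdict(set)      # ip -> usernames seen in failed attempts
    flagged = {}
    for line in lines:
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        if result != "FAIL":      # a successful login is not part of the count
            continue
        users[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = (ts, sorted(users[ip]))
    return flagged


def block_list(flagged):
    """Sorted IPs to feed the firewall/IIS block step (enforcement not shown)."""
    return sorted(flagged)


if __name__ == "__main__":
    hits = find_brute_force(SAMPLE_LOG.splitlines())
    for ip, (when, names) in hits.items():
        print(f"{ip} flagged at {when}: tried {', '.join(names)}")
    print("block:", block_list(hits))
```

The single failure from 192.0.2.10 followed by a success never reaches the threshold, and the lone 19:30 failure from the attacker IP does not re-trigger because the earlier ones have aged out of the window.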

