Strange Windows logon attempts Sep 11 2003 04:55PM
Chris Harrington (cmh nmi net)
All,

A customer notified us that someone / something tried to log into one of
their servers repeatedly but failed. It appears to be some sort of
script since it tried 6 usernames with 23 passwords in under 2 minutes.
The event log is a typical 529 event ID. The logon type was 3 (network)
and the logon process was advapi. I generally see this when someone
tries to log in to IIS using cleartext authentication. There is no
evidence in the w3svc logs of these attempts. There were no successful
logins using that logon process.

This server is an Exchange server with port 25 accessible from the
Internet. I have verified this is the only port open by scan and
firewall rules.

1. Can anyone access the advapi (or any domain login process) over port
25 on an Exchange server? I did not think that SMTP AUTH could do that.

2. What other common programs use the advapi call for authentication?

The usernames that were tried are webmaster, admin, root, test, master,
web. Each one was tried in that order with 23 passwords, all failed.

3. Does anyone know what script / app / virus / worm that could be?

Any insights?

Thanks,

--Chris

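One way to pick such an attempt out of a security log, as an added example that is not part of the original post: group 529 (Logon Failure) events by source workstation and logon process, then flag any source that produces many failures across several distinct user names inside a short window. The records below are constructed for the example (not the poster's logs); their fields follow the standard Windows 2000/2003 event 529 layout (User Name, Logon Type, Logon Process, Workstation Name), and the thresholds are assumptions to tune for your environment.

```python
"""Detect password-guessing bursts in Windows 529 (Logon Failure) events.

Added example; the sample records are constructed and mirror the pattern
described in the post (several user names tried in order, many failures
in under two minutes, logon type 3, logon process Advapi).
"""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_events():
    """Constructed 529-style records: one guessing burst plus one benign failure."""
    events = []
    t = datetime(2003, 9, 10, 22, 14, 0)
    for user in ["webmaster", "admin", "root", "test", "master", "web"]:
        for _ in range(4):  # four guesses per name here; the post saw 23
            events.append({
                "time": t,
                "user": user,
                "logon_type": 3,            # network logon
                "logon_process": "Advapi",  # as reported in the post
                "workstation": "GUESSING-HOST",  # hypothetical source name
            })
            t += timedelta(seconds=1)
    # A single mistyped password at the console, hours earlier: should not alert.
    events.append({
        "time": datetime(2003, 9, 10, 9, 5, 0),
        "user": "jsmith",
        "logon_type": 2,                # interactive logon
        "logon_process": "User32",
        "workstation": "EXCH01",
    })
    return events


def find_guessing_bursts(events, window=timedelta(minutes=2),
                         min_failures=10, min_users=3):
    """Return one alert per (workstation, logon process) whose failures, within
    some sliding window of length `window`, reach `min_failures` events and
    `min_users` distinct user names. Thresholds are assumptions."""
    by_source = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_source[(e["workstation"], e["logon_process"])].append(e)

    alerts = []
    for (ws, proc), evs in by_source.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            span = evs[start:end + 1]
            users = []  # distinct names in order of first appearance
            for e in span:
                if e["user"] not in users:
                    users.append(e["user"])
            if len(span) >= min_failures and len(users) >= min_users:
                if best is None or len(span) > best["failures"]:
                    best = {
                        "workstation": ws,
                        "logon_process": proc,
                        "failures": len(span),
                        "users": users,
                        "first": span[0]["time"],
                        "last": span[-1]["time"],
                    }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in find_guessing_bursts(build_sample_events()):
        print(f"{a['workstation']} via {a['logon_process']}: "
              f"{a['failures']} failures, {a['first']:%H:%M:%S}-{a['last']:%H:%M:%S}, "
              f"names tried: {', '.join(a['users'])}")
```

Grouping on the workstation name matters here: with advapi as the logon process the W3SVC logs may be empty, as the poster saw, so the Workstation Name field in the 529 event is often the only source attribution available, and correlating it with the firewall's port 25 connection log for the same window is the next check.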
Copyright 2009, SecurityFocus