
Hack attempts on IMC?


snowghost (MIS)
Jun 10, 2002
I had this apparent hack attempt from somewhere in the South Pacific logged in Event Viewer for the Exchange Server IMC. The category is "SMTP Interface" with Event ID 4183. The text is as follows:

"Authentication attempt (AUTH LOGIN) from 211.158.76.185 as \abc failed: LogonUser() call failed with error: Logon failure: unknown user name or bad password."

Can somebody tell me what exactly is trying to be exploited, i.e. would that be an attempt to log into a mailbox with ESMTP? If I block outbound ports 135-139 will that eliminate the ability to try and log on?

TIA

EB
 
What is happening is that some ESMTP server is trying AUTH with your server. As they do not have a valid logon to your system, the attempt fails and is logged to your event log. Try sending an email to the other domain's admin and asking him to stop trying to auth with your server.

For more info, go to and look up Event ID 4183.
 
It sounds like someone is trying to find an open account to gain access to your server with. Usually they do this to send spam through. You should turn your logging on for your IMC and then go to Event Viewer and filter out all events except for ones with these IDs:

This section enables logging in the Windows Event Viewer such that any authentication attempts against the SMTP service (successful or failed) are logged in the application log.
1. Start Exchange Administrator.
2. Double-click Servers.
3. Under Servers, right-click ServerName, and then click Properties.
4. Click the Diagnostic Logging tab.
5. Click MSExchangeTransport on the left.
6. On the right, click SMTP Protocol.
7. Under Logging Level, click Maximum.
8. Click OK to close Server Properties.
If a remote user is authenticating against the Small Business Server computer as part of an operation to relay SMTP e-mail, you will see an event that is similar to the following in the application log:
Event Type: Information
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 1708
Date: 8/13/2003
Time: 10:13:24 AM
User: N/A
Computer: SERVER
Description: SMTP Authentication was performed successfully with client remote_computername. The authentication method was LOGIN and the username was company\username.

In this case, if the relaying appears to come from a hacked account password, go to the Active Directory Users and Computers snap-in and delete the account, disable the account, or change the password on the account.

If a remote user is authenticating against the Small Business Server as part of an operation to relay SMTP e-mail using the guest account, you will see an event that is similar to the following in the application log:
Event Type: Information
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 1708
Date: 8/13/2003
Time: 10:27:52 AM
User: N/A
Computer: SERVER
Description: SMTP Authentication was performed successfully with client remote_computername. The authentication method was LOGIN and the username was COMPANY\Guest.

In this case, the remote user is exploiting the guest account. Use the Active Directory Users and Computers snap-in to disable the guest account. Note: It is not sufficient to change the password on the guest account. You must disable the guest account.


Also see this:
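The thread quotes two event texts worth watching: the IMC "SMTP Interface" Event 4183 failure from the original post, and the MSExchangeTransport Event 1708 success described in the reply above. The following is an added example, not code from the thread or from Microsoft: it parses both description formats, counts failed AUTH LOGIN attempts per source address so a repeated guesser stands out, and flags any successful logon as the Guest account (the case the reply says must be handled by disabling the account). The sample event list, the threshold of three failures, and the function names are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample events (event ID, description) modelled on the texts quoted
# in this thread. Only the first line is the actual text from the original post.
SAMPLE_EVENTS = [
    (4183, "Authentication attempt (AUTH LOGIN) from 211.158.76.185 as \\abc failed: "
           "LogonUser() call failed with error: Logon failure: unknown user name or bad password."),
    (4183, "Authentication attempt (AUTH LOGIN) from 211.158.76.185 as \\admin failed: "
           "LogonUser() call failed with error: Logon failure: unknown user name or bad password."),
    (4183, "Authentication attempt (AUTH LOGIN) from 211.158.76.185 as \\test failed: "
           "LogonUser() call failed with error: Logon failure: unknown user name or bad password."),
    # A single failure from an internal address, e.g. a user mistyping a password.
    (4183, "Authentication attempt (AUTH LOGIN) from 10.0.0.5 as CORP\\jsmith failed: "
           "LogonUser() call failed with error: Logon failure: unknown user name or bad password."),
    (1708, "SMTP Authentication was performed successfully with client remote_computername. "
           "The authentication method was LOGIN and the username was COMPANY\\Guest."),
    (1708, "SMTP Authentication was performed successfully with client remote_computername. "
           "The authentication method was LOGIN and the username was COMPANY\\jsmith."),
]

# Event 4183 (IMC "SMTP Interface") failure text.
FAILED_AUTH_RE = re.compile(
    r"Authentication attempt \((?P<method>[^)]+)\) from (?P<ip>[\d.]+) "
    r"as (?P<user>\S+) failed"
)
# Event 1708 (MSExchangeTransport "SMTP Protocol") success text.
SUCCESS_AUTH_RE = re.compile(
    r"SMTP Authentication was performed successfully with client (?P<client>\S+)\. "
    r"The authentication method was (?P<method>\S+) and the username was (?P<user>\S+)\."
)


def parse_event(event_id, description):
    """Return a dict for one SMTP auth event, or None if the text is not one we recognise."""
    if event_id == 4183:
        m = FAILED_AUTH_RE.search(description)
        if m:
            return {"outcome": "failed", "source": m.group("ip"),
                    "method": m.group("method"), "user": m.group("user")}
    elif event_id == 1708:
        m = SUCCESS_AUTH_RE.search(description)
        if m:
            return {"outcome": "success", "source": m.group("client"),
                    "method": m.group("method"), "user": m.group("user")}
    return None


def summarize(events, failure_threshold=3):
    """Aggregate parsed events: failures per source, usernames tried, Guest logons."""
    failures_by_source = Counter()
    users_tried = defaultdict(set)
    guest_logons = []
    for event_id, description in events:
        rec = parse_event(event_id, description)
        if rec is None:
            continue
        if rec["outcome"] == "failed":
            failures_by_source[rec["source"]] += 1
            users_tried[rec["source"]].add(rec["user"])
        elif rec["user"].lower().endswith("\\guest"):
            # A successful SMTP AUTH as Guest is the relay case the reply warns about.
            guest_logons.append(rec)
    # Sources at or above the threshold are likely guessing accounts, not mistyping.
    suspicious = sorted(src for src, n in failures_by_source.items() if n >= failure_threshold)
    return {
        "failures_by_source": dict(failures_by_source),
        "users_tried": {src: set(users) for src, users in users_tried.items()},
        "suspicious_sources": suspicious,
        "guest_logons": guest_logons,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_EVENTS)
    for src in report["suspicious_sources"]:
        print(f"{src}: {report['failures_by_source'][src]} failed AUTH attempts, "
              f"users tried: {sorted(report['users_tried'][src])}")
    for rec in report["guest_logons"]:
        print(f"Guest account used for SMTP AUTH from {rec['source']} - disable the account")
```

With real data, the event descriptions would be exported from the application log (Event Viewer can save a filtered view as text) and fed in as (ID, description) pairs; the Guest check and the per-source failure count are the two signals the replies above recommend acting on.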
 
I have the same problem after shutting down that dude that was using our server as a relay. Found out that the <local> admin account was blank and he was exploiting that. Once I corrected the issue, they still try to get in, but are denied permission.

Danny
 