
Who's guessing passwords? - source of invalid logins to inetinfo, SBS2003

 
 
Krzysztof Barski
06-16-2010
Hello,
I am desperately trying to identify from where someone tries to log in to our
SBS2003 server.
I'm getting several hundred event ID 529 entries in the security log,
spanning a 30-40 minute interval, and all share this info:
Username: (here someone guesses random names)
Login type: 3
Logon Process: Advapi
Workstation name: <my_server_name>
Username: <my_server_name$>
Source network address: <empty> (it'd be nice if it wasn't)
PID: <inetinfo_pid_always>

I thought that since it is always about inetinfo, these invalid logons would be
listed in the IIS log files, but they are not.
By the way, the first in a chain of these logon attempts also generates
event ID 1706 from MSExchangeTransport in the application log.

I've read somewhere about debugging Exchange for the purpose of identifying
failed logons, but I don't want to do that. I'd like to see a log in any
format that would contain the source address or machine name.

Please help me identify the source of these attacks.
--
Regards
Krzysztof Barski

 
Paul Shapiro
06-16-2010

I haven't seen these for a while, but I think it turned out to be attempts
to authenticate with the SMTP server. You can enable SMTP logging and you
may find further details there. I eventually decided there wasn't any point
to trying. The attack source rarely stays constant for long. In my case, I
had a flurry of such attacks for a week or two at a time, and then they
stopped. Occasionally they occur again, but never for long.

 
Krzysztof Barski
06-16-2010
Thanks for the answer, Paul.
I will be logging some more SMTP stuff, then. I need to see it logged at
least once just to be sure that it really is through SMTP and not an in-house
job by some unexpectedly "skillful" employee.
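
Added example (not part of any post in this thread): because the event 529 entries carry no source address, one way to tie them to a client is to match their timestamps against the SMTP log once logging is enabled, then check whether the matching addresses are inside or outside the LAN. It assumes the SMTP log is written in W3C extended format with the date, time and c-ip fields enabled; the log lines, failure times, LAN subnet and UTC offset below are constructed placeholders.

```python
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed SMTP log excerpt in W3C extended format (times are UTC).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method
2010-06-16 02:09:58 203.0.113.45 EHLO
2010-06-16 02:10:03 203.0.113.45 QUIT
2010-06-16 02:10:04 203.0.113.45 EHLO
2010-06-16 02:10:06 192.168.16.23 MAIL
2010-06-16 02:10:08 203.0.113.45 QUIT
2010-06-16 02:30:00 198.51.100.7 EHLO
"""
# Constructed local timestamps of event ID 529 entries from the Security log.
SAMPLE_FAILURES = [datetime(2010, 6, 16, 4, 10, s) for s in (2, 5, 9)]

def parse_w3c(text):
    """Yield one dict per data line, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values))

def rank_sources(log_text, failures, lan, utc_offset, window_s=3):
    """Rank client IPs by log lines within window_s of any failed logon."""
    window, net, hits = timedelta(seconds=window_s), ip_network(lan), Counter()
    for rec in parse_w3c(log_text):
        if not {"date", "time", "c-ip"} <= rec.keys():
            continue  # logging was configured without the fields we need
        stamp = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        local = stamp + utc_offset  # W3C logs are UTC, event log shows local time
        if any(abs(local - f) <= window for f in failures):
            hits[rec["c-ip"]] += 1
    return [(ip, n, "internal" if ip_address(ip) in net else "external")
            for ip, n in hits.most_common()]

if __name__ == "__main__":
    for row in rank_sources(SAMPLE_LOG, SAMPLE_FAILURES, "192.168.16.0/24", timedelta(hours=2)):
        print(row)
```

An address that shows up only once near a failure is usually unrelated traffic; the one whose line count tracks the number of failed logons is the candidate source.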

 
john doe
06-17-2010
Get 'EventSentry Light' (free edition) and install it. We are using it and
it's great.
