Windows Vista Forums

Problems with Kerberos
  1. #1


    yaro137 Guest

    Problems with Kerberos

    To get more detailed information I enabled Kerberos logging and this
    is what I get:
    A Kerberos Error Message was received:
    on logon session
    Client Time:
    Server Time: 13:46:44.0000 4/27/2010 Z
    Error Code: 0xd KDC_ERR_BADOPTION
    Extended Error: 0xc00000bb KLIN(0)
    Client Realm:
    Client Name:
    Server Realm: DOMAIN.LOCAL
    Server Name: host/dru001.domain.local
    Target Name: host/dru001.domain.local@newsgroup
    Error Text:
    File: 9
    Line: b22
    Error Data is in record data.


    I'm getting quite a lot of these accompanied by :

    Pre-authentication failed:
    User Name: Administrator
    User ID: DOMAIN\Administrator
    Service Name: krbtgt/DOMAIN
    Pre-Authentication Type: 0x2
    Failure Code: 0x18
    Client Address: 127.0.0.1



    and

    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: administrator
    Domain: DOMAIN
    Logon Type: 10
    Logon Process: User32
    Authentication Package: Negotiate
    Workstation Name: DRU001
    Caller User Name: DRU001$
    Caller Domain: DOMAIN
    Caller Logon ID: (0x0,0x3E7)
    Caller Process ID: 6240
    Transited Services: -
    Source Network Address: 61.63.91.172
    Source Port: 1706


    The IP is external and has nothing to do with the client. I can't
    check what PID 6240 is as it doesn't exist any more. 0x18 means
    invalid pre-authentication usually meaning bad password. Right, so
    someone's trying. My question is why the first two logs look like they
    were coming from the server itself. Could it be already compromised or
    is it something else?
    yaro
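
Added example (not part of the original thread, and not any poster's code): a Python sketch that parses event descriptions in the layout posted above and pairs each Logon Type 10 failure from a public address with a loopback Kerberos pre-authentication failure (0x18) for the same account a few seconds apart. It assumes the server receiving the remote logon is also the domain controller, so its own KDC request is logged as 127.0.0.1; the timestamps, the extra accounts, the internal address and all function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample in the post's layout: (timestamp, description) pairs.
# Timestamps, the extra accounts and 192.168.16.20 are invented.
SAMPLE_EVENTS = [
    ("2010-04-27 13:46:40", r"""Logon Failure:
        User Name: administrator
        Logon Type: 10
        Source Network Address: 61.63.91.172"""),
    ("2010-04-27 13:46:40", r"""Pre-authentication failed:
        User Name: Administrator
        User ID: DOMAIN\Administrator
        Failure Code: 0x18
        Client Address: 127.0.0.1"""),
    ("2010-04-27 13:46:44", r"""Logon Failure:
        User Name: administrator
        Logon Type: 10
        Source Network Address: 61.63.91.172"""),
    ("2010-04-27 13:46:44", r"""Pre-authentication failed:
        User Name: Administrator
        Failure Code: 0x18
        Client Address: 127.0.0.1"""),
    ("2010-04-27 13:47:02", r"""Logon Failure:
        User Name: backup
        Logon Type: 10
        Source Network Address: 61.63.91.172"""),
    ("2010-04-27 13:50:00", r"""Logon Failure:
        User Name: jsmith
        Logon Type: 10
        Source Network Address: 192.168.16.20"""),
    ("2010-04-27 14:30:00", r"""Pre-authentication failed:
        User Name: svc_backup
        Failure Code: 0x18
        Client Address: 127.0.0.1"""),
]


def parse_event(text):
    """Split one event description into (heading, {field: value})."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    fields = {}
    for line in lines[1:]:
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            fields[key.strip()] = value.strip()
    return lines[0].rstrip(":"), fields


def _ip(value):
    """Parse an address field; None for blanks, '-' or host names."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def correlate(events, window_seconds=5):
    """Return (report keyed by public source IP, unmatched loopback accounts)."""
    parsed = [(datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), *parse_event(text))
              for stamp, text in events]

    # Pre-auth failures (0x18) that the KDC logged against a loopback client.
    local_preauth = []
    for when, kind, f in parsed:
        addr = _ip(f.get("Client Address", ""))
        if (kind == "Pre-authentication failed" and addr is not None
                and addr.is_loopback
                and f.get("Failure Code", "").lower() == "0x18"):
            local_preauth.append((when, f.get("User Name", "").lower()))

    matched = set()
    report = defaultdict(
        lambda: {"failures": 0, "accounts": set(), "local_preauth": 0})
    for when, kind, f in parsed:
        # Logon Type 10 is a remote interactive (Terminal Services) logon.
        if kind != "Logon Failure" or f.get("Logon Type") != "10":
            continue
        src = _ip(f.get("Source Network Address", ""))
        if src is None or not src.is_global:
            continue  # only attempts from public addresses are reported
        user = f.get("User Name", "").lower()
        entry = report[str(src)]
        entry["failures"] += 1
        entry["accounts"].add(user)
        for i, (p_when, p_user) in enumerate(local_preauth):
            close = abs((p_when - when).total_seconds()) <= window_seconds
            if i not in matched and p_user == user and close:
                matched.add(i)
                entry["local_preauth"] += 1
                break
    unmatched = [u for i, (_, u) in enumerate(local_preauth) if i not in matched]
    return dict(report), unmatched


if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

Accounts returned in the second value failed pre-authentication locally with no remote logon attempt nearby, so those are the entries to investigate on the server itself.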


  2. #2


    Ace Fekay [MVP - Directory Services, MCT] Guest

    Re: Problems with Kerberos

    On Tue, 27 Apr 2010 07:16:18 -0700 (PDT), yaro137
    <yaro137@newsgroup> wrote:

    >To get more detailed information I enabled Kerberos logging and this
    >is what I get:
    >A Kerberos Error Message was received:
    > on logon session
    > Client Time:
    > Server Time: 13:46:44.0000 4/27/2010 Z
    > Error Code: 0xd KDC_ERR_BADOPTION
    > Extended Error: 0xc00000bb KLIN(0)
    > Client Realm:
    > Client Name:
    > Server Realm: DOMAIN.LOCAL
    > Server Name: host/dru001.domain.local
    > Target Name: host/dru001.domain.local@newsgroup
    > Error Text:
    > File: 9
    > Line: b22
    > Error Data is in record data.
    >
    >
    >I'm getting quite a lot of these accompanied by :
    >
    >Pre-authentication failed:
    > User Name: Administrator
    > User ID: DOMAIN\Administrator
    > Service Name: krbtgt/DOMAIN
    > Pre-Authentication Type: 0x2
    > Failure Code: 0x18
    > Client Address: 127.0.0.1
    >
    >and
    >
    >Logon Failure:
    > Reason: Unknown user name or bad password
    > User Name: administrator
    > Domain: DOMAIN
    > Logon Type: 10
    > Logon Process: User32
    > Authentication Package: Negotiate
    > Workstation Name: DRU001
    > Caller User Name: DRU001$
    > Caller Domain: DOMAIN
    > Caller Logon ID: (0x0,0x3E7)
    > Caller Process ID: 6240
    > Transited Services: -
    > Source Network Address: 61.63.91.172
    > Source Port: 1706
    >
    >
    >The IP is external and has nothing to do with the client. I can't
    >check what PID 6240 is as it doesn't exist any more. 0x18 means
    >invalid pre-authentication usually meaning bad password. Right, so
    >someone's trying. My question is why the first two logs look like they
    >were coming from the server itself. Could it be already compromised or
    >is it something else?
    >yaro
    Nslookup says it's a Taiwan name.

    Name: 61-63-91-host172.kbtelecom.net.tw
    Address: 61.63.91.172

    You can also use http://www.ip2location.com to find IP locations.

    My suggestion is to simply block the IP, or if you don't do any
    business with Taiwan, deny the whole Taiwan IP block.

    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

    Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.


  3. #3


    yaro137 Guest

    Re: Problems with Kerberos

    On 27 Apr, 16:34, "Ace Fekay [MVP - Directory Services, MCT]"
    <ace...@newsgroup> wrote:

    > Nslookup says it's a Taiwan name.
    >
    > Name: 61-63-91-host172.kbtelecom.net.tw
    > Address: 61.63.91.172
    >
    > You can also use http://www.ip2location.com to find IP locations.
    >
    > My suggestion is to simply block the IP, or if you don't do any
    > business with Taiwan, deny the whole Taiwan IP block.
    >
    > Ace
    It wouldn't be easy doing in IIS. Unless there is some config file I
    don't know of. I'm still not sure why it looks local in the first two
    logs. Thanks
    yaro


  4. #4


    Ace Fekay [MVP - Directory Services, MCT] Guest

    Re: Problems with Kerberos

    On Tue, 27 Apr 2010 09:38:39 -0700 (PDT), yaro137
    <yaro137@newsgroup> wrote:

    >It wouldn't be easy doing in IIS. Unless there is some config file I
    >don't know of. I'm still not sure why it looks local in the first two
    >logs. Thanks
    >yaro
    I don't remember if you have SBS 2003 or 2008. If 2003, go into ESM,
    Protocols, SMTP, Default Virtual Server properties, second tab,
    access, and block the IP in there. In SBS 2008, it's in the Server,
    Transport, Receive Connector.

    Ace


  5. #5


    yaro137 Guest

    Re: Problems with Kerberos

    On 28 Apr, 02:18, "Ace Fekay [MVP - Directory Services, MCT]"
    <ace...@newsgroup> wrote:

    > I don't remember if you have SBS 2003 or 2008. If 2003, go into ESM,
    > Protocols, SMTP, Default Virtual Server properties, second tab,
    > access, and block the IP in there. In SBS 2008, it's in the Server,
    > Transport, Receive Connector.
    >
    > Ace
    It's 2003 in this case and yes, that's where you block an IP
    address but I was rather hoping to find a way to block a whole block
    of IP addresses rather than just a couple of them. Yesterday was that
    one, probably tomorrow it will be another one. Is there a way to block
    like whole country? If say I wanted to block China and Russia it won't
    even be one block of addresses but quite a lot of them. Thanks
    yaro


  6. #6


    Larry Struckmeyer[SBS-MVP] Guest

    Re: Problems with Kerberos

    Yaro:

    "I was rather hoping to find a way to block a whole block
    of IP addresses rather than just a couple of them."

    Most easily done in a quality edge device.... ISA, Watchguard, Sonicwall
    and so on.

    -
    Larry
    Please post the resolution to your
    issue so others may benefit
    -
    Get Your SBS Health Check at
    www.sbsbpa.com





  7. #7


    Ace Fekay [MVP - Directory Services, MCT] Guest

    Re: Problems with Kerberos

    On Wed, 28 Apr 2010 01:16:44 -0700 (PDT), yaro137
    <yaro137@newsgroup> wrote:

    >It's 2003 in this case and yes, that's where you block an IP
    >address but I was rather hoping to find a way to block a whole block
    >of IP addresses rather than just a couple of them. Yesterday was that
    >one, probably tomorrow it will be another one. Is there a way to block
    >like whole country? If say I wanted to block China and Russia it won't
    >even be one block of addresses but quite a lot of them. Thanks
    >yaro

    You can actually do it in there, but I second Larry's suggestion.

    If you want, take a look at this site. This is way too much to enter
    and overwhelm the SMTP service, but it gives you an idea of what's in
    store to do something like this.
    http://www.countryipblocks.net/

    Ace


  8. #8


    yaro137 Guest

    Re: Problems with Kerberos

    On 28 Apr, 14:22, "Ace Fekay [MVP - Directory Services, MCT]"
    <ace...@newsgroup> wrote:

    > You can actually do it in there, but I second Larry's suggestion.
    >
    > If you want, take a look at this site. This is way too much to enter
    > and overwhelm the SMTP service, but it gives you an idea of what's in
    > store to do something like this.
    > http://www.countryipblocks.net/
    >
    > Ace
    Yeah, fair enough. Thanks guys
    yaro
