smtp event - strange

smtp event - strange

Post by Shan » Sat, 30 Mar 2002 00:30:12



Hi there,

Running Exchange 5.5 w/ Sp4 on a NT 4.0 w/ Sp6a.

Just noticed a strange log in even viewer.

EventID: 4184

Authentication attempt (Auth ntlm) from

xxx.xxx.xxx.xxx failed. HrAccept() call

failed with error: Logon failure: unknown user

name or bad password.

xxx.xxx.xxx.xxx is an IP address somewhere outside

my network

I couldn't find any KB article on this from MS site.

Has anyone seen this? What does this mean? being hacked?

Thanks

 
 
 

smtp event - strange

Post by Kirill S. Palagi » Sat, 30 Mar 2002 20:16:01


What is the source of that event?


> Hi there,

> Running Exchange 5.5 w/ Sp4 on a NT 4.0 w/ Sp6a.

> Just noticed a strange log in even viewer.

> EventID: 4184

> Authentication attempt (Auth ntlm) from

> xxx.xxx.xxx.xxx failed. HrAccept() call

> failed with error: Logon failure: unknown user

> name or bad password.

> xxx.xxx.xxx.xxx is an IP address somewhere outside

> my network

> I couldn't find any KB article on this from MS site.

> Has anyone seen this? What does this mean? being hacked?

> Thanks

--
Corrections are welcome.
Please keep all discussions in NG, so that everybody can participate.

Kirill

 
 
 

smtp event - strange

Post by Shan » Sun, 31 Mar 2002 02:48:52


HI Krill,

The source of this event is: MSExchangeIMC
Event ID: # 4184
Type: Error

I tried to search for this in MS KB, but no articles.
What do you think?
Thanks
Shane



> What is the source of that event?


> > Hi there,

> > Running Exchange 5.5 w/ Sp4 on a NT 4.0 w/ Sp6a.

> > Just noticed a strange log in even viewer.

> > EventID: 4184

> > Authentication attempt (Auth ntlm) from

> > xxx.xxx.xxx.xxx failed. HrAccept() call

> > failed with error: Logon failure: unknown user

> > name or bad password.

> > xxx.xxx.xxx.xxx is an IP address somewhere outside

> > my network

> > I couldn't find any KB article on this from MS site.

> > Has anyone seen this? What does this mean? being hacked?

> > Thanks

> --
> Corrections are welcome.
> Please keep all discussions in NG, so that everybody can participate.

> Kirill

 
 
 

smtp event - strange

Post by Rich Matheisen [MVP » Sun, 31 Mar 2002 08:04:17



>EventID: 4184
>Authentication attempt (Auth ntlm) from
>xxx.xxx.xxx.xxx failed. HrAccept() call
>failed with error: Logon failure: unknown user
>name or bad password.
>xxx.xxx.xxx.xxx is an IP address somewhere outside
>my network

>I couldn't find any KB article on this from MS site.

>Has anyone seen this? What does this mean? being hacked?

Do you have port 139 blocked at the firewall?

It's probably another Exchange server that's trying to use NTLM to
authenticate with your system.

--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm