Attempted Attack - Can't Determine Method
- I have recently upgraded to SBS R2 with ISA Server 2004 and have noticed several failed login attempts in the security log. However, despite my exhaustive efforts over the past several days, I cannot determine what the perpetrator is using/doing to initiate the attacks. I have included my system info and excerpts from the security log below. Any help will be very much appreciated.
System Info:
OS Name Microsoft(R) Windows(R) Server 2003 for Small Business Server
Version 5.2.3790 Service Pack 2 Build 3790
Other OS Description Not Available
OS Manufacturer Microsoft Corporation
System Name SERVER02
System Domain WEBPULP
System Manufacturer Dell Computer Corp.
System Model PowerEdge 350
System Type X86-based PC
Security Log Excerpt:
1/16/2008 10:20:18 PM Security Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM SERVER02 "Logon Failure:
Reason: Unknown user name or bad password
User Name: sales
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER02
Caller User Name: SERVER02$
Caller Domain: WEBPULP
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1908
Transited Services: -
Source Network Address: -
Source Port: -
"
1/16/2008 10:19:52 PM Security Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM SERVER02 "Logon Failure:
Reason: Unknown user name or bad password
User Name: info
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER02
Caller User Name: SERVER02$
Caller Domain: WEBPULP
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1908
Transited Services: -
Source Network Address: -
Source Port: -
"
1/16/2008 10:19:34 PM Security Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM SERVER02 "Logon Failure:
Reason: Unknown user name or bad password
User Name: backup
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER02
Caller User Name: SERVER02$
Caller Domain: WEBPULP
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1908
Transited Services: -
Source Network Address: -
Source Port: -
"
1/16/2008 10:19:10 PM Security Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM SERVER02 "Logon Failure:
Reason: Unknown user name or bad password
User Name: pwrchute
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER02
Caller User Name: SERVER02$
Caller Domain: WEBPULP
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1908
Transited Services: -
Source Network Address: -
Source Port: -
"
1/16/2008 10:18:00 PM Security Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM SERVER02 "Logon Failure:
Reason: Unknown user name or bad password
User Name: access
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER02
Caller User Name: SERVER02$
Caller Domain: WEBPULP
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1908
Transited Services: -
Source Network Address: -
Source Port: -
"
Answers
Question Closed
Keith_Alabaster
Moderator
- Marked As Answer by Keith Alabaster MVP, Moderator, Wednesday, June 10, 2009 11:27 AM
All Replies
This is pretty much the same as something I'm seeing. The usernames I'm seeing the attempts on are...
admin
root
user
guest
test
I can't determine the source of the attack either.
I'm seeing the same security event log activity. I'm also running SBS R2 but am using a different firewall, so do not have ISA installed. Neither the firewall logs nor TrendMicro Security Center indicate an intrusion. The SBS is set up with dual NICs but the only inbound port open on the public-facing network is 25. I do have the remote access ports open as well but only for specific known networks (i.e. specific IPs).
- I'm also having the same problem. Again it's SBS 2003 SP2 (not R2). Current on Windows updates. Getting usernames: master, admin, company, root, webmaster. Had 30 yesterday spread out throughout the morning but nothing today. This is starting to sound like something going on with SBS.
- I too am getting these on SBS2003 SP2
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 31/01/2008
Time: 09:37:30
User: NT AUTHORITY\SYSTEM
Computer: XXXXXXXXX
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: RPMSRV01$
Domain: RPMINDUSTRIESIN
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: RPMSRV01
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 31/01/2008
Time: 09:38:33
User: NT AUTHORITY\SYSTEM
Computer: XXXXXXXX
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: BIGDIPPER$
Domain: LOCAL
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: BIGDIPPER
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
As far as I know, all ports are stealthed & VPN is secure. Can anyone shed any light on this, please?
Thanks
I'm seeing the same events. They are using names like: admin, test, backup, guest. In looking at the process ID, I found this was inetinfo, but I'm not seeing anything in the logs.
I would like to be able to find the source IP address for these logon attempts as I assume someone is trying to hack into our system. Are these attempts logged anywhere else except in the system events?
Windows 2003 SBS/R2.
thanks,
randy
I am seeing the same type of events, usernames such as copyright, share, 1234567, 22222, 33333, 44444. Happens virtually every night at various times.
Running 2003 SBS SP2
Hi rbatton,
If your errors/attempts are coming from inetinfo, it's from IIS. Turn on IIS logging and you will see the source IP in the log with the username.
HTH
DAve.
Hi Dave,
Thanks for the reply. The problem is I knew inetinfo was IIS and I have had IIS logging turned on since the system was configured. I've looked at all the IIS logs and I'm not seeing any activity related to these failed attempts--but I'll check again in case I missed something. That's what's got me stumped.
BTW: The only websites on this server are the ones created by Small Business Server.
thanks,
randy
In my instance, the logon process is Advapi. Logon type of 3 which indicates a network logon, internal. I have run spyware and virus checks on all workstations and removed anything found. The failure audits persist even after that. I have been unable to recreate the failure audits.
I have no websites configured on the server except for what is configured by default in IIS.
2003 SBS SP2
Thanks
BRM1980 wrote: In my instance, the logon process is Advapi. Logon type of 3 which indicates a network logon, internal.
That's the same in my situation. What I did was look at the Caller Process ID in the Event and then look up the PID in Task Manager (provided, of course, you haven't rebooted the computer between the time of the failed logon and when you check for the PID). In my case the PID pointed to inetinfo.exe which is IIS.
I'm pretty convinced that someone is trying to hack into our system as I see the same list of user ids being tried every few days, luckily without success.
[Does anyone know if Windows keeps any log of the passwords used in a failed logon attempt? Just curious--trying to get into the hacker's modus operandi a little.]
While we have a hardware firewall and I've tried to lock down the system as much as possible, I'd really like to find out the path these attempts are taking to be able to get to a login point.
I'll keep searching and report back if I find anything.
thanks,
randy
Hi, no, Windows does not keep passwords from failed attempts.
This may be an internal machine trying to break in. There MUST be a log of the client IP in the IIS logs, it's a default field.
Re,
Dave.
I checked the Caller PID on my server as well and it shows the same thing, inetinfo.exe. One of my coworkers tried relaying mail off the server and was able to recreate the error except the logon type was 8 instead of 3. Still unsure as to what it could be.
Finally found the issue with the help from another forum and a co-worker. The issue is someone trying to authenticate to the server to relay mail. I increased SMTP logging to find the IPs it was coming from and found the following information:
2008-02-05 10:56:33 222.183.144.211 ameill-2007 SMTPSVC1 (SERVERNAME) (SERVER INTERNAL IP ADDRESS) 0 EHLO - +ameill-2007 250 0 317 16 0 SMTP - - - -
2008-02-05 10:57:02 222.183.144.211 ameill-2007 SMTPSVC1 (SERVERNAME) (SERVER INTERNAL IP ADDRESS) 0 QUIT - ameill-2007 240 29094 76 10 7984 SMTP - - - -
2008-02-05 10:57:21 222.183.144.211 ameill-2007 SMTPSVC1 (SERVERNAME) (SERVER INTERNAL IP ADDRESS) 0 EHLO - +ameill-2007 250 0 317 16 0 SMTP - - - -
The following is the process used to create the failure audits on the attacker's side.
C:\> telnet mail.mydomain.com 25
ehlo mydomain.com
auth login (this is SMTP AUTH encrypted).
334 VXNlcm5hbWU6 (output from server)
Ymx1dWVuY29kZWQ= (Base64 encoded username see below.)
334 UGFzc3dvcmQ6 (output from server)
Mypassword
535 5.7.3 Authentication unsuccessful.
I used the binary encoder at http://www.webpan.com/customers/Email/base64_conversion.htm to generate the Base64 encrypted username.
Thanks for the update.
It seems my hacker decided to give up. He hasn't returned now that I'm waiting for him. Oh, well...if he does, I'll check for an SMTP login.
later,
randy
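The pattern BRM1980 and randy pieced together above (logon process Advapi, type 3, caller PID resolving to inetinfo.exe, and no Source Network Address in the event, so the client IP only shows up in the IIS SMTP log once logging is turned up) can be triaged automatically. This is an added example, not code from the thread: the 529 event text and the SMTP W3C lines are constructed samples in the same layout as the excerpts quoted above, and the SMTP field positions (c-ip third, EHLO name fourth, verb ninth) are assumed from the quoted log line.

```python
import re
# Constructed sample (not from the thread): two 529 descriptions in the shape quoted
# above, trimmed to the fields used here; the first is the Advapi/inetinfo pattern.
SECURITY_LOG = """\
Logon Failure:
User Name: sales
Logon Process: Advapi
Caller Process ID: 1908
Source Network Address: -
Logon Failure:
User Name: administrator
Logon Process: NtLmSsp
Source Network Address: 203.0.113.7
"""
# Constructed SMTP W3C lines in the thread's layout: field 3 is c-ip, field 4 the EHLO name, field 9 the verb.
SMTP_LOG = """\
2008-02-05 10:56:33 203.0.113.42 client-pc SMTPSVC1 MAILSRV 192.0.2.10 0 EHLO - +client-pc 250 0 317 16 0 SMTP - - - -
2008-02-05 10:56:40 203.0.113.42 client-pc SMTPSVC1 MAILSRV 192.0.2.10 0 AUTH - LOGIN 334 0 0 0 0 SMTP - - - -
"""
FIELD_RE = re.compile(r"^(User Name|Logon Process|Caller Process ID|Source Network Address):\s*(.*)$", re.M)

def parse_529(text):
    """One dict per 'Logon Failure:' block, holding only the fields needed for triage."""
    return [{k: v.strip() for k, v in FIELD_RE.findall(block)}
            for block in text.split("Logon Failure:")[1:]]

def source_location(ev):
    """Which log holds the client address for this failed logon."""
    if ev.get("Source Network Address", "-") != "-":
        return "event"     # NtLmSsp/User32 logons carry the address in the event itself
    if ev.get("Logon Process") == "Advapi" and ev.get("Caller Process ID", "-") != "-":
        return "smtp-log"  # Advapi via inetinfo.exe (SMTP AUTH): the IP is in the SMTP log
    return "unknown"

def smtp_auth_clients(log):
    """Client IPs that issued AUTH in the SMTP log, mapped to the EHLO names they used."""
    clients = {}
    for f in (line.split() for line in log.splitlines()):
        if len(f) > 8 and f[8] == "AUTH":
            clients.setdefault(f[2], set()).add(f[3])
    return clients

def triage(sec_text, smtp_text):
    """Per event: (user name tried, where the source lives, candidate client IPs)."""
    auth_ips, report = sorted(smtp_auth_clients(smtp_text)), []
    for ev in parse_529(sec_text):
        loc = source_location(ev)
        ips = {"event": [ev["Source Network Address"]], "smtp-log": auth_ips}.get(loc, [])
        report.append((ev["User Name"], loc, ips))
    return report
```

Events tagged "smtp-log" are the ones worth cross-checking against the AUTH clients in the SMTP log before blocking anything at the firewall.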
BRM1980 wrote: Finally found the issue with the help from another forum and a co-worker. The issue is someone trying to authenticate to the server to relay mail. I increased SMTP logging to find the IP's it was coming from and found the following information:
The following is the process used to create the failure audits on the attacker's side.
C:\> telnet mail.mydomain.com 25
ehlo mydomain.com
auth login (this is SMTP AUTH encrypted).
334 VXNlcm5hbWU6 (output from server)
Ymx1dWVuY29kZWQ= (Base64 encoded username see below.)
334 UGFzc3dvcmQ6 (output from server)
Ok, I don't understand one thing: if I see in the Security Event that the Caller Process ID is inetinfo (I was expecting connections/logins via RWW or OWA), so how is it connected with telnet, which is used to log in via SMTP???
- This bit us as well. We are using a 3rd party mail filtering system and port 25 was SUPPOSED to be locked down to the filter company's addresses. Apparently it was removed and we received a weak password attack as well.
Without the IP address and/or ANY log file to trace, we could not have found where this was coming from either. Thank goodness for this thread!
I completely agree with TAZbiker though. Any connection requesting any type of authentication on a Windows network (or even local) should absolutely have its IP address logged. Especially with a service that has traditionally been known to introduce security issues in the past (SMTP servers).
If anyone can point me to the logfile where these attempts are logged, I'd appreciate it!
- Shouldn't they be in the regular IIS logs?
Regards, MS
- I'm having a similar problem.
Daily I find logs of attempted access.
I have no idea how to prevent it. I have blocked those external IPs on the firewall. But the next day the attempting IP is different.
I'm running SBS 2003 SP2 with Trend Micro CSM.
Any advice?
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 5/13/2009
Time: 5:23:36 PM
User: NT AUTHORITY\SYSTEM
Computer: MyDOmain
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator
Domain: MY IP
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: 29A12CE220AF49C
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 220.196.42.51
Source Port: 3069
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 5/13/2009
Time: 11:35:22 AM
User: NT AUTHORITY\SYSTEM
Computer: MyDOmain
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator
Domain: MyDomain
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: MYServerName
Caller User Name: MyServerName$
Caller Domain: MyDomain
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 540
Transited Services: -
Source Network Address: 83.218.208.145
Source Port: 4061
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 5/13/2009
Time: 8:48:22 AM
User: NT AUTHORITY\SYSTEM
Computer: MyDOmain
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator
Domain: MY IP
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: CCC-97B5FE1B195
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 125.65.112.204
Source Port: 2482
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 5/11/2009
Time: 11:55:30 AM
User: NT AUTHORITY\SYSTEM
Computer: MyDOmain
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: cface
Domain: USER-827DB2E46C
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: USER-827DB2E46C
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 218.111.43.169
Source Port: 1605
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 5/11/2009
Time: 11:55:21 AM
User: NT AUTHORITY\SYSTEM
Computer: MyDOmain
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: new
Domain: USER-827DB2E46C
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: USER-827DB2E46C
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 218.111.43.169
Source Port: 1529
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 5/11/2009
Time: 7:46:57 AM
User: NT AUTHORITY\SYSTEM
Computer: MyDOmain
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: cface
Domain: PC-HOST
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: PC-HOST
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 218.111.43.169
Source Port: 1067
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 5/11/2009
Time: 6:37:49 AM
User: NT AUTHORITY\SYSTEM
Computer: MyDOmain
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: PC-HOST
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: PC-HOST
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 218.111.43.169
Source Port: 1640
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 5/9/2009
Time: 7:20:55 PM
User: NT AUTHORITY\SYSTEM
Computer: MyDOmain
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: PC-05
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: PC-05
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 218.111.43.169
Source Port: 4947
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Carl Shahan,
You raised the question and there have been many posts added. Is your issue still there or shall we move this on, as there have been no further updates since May?
Keith
Moderator