It looks as though my DC / Exchange server was hit with a brute force attack on Saturday. I have approx 200 hits (not many) that all look like the 1st example below.
Tennis was the bogus username, along with other common names, which makes me think the attacker got the password dictionary file and the username file mixed up?
I would like to know how the attack took place?
The server room is locked.
The firewall is locked down only allowing port 25 into the exchange server.
The logs on the firewall show no unusual activity during the attack window.
IIS printing is unavailable on the server.
OWA is available on the server.
The default home page for IIS is under construction (a little weak there).
What I've gleaned from the net is:
Logon type 3 - is a network logon attempt
Logon Process advapi - is an attempt to access through IIS or through a file share or a shared printer
Workstation Name - from the brute force was my Server MMS
Caller Domain - from the brute force was my Domain
1st Example - real logged entry of an attempt to access my server.
Logon Failure:
Reason: Unknown user name or bad password
User Name: Tennis
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: MMS
Caller User Name: MMS$
Caller Domain: MMSDC
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 2068
Transited Services: -
Source Network Address: -
Source Port: -
---- End 1st example
Now I have tried to duplicate a similar Logon Type 3 and Logon Process advapi with the following scenarios, without luck.
Scenario 1 - attempt to log on to a domain workstation where the username does not exist in Active Directory.
Reason: Unknown user name or bad password
User Name: testuser
Domain: VNEWBOX
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: VNEWBOX
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.1.251
Source Port: 0
Scenario 2 - attempt to access OWA with an unknown username and password.
Logon Failure:
Reason: Unknown user name or bad password
User Name: owa2
Domain: MMS
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: VNEWBOX
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.1.251
Source Port: 58269
Scenario 3 - attempt to connect to a file share with a non-existent username.
Logon Failure:
Reason: Unknown user name or bad password
User Name: theman
Domain: VNEWBOX
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: VNEWBOX
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.1.251
Source Port: 0
Once again, how can I duplicate the failed logon attempt in the 1st example?
Thank you,
Graham
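The three scenarios above all produce NtLmSsp failures with a real Source Network Address, while the 1st example is an Advapi failure whose Caller fields point back at the server itself. A small triage script makes that distinction visible across a few hundred events. The following is an added example, not code from the original post: it parses the "Key: Value" event layout quoted above, groups failures by logon process, source address and caller PID, and flags records whose Caller Logon ID is (0x0,0x3E7), the well-known LUID of the LocalSystem logon session, meaning the logon was requested by a SYSTEM process on the server rather than arriving as a network NTLM exchange. The sample records in SAMPLE_EVENTS are constructed for illustration (the second username, "Golf", is invented); the helper names are this example's own.

```python
"""Triage helper for Windows 2000/2003-style 'Logon Failure' audit text.

Added example (not part of the original post). It parses the event body
layout quoted in the post and groups the failures so that a burst of
Advapi logons requested by LocalSystem (the post's 1st example) stands
out from ordinary NtLmSsp network failures (scenarios 1-3). All sample
records below are constructed for illustration.
"""
import re
from collections import Counter, defaultdict

SYSTEM_LOGON_ID = "(0x0,0x3E7)"  # well-known LUID of the LocalSystem logon session

# Constructed sample events in the same "Key: Value" layout as the post.
SAMPLE_EVENTS = """\
Logon Failure:
Reason: Unknown user name or bad password
User Name: Tennis
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: MMS
Caller User Name: MMS$
Caller Domain: MMSDC
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 2068
Transited Services: -
Source Network Address: -
Source Port: -
Logon Failure:
Reason: Unknown user name or bad password
User Name: Golf
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: MMS
Caller User Name: MMS$
Caller Domain: MMSDC
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 2068
Transited Services: -
Source Network Address: -
Source Port: -
Logon Failure:
Reason: Unknown user name or bad password
User Name: owa2
Domain: MMS
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: VNEWBOX
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.1.251
Source Port: 58269
"""

# One "Key: Value" line; the value may be empty (e.g. a blank 'Domain:').
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_events(text):
    """Split audit text into one dict per 'Logon Failure:' record."""
    events, current = [], None
    for line in text.splitlines():
        if line.strip() == "Logon Failure:":
            current = {}
            events.append(current)
            continue
        m = FIELD_RE.match(line)
        if current is not None and m:
            current[m.group(1)] = m.group(2)
    return events


def is_local_system_caller(ev):
    """True when the logon was requested through Advapi by a process running
    as LocalSystem on the server itself, not via a network NTLM exchange."""
    return (ev.get("Logon Process", "").lower() == "advapi"
            and ev.get("Caller Logon ID") == SYSTEM_LOGON_ID)


def summarize(events):
    """Group failures by (logon process, source address, caller PID) and
    collect the distinct user names tried in each group."""
    groups = defaultdict(lambda: {"count": 0, "users": set()})
    for ev in events:
        key = (ev.get("Logon Process", "?"),
               ev.get("Source Network Address", "-"),
               ev.get("Caller Process ID", "-"))
        groups[key]["count"] += 1
        groups[key]["users"].add(ev.get("User Name", ""))
    return {k: {"count": v["count"], "users": sorted(v["users"])}
            for k, v in groups.items()}


def local_caller_pids(events):
    """Caller PIDs that issued failed Advapi logons as LocalSystem; these are
    the processes to identify on the server (e.g. with tasklist)."""
    return Counter(ev.get("Caller Process ID", "-")
                   for ev in events if is_local_system_caller(ev))


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for key, info in summarize(evs).items():
        print(key, info["count"], info["users"])
    print("LocalSystem Advapi callers:", dict(local_caller_pids(evs)))
```

Run it against the exported security log text in place of SAMPLE_EVENTS. The Advapi group carries no source address, so the Caller Process ID is the only lead the event itself gives: matching that PID against the running processes on the server (while the PID is still current) tells you which service made the LogonUser calls.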