Solved

Windows 2003 Under Attack

Posted on 2006-06-20
Last Modified: 2013-12-04
I have a Windows 2003 Server under attack.
Something is trying to log into the computer.
Looking at the event log, several computers (different) and not on my domain are trying over and over again to log into accounts that they shouldn't even know about.

Logon Failure:
       Reason:            Account locked out
       User Name:      supplies
       Domain:      SAKUMA-DQ19P9SO
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      SAKUMA-DQ19P9SO
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -
       Source Network Address:      218.231.247.128
       Source Port:      0


Here is an example
I have security set to lock out accounts after 5 tries. I'm using strong passwords, but this user's account is going to get hit thousands of times.

In my router, I think I have blocked all ports from 1800 to 50000.  This worked for about 4 hours and then the hits came back.

If I unplug the router from the Internet, the login attempts stop.

Give me some advice. I've been at this for two days now.

Harry
Question by:HDWILKINS
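A defender-side way to triage records like the ones quoted above, as an added example that is not part of the question or of any answer in this thread: it parses the "Logon Failure" text into records, groups them by Source Network Address, and flags a source that either trips the 5-try lockout policy or cycles through several account names. The internal host 192.168.1.20 and the user names "harry" and "admin" are constructed; the two external addresses and the "supplies"/"management" names are the ones the thread shows.

```python
"""Added example (not the thread's code): parse Windows 2003 'Logon Failure' audit
text and rank source addresses by failures and by how many accounts they try."""
import re
from collections import defaultdict

LOCKOUT_THRESHOLD = 5  # the asker's policy: lock out after 5 failed tries

RECORD = """Logon Failure:
       Reason:            {reason}
       User Name:      {user}
       Logon Type:      3
       Workstation Name:      {host}
       Source Network Address:      {ip}
"""
# Constructed sample: the two sources quoted in the question, plus one internal
# host (192.168.1.20, 'harry' and 'admin' are made up) that only mistyped once.
BAD = "Unknown user name or bad password"
SAMPLE_EVENTS = [(BAD, "supplies", "SAKUMA-DQ19P9SO", "218.231.247.128")] * 4 + [
    ("Account locked out", "supplies", "SAKUMA-DQ19P9SO", "218.231.247.128"),
    (BAD, "management", "POSEIDON", "64.239.142.46"),
    (BAD, "harry", "POSEIDON", "64.239.142.46"),
    (BAD, "admin", "POSEIDON", "64.239.142.46"),
    (BAD, "harry", "OFFICE-PC", "192.168.1.20"),
]
SAMPLE_LOG = "".join(RECORD.format(reason=r, user=u, host=h, ip=i) for r, u, h, i in SAMPLE_EVENTS)
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+):\s*(.*?)\s*$", re.M)

def parse_events(text):
    """Split on the 'Logon Failure:' header; return one {field: value} dict per record."""
    events = []
    for chunk in text.split("Logon Failure:")[1:]:
        fields = {k.strip(): v for k, v in FIELD_RE.findall(chunk)}
        if "Source Network Address" in fields:   # skip truncated records
            events.append(fields)
    return events

def summarize_by_source(events, threshold=LOCKOUT_THRESHOLD):
    """Per source IP: failure count, distinct accounts tried, lockouts, and a flag for
    one address cycling through several accounts or making enough tries to trip lockout."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev.get("Logon Type") == "3":           # network logons only, as in the thread
            by_ip[ev["Source Network Address"]].append(ev)
    report = {}
    for ip, evs in by_ip.items():
        users = sorted({e.get("User Name", "").lower() for e in evs})
        lockouts = sum(e.get("Reason", "").startswith("Account locked out") for e in evs)
        report[ip] = {"failures": len(evs), "users": users, "lockouts": lockouts,
                      "suspicious": len(evs) >= threshold or len(users) >= 3}
    return report
```

Run it against text exported from the Security event log (or against SAMPLE_LOG) and the report shows, per address, whether the pattern is a single typo or a guessing run worth blocking at the router.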
15 Comments
 
LVL 32

Expert Comment

by:r-k
ID: 16948741
Logon type 3 is a Network Logon (file and printer sharing). Have you considered closing the following ports:

 TCP ports 139 and 445
 UDP ports 137 and 138

LVL 10

Author Comment

by:HDWILKINS
ID: 16948814
Just blocked these ports but no joy. Still getting the logons.

Logon Failure:
       Reason:            Account locked out
       User Name:      management
       Domain:      POSEIDON
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      POSEIDON
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -
       Source Network Address:      64.239.142.46
       Source Port:      0

LVL 10

Author Comment

by:HDWILKINS
ID: 16948827
Locked out those ports in two separate rules, one to the entire network and the second to the server. No joy.
LVL 32

Accepted Solution

by: r-k (earned 500 total points)
ID: 16948840
You might want to run a network monitoring program, e.g. ethereal (http://www.ethereal.com/) and run it on your server. It should quickly identify who is connecting and on what port.

Interesting that the two sample IPs you posted above are different. Are you finding lots of different IPs, or just a few?
LVL 10

Author Comment

by:HDWILKINS
ID: 16948860
About 4 IPs. I'm downloading ethereal now.
LVL 10

Author Comment

by:HDWILKINS
ID: 16948870
Most of the traffic is from POSEIDON at that IP, but there are several others.
LVL 10

Author Comment

by:HDWILKINS
ID: 16948878
This thing knows all my users' logins...
LVL 32

Expert Comment

by:r-k
ID: 16948886
I was also noticing that the usernames "supplies" and "management" are pretty generic. They are likely just guesses rather than any inside knowledge of your server. The two IPs are in Japan and Europe apparently, probably infected PCs where the owner is unaware.

If you find out with ethereal what ports are being targeted you can close them, though between having long passwords and a login time-out you are not in any great danger as far as I can tell.

Do post an update. Thanks.
LVL 10

Author Comment

by:HDWILKINS
ID: 16948899
Those happen to be actual accounts. But it has also tried with my username as well as the other actual people that work here. I am looking at an ethereal report now.

Server is talking to 78.174.16.144 on port 22120
Inbound from same IP on port 65222
LVL 10

Author Comment

by:HDWILKINS
ID: 16948906
Wow, I can't believe what I am looking at.

LVL 10

Author Comment

by:HDWILKINS
ID: 16948921
Blocking port 65222 worked for a minute. Going to block 1800 to 99999.
LVL 10

Author Comment

by:HDWILKINS
ID: 16948926
No joy.
LVL 32

Expert Comment

by:r-k
ID: 16948936
You might also check what ports are currently open on your server as follows:

From a command prompt:

 > netstat -ab

(or "netstat -ab > list.txt" to save to a file)

Also download TCPView from http://www.sysinternals.com/Utilities/TcpView.html. It gives you information similar to netstat, but updates every second.
LVL 28

Expert Comment

by:Michael Pfister
ID: 16949686
I think blocking single or groups of ports won't help. Just go the other way round:
Block everything, just open the ports absolutely needed to be accessible from the internet, i.e. http 80 if there is a web server, and so on.

Also, the firewalls available in routers are not very granular, so if you need further security I'd recommend a full-grown firewall appliance like WatchGuard or Sonic or Checkpoint or ... They offer stateful inspection, meaning you can not only open/block ports but also restrict the traffic to, let's say, http or ftp or whatever you need.
LVL 10

Author Comment

by:HDWILKINS
ID: 17046478
I've awarded points to R-K because ethereal was the most helpful suggestion I received in this thread. We're under attack again today and I'm going to post a new question about that.

Thanks