Windows 2003 Under Attack

I have a Windows 2003 Server under attack.
Something is trying to log into the computer.
Looking at the event log, several computers (different) and not on my domain are trying over and over again to log into accounts that they shouldn't even know about.

Logon Failure:
       Reason:            Account locked out
       User Name:      supplies
       Domain:      SAKUMA-DQ19P9SO
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      SAKUMA-DQ19P9SO
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -
       Source Network Address:      218.231.247.128
       Source Port:      0


Here is an example. I have security to lock out accounts after 5 tries. I'm using strong passwords, but this user's account is going to get hit thousands of times.

In my router, I think I have blocked all ports from 1800 to 50000.  This worked for about 4 hours and then the hits came back.

If I unplug the router from the Internet, the login attempts stop.

Give me some advice.  I've been at this for two days now.

Harry
HDWILKINS (LVL 10) Asked:
r-k Commented:
You might want to run a network monitoring program, e.g. ethereal (http://www.ethereal.com/) and run it on your server. It should quickly identify who is connecting and on what port.

Interesting that the two sample IPs you posted above are different. Are you finding lots of different IPs, or just a few?
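The audit records quoted in this thread can be triaged automatically rather than read one by one. As an added example (not code from the thread or its participants), this Python script parses records in the "Logon Failure" layout posted above, groups them by Source Network Address, and flags remote (Logon Type 3) sources that are cycling through account names or approaching the 5-try lockout; the sample records, hosts and IPs are constructed.

```python
from collections import defaultdict

# Constructed sample in the Windows 2003 "Logon Failure" audit layout quoted above
# (hosts and IPs are hypothetical, not from the thread).
SAMPLE_LOG = """\
Logon Failure:
       User Name:      supplies
       Domain:      WS-GUESSER
       Logon Type:      3
       Workstation Name:      WS-GUESSER
       Source Network Address:      198.51.100.7
Logon Failure:
       User Name:      management
       Domain:      WS-GUESSER
       Logon Type:      3
       Workstation Name:      WS-GUESSER
       Source Network Address:      198.51.100.7
Logon Failure:
       User Name:      harry
       Domain:      MYDOMAIN
       Logon Type:      2
       Workstation Name:      SERVER01
       Source Network Address:      10.0.0.5
"""

def parse_failures(text):
    """Return one {field: value} dict per 'Logon Failure:' record."""
    records = []
    for line in text.splitlines():
        if line.startswith("Logon Failure:"):
            records.append({})
        elif records and ":" in line:
            key, _, value = line.partition(":")
            records[-1][key.strip()] = value.strip()
    return records

def summarize(records):
    """Group failures by source IP; note network logons (type 3) and callers
    whose Domain field is their own workstation name rather than this domain."""
    by_src = defaultdict(lambda: {"attempts": 0, "users": set(), "network": False, "foreign": False})
    for r in records:
        s = by_src[r.get("Source Network Address", "?")]
        s["attempts"] += 1
        s["users"].add(r.get("User Name", ""))
        s["network"] |= r.get("Logon Type") == "3"
        s["foreign"] |= r.get("Domain", "") == r.get("Workstation Name")
    return by_src

def suspects(by_src, lockout_threshold=5):
    """Remote (type 3) sources near the lockout threshold or cycling through accounts."""
    return sorted(ip for ip, s in by_src.items()
                  if s["network"] and (s["attempts"] >= lockout_threshold or len(s["users"]) > 1))
```

Feed it a saved copy of the Security log export (the same record layout as above) and the `suspects` list is what you block at the router or firewall first.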
 
r-k Commented:
Logon type 3 is a Network Logon (file and printer sharing). Have you considered closing the following ports:

 TCP ports 139 and 445
 UDP ports 137 and 138

 
HDWILKINS (Author) Commented:
Just blocked these ports but no joy. Still getting the logons.

Logon Failure:
       Reason:            Account locked out
       User Name:      management
       Domain:      POSEIDON
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      POSEIDON
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -
       Source Network Address:      64.239.142.46
       Source Port:      0

HDWILKINS (Author) Commented:
Locked out those ports in two separate rules, one to the entire network and the second to the server. No Joy.
 
HDWILKINS (Author) Commented:
About 4 IPs. I'm downloading ethereal now.
 
HDWILKINS (Author) Commented:
Most of the traffic is from POSEIDON and at that IP, but there are several others.
 
HDWILKINS (Author) Commented:
This thing knows all my users' logins...
 
r-k Commented:
I was also noticing that the usernames "supplies" and "management" are pretty generic. They are likely just guesses rather than any inside knowledge of your server. The two IPs are in Japan and Europe apparently, probably infected PCs where the owner is unaware.

If you find out with ethereal what ports are being targeted you can close them, though between having long passwords and a login time-out you are not in any great danger as far as I can tell.

Do post an update. Thanks.
 
HDWILKINS (Author) Commented:
Those happen to be actual accounts.  But it has also tried with my username as well as the other actual people that work here.  I am looking at an ethereal report now.  

Server is talking to 78.174.16.144 on port 22120
Inbound from same IP on port 65222
 
HDWILKINS (Author) Commented:
Wow, I can't believe what I am looking at.

 
HDWILKINS (Author) Commented:
Blocking port 65222 worked for a minute. Going to block 1800 to 99999.
 
HDWILKINS (Author) Commented:
No Joy
 
r-k Commented:
You might also check what ports are currently open on your server as follows:

From a command prompt:

 > netstat -ab

(or "netstat -ab > list.txt" to save to a file)

Also download TCPView from http://www.sysinternals.com/Utilities/TcpView.html. It gives you information similar to netstat, but updates every second.
 
Michael Pfister Commented:
I think blocking single or groups of ports won't help. Just go the other way round:
Block everything, just open the ports absolutely needed to be accessible from the internet, i.e. http 80 if there is a web server, and so on.

Also, the firewalls available in routers are not very granular, so if you need further security I'd recommend a full-grown firewall appliance like WatchGuard or Sonic or Checkpoint or ... they offer stateful inspection, meaning you can not only open/block ports but also restrict the traffic to, let's say, http or ftp or whatever you need.
 
HDWILKINS (Author) Commented:
I've awarded points to R-K because ethereal was the most helpful suggestion I received in this thread.  We're under attack again today and I'm going to post a new question about that.

Thanks