Solved

Windows 2003 Under Attack

Posted on 2006-06-20
15
402 Views
Last Modified: 2013-12-04
I have a Windows 2003 Server under attack.
Something is trying to log into the computer.
Looking at the event log, several computers (different) and not on my domain are trying over and over again to log into accounts that they shouldn't even know about.

Logon Failure:
       Reason:            Account locked out
       User Name:      supplies
       Domain:      SAKUMA-DQ19P9SO
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      SAKUMA-DQ19P9SO
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -
       Source Network Address:      218.231.247.128
       Source Port:      0


Here is an example
I have security to lock out accounts after 5 tries.  Using strong passwords but this user's account is going to get hit thousands of times.

In my router, I think I have blocked all ports from 1800 to 50000.  This worked for about 4 hours and then the hits came back.

If I unplug the router from the Internet, the login attempts stop.

Give me some advice.  I've been at this for two days now.

Harry
Question by:HDWILKINS
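Added here as an illustration (not part of the original thread): a small Python script that parses a text export of the Windows 2003 Security log in the "Logon Failure:" layout quoted above and tallies type-3 NTLM failures per source address, so the few noisy sources and the accounts they have already locked out stand out. The sample entries are constructed; only the two source IPs and workstation names come from the thread, while the counts, the "jdoe" account and the bad-password reason are made up.

```python
import re
from collections import Counter, defaultdict

def entry(user, ws, ip, reason="Account locked out"):
    """Build one 'Logon Failure' block in the layout of the Security log
    export quoted in the thread (constructed sample data)."""
    return (f"Logon Failure:\n       Reason:            {reason}\n"
            f"       User Name:      {user}\n       Domain:      {ws}\n"
            f"       Logon Type:      3\n       Logon Process:      NtLmSsp\n"
            f"       Authentication Package:      NTLM\n"
            f"       Workstation Name:      {ws}\n       Caller User Name:      -\n"
            f"       Source Network Address:      {ip}\n       Source Port:      0\n\n")

# Constructed sample: IPs and workstation names from the thread; counts,
# the "jdoe" account and the bad-password reason are made up for this example.
SAMPLE_LOG = ("".join(entry("supplies", "SAKUMA-DQ19P9SO", "218.231.247.128") for _ in range(6))
              + "".join(entry("management", "POSEIDON", "64.239.142.46",
                              "Unknown user name or bad password") for _ in range(3))
              + entry("jdoe", "POSEIDON", "64.239.142.46", "Unknown user name or bad password"))

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")

def parse_failures(text):
    """Split an exported Security-log text dump into one dict per Logon Failure block."""
    events = []
    for block in re.split(r"(?m)^Logon Failure:\s*$", text):
        fields = {m.group(1).strip(): m.group(2)
                  for m in map(FIELD.match, block.splitlines()) if m}
        if "Source Network Address" in fields:
            events.append(fields)
    return events

def summarize(events, threshold=5):
    """Per source IP: number of NTLM network (type 3) failures, accounts tried,
    accounts already locked out, and whether the source reached `threshold`
    (5 here, matching a 5-try lockout policy) and is worth blocking upstream."""
    by_ip = defaultdict(Counter)
    locked = defaultdict(set)
    for e in events:
        if e.get("Logon Type") != "3" or e.get("Logon Process") != "NtLmSsp":
            continue
        ip = e["Source Network Address"]
        by_ip[ip][e["User Name"]] += 1
        if e.get("Reason") == "Account locked out":
            locked[ip].add(e["User Name"])
    return {ip: {"failures": sum(users.values()), "accounts": sorted(users),
                 "locked_out": sorted(locked[ip]), "noisy": sum(users.values()) >= threshold}
            for ip, users in by_ip.items()}

def noisy_sources(report):
    """Source IPs at or above the threshold, most failures first."""
    return sorted((ip for ip, r in report.items() if r["noisy"]),
                  key=lambda ip: -report[ip]["failures"])
```

Run `summarize(parse_failures(SAMPLE_LOG))` on a real export (Event Viewer, save as text) to get the per-source breakdown; `noisy_sources` gives the address list to feed into router or firewall block rules.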
15 Comments
 
LVL 32

Expert Comment

by:r-k
ID: 16948741
Logon type 3 is a Network Logon (file and printer sharing). Have you considered closing the following ports:

 TCP ports 139 and 445
 UDP ports 137 and 138

LVL 10

Author Comment

by:HDWILKINS
ID: 16948814
Just blocked these ports but no joy.  Still getting the logons

Logon Failure:
       Reason:            Account locked out
       User Name:      management
       Domain:      POSEIDON
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      POSEIDON
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -
       Source Network Address:      64.239.142.46
       Source Port:      0

LVL 10

Author Comment

by:HDWILKINS
ID: 16948827
Locked out those ports in two separate rules, one to the entire network and the second to the server.  No Joy
LVL 32

Accepted Solution

by: r-k earned 500 total points
ID: 16948840
You might want to run a network monitoring program, e.g. ethereal (http://www.ethereal.com/) and run it on your server. It should quickly identify who is connecting and on what port.

Interesting that the two sample IPs you posted above are different. Are you finding lots of different IPs, or just a few?
LVL 10

Author Comment

by:HDWILKINS
ID: 16948860
About 4 IPs.  I'm downloading ethereal now.
LVL 10

Author Comment

by:HDWILKINS
ID: 16948870
Most of the traffic is from POSEIDON and at that IP but there are several others
LVL 10

Author Comment

by:HDWILKINS
ID: 16948878
This thing knows all my users' logins...
LVL 32

Expert Comment

by:r-k
ID: 16948886
I was also noticing that the usernames "supplies" and "management" are pretty generic. They are likely just guesses rather than any inside knowledge of your server. The two IPs are in Japan and Europe apparently, probably infected PCs where the owner is unaware.

If you find out with ethereal what ports are being targeted you can close them, though between having long passwords and a login time-out you are not in any great danger as far as I can tell.

Do post an update. Thanks.
LVL 10

Author Comment

by:HDWILKINS
ID: 16948899
Those happen to be actual accounts.  But it has also tried with my username as well as the other actual people that work here.  I am looking at an ethereal report now.

Server is talking to 78.174.16.144 on port 22120
Inbound from same IP on port 65222
LVL 10

Author Comment

by:HDWILKINS
ID: 16948906
Wow, I can't believe what I am looking at.

LVL 10

Author Comment

by:HDWILKINS
ID: 16948921
Blocking port 65222 worked for a minute.  Going to block 1800 to 99999
LVL 10

Author Comment

by:HDWILKINS
ID: 16948926
No Joy
LVL 32

Expert Comment

by:r-k
ID: 16948936
You might also check what ports are currently open on your server as follows:

From a command prompt:

 > netstat -ab

(or "netstat -ab > list.txt" to save to a file)

Also download TCPview from http://www.sysinternals.com/Utilities/TcpView.html It gives you information similar to netstat, but updates every second.
LVL 28

Expert Comment

by:Michael Pfister
ID: 16949686
I think blocking single or groups of ports won't help. Just go the other way round:
Block everything, just open the ports absolutely needed to be accessible from the internet, i.e. http 80 if there is a web server, and so on.

Also the firewalls available in routers are not very granular, so if you need further security I'd recommend a full grown firewall appliance like WatchGuard or Sonic or Checkpoint or ... they offer stateful inspection, meaning you can not only open/block ports but also restrict the traffic to let say http or ftp or whatever you need.
LVL 10

Author Comment

by:HDWILKINS
ID: 17046478
I've awarded points to R-K because ethereal was the most helpful suggestion I received in this thread.  We're under attack again today and I'm going to post a new question about that.

Thanks