Solved

Windows 2003 Under Attack

Posted on 2006-06-20
404 Views
Last Modified: 2013-12-04
I have a Windows 2003 Server under attack.
Something is trying to log into the computer.
Looking at the event log, several computers (different) and not on my domain are trying over and over again to log into accounts that they shouldn't even know about.

Logon Failure:
       Reason:            Account locked out
       User Name:      supplies
       Domain:      SAKUMA-DQ19P9SO
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      SAKUMA-DQ19P9SO
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -
       Source Network Address:      218.231.247.128
       Source Port:      0


Here is an example
I have security to lock out accounts after 5 tries.  Using strong passwords but this user's account is going to get hit thousands of times.

In my router, I think I have blocked all ports from 1800 to 50000.  This worked for about 4 hours and then the hits came back.

If I unplug the router from the Internet, the login attempts stop.

Give me some advice.  I've been at this for two days now.

Harry
0
Question by:HDWILKINS
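The question shows the raw audit entries but not how to get from a few hundred of them to a short list of offending sources and the accounts about to lock out. The script below is an added example, not code from the thread: it parses entries in the text layout quoted above, counts failures per source address and per account, and flags sources outside private address space and accounts that have reached the 5-try lockout threshold the question describes. The sample events are constructed; the two external addresses are the ones quoted in the thread, while "jdoe", "CORP" and 192.168.1.20 are placeholders.

```python
"""Aggregate Windows 2003 'Logon Failure' audit entries by source address and account."""
import ipaddress
import re
from collections import Counter, defaultdict

LOCKOUT_THRESHOLD = 5  # the questioner's policy: lock the account after 5 failed tries

# One audit entry in the layout the thread shows (Workstation Name equals Domain,
# which is what you see when the caller is not a member of your domain).
ENTRY_TEMPLATE = """\
Logon Failure:
       Reason:            {reason}
       User Name:      {user}
       Domain:      {domain}
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      {domain}
       Caller User Name:      -
       Source Network Address:      {ip}
       Source Port:      0
"""

# Constructed sample: (reason, account, domain/workstation, source address)
SAMPLE_EVENTS = (
    [("Account locked out", "supplies", "SAKUMA-DQ19P9SO", "218.231.247.128")] * 5
    + [("Unknown user name or bad password", "management", "POSEIDON", "64.239.142.46")] * 3
    + [("Unknown user name or bad password", "jdoe", "POSEIDON", "64.239.142.46")] * 2
    + [("Unknown user name or bad password", "jdoe", "CORP", "192.168.1.20")]  # internal typo
)
SAMPLE_LOG = "\n".join(
    ENTRY_TEMPLATE.format(reason=r, user=u, domain=d, ip=i) for r, u, d, i in SAMPLE_EVENTS
)

FIELD_RE = re.compile(r"^[ \t]*([A-Za-z][A-Za-z ]*?):[ \t]*(.*?)[ \t]*$", re.MULTILINE)


def parse_logon_failures(text):
    """Return one dict of field -> value per 'Logon Failure:' block in the text."""
    entries = []
    for block in re.split(r"(?m)^Logon Failure:[ \t]*$", text):
        fields = dict(FIELD_RE.findall(block))
        if "User Name" in fields:          # skips the empty chunk before the first block
            entries.append(fields)
    return entries


def summarize(entries):
    """Count failures per source address (broken down by account) and per account."""
    by_source = defaultdict(Counter)
    by_account = Counter()
    for e in entries:
        account = e.get("User Name", "-").lower()
        by_source[e.get("Source Network Address", "-")][account] += 1
        by_account[account] += 1
    return by_source, by_account


def external_sources(by_source):
    """Source addresses routable on the Internet (not RFC 1918 or otherwise reserved)."""
    result = []
    for ip in by_source:
        try:
            if ipaddress.ip_address(ip).is_global:
                result.append(ip)
        except ValueError:                 # '-' or a hostname rather than an address
            continue
    return sorted(result)


def accounts_at_risk(by_account, threshold=LOCKOUT_THRESHOLD):
    """Accounts whose failure count has reached the lockout threshold."""
    return sorted(a for a, n in by_account.items() if n >= threshold)


if __name__ == "__main__":
    entries = parse_logon_failures(SAMPLE_LOG)
    by_source, by_account = summarize(entries)
    print("failed logons per external source:")
    for ip in external_sources(by_source):
        print(f"  {ip}: {sum(by_source[ip].values())} attempts, accounts {dict(by_source[ip])}")
    print("accounts at the lockout threshold:", accounts_at_risk(by_account))
```

The per-source breakdown is the list to hand to the router; the per-account count shows which real accounts are being locked out by the guessing, which matters more than the guesses themselves once the passwords are strong.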
15 Comments
 
LVL 32

Expert Comment

by:r-k
ID: 16948741
Logon type 3 is a Network Logon (file and printer sharing). Have you considered closing the following ports:

 TCP ports 139 and 445
 UDP ports 137 and 138

0
 
LVL 10

Author Comment

by:HDWILKINS
ID: 16948814
Just blocked these ports but no joy.  Still getting the logons

Logon Failure:
       Reason:            Account locked out
       User Name:      management
       Domain:      POSEIDON
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      POSEIDON
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -
       Source Network Address:      64.239.142.46
       Source Port:      0

0
 
LVL 10

Author Comment

by:HDWILKINS
ID: 16948827
Locked out those ports in two separate rules, one to the entire network and the second to the server.  No Joy
0
 
LVL 32

Accepted Solution

by:
r-k earned 500 total points
ID: 16948840
You might want to run a network monitoring program, e.g. ethereal (http://www.ethereal.com/) and run it on your server. It should quickly identify who is connecting and on what port.

Interesting that the two sample IPs you posted above are different. Are you finding lots of different IPs, or just a few?
0
 
LVL 10

Author Comment

by:HDWILKINS
ID: 16948860
About 4 IPs.  I'm downloading ethereal now.
0
 
LVL 10

Author Comment

by:HDWILKINS
ID: 16948870
Most of the traffic is from POSEIDON and at that IP but there are several others
0
 
LVL 10

Author Comment

by:HDWILKINS
ID: 16948878
This thing knows all my users logins...  
0

 
LVL 32

Expert Comment

by:r-k
ID: 16948886
I was also noticing that the usernames "supplies" and "management" are pretty generic. They are likely just guesses rather than any inside knowledge of your server. The two IPs are in Japan and Europe apparently, probably infected PCs where the owner is unaware.

If you find out with ethereal what ports are being targeted you can close them, though between having long passwords and a login time-out you are not in any great danger as far as I can tell.

Do post an update. Thanks.
0
 
LVL 10

Author Comment

by:HDWILKINS
ID: 16948899
Those happen to be actual accounts.  But it has also tried with my username as well as the other actual people that work here.  I am looking at an ethereal report now.  

Server is talking to 78.174.16.144 on port 22120
Inbound from same IP on port 65222
0
 
LVL 10

Author Comment

by:HDWILKINS
ID: 16948906
Wow, I can't believe what I am looking at.

0
 
LVL 10

Author Comment

by:HDWILKINS
ID: 16948921
Blocking port 65222 worked for a minute.  Going to block 1800 to 99999
0
 
LVL 10

Author Comment

by:HDWILKINS
ID: 16948926
No Joy
0
 
LVL 32

Expert Comment

by:r-k
ID: 16948936
You might also check what ports are currently open on your server as follows:

From a command prompt:

 > netstat -ab

(or "netstat -ab > list.txt" to save to a file)

Also download TCPview from http://www.sysinternals.com/Utilities/TcpView.html It gives you information similar to netstat, but updates every second.
0
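Reading `netstat` output by eye works for a handful of lines; on a server under a steady stream of connections it helps to reduce it to two lists, what is listening and who is connected from outside. The script below is an added example, not from the thread or from Sysinternals: it reads the columns `netstat -an` prints on Windows (Proto, Local Address, Foreign Address, State) and reports listening ports plus established TCP connections whose peer is an Internet address. The sample output is constructed; 192.168.1.5 stands in for the server, and the remote addresses and ports are the ones quoted in the thread.

```python
"""Summarise Windows netstat output: listening ports and connections from outside."""
import ipaddress
import re

# Constructed sample in the layout of 'netstat -an' on Windows 2003.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:445        64.239.142.46:3921     ESTABLISHED
  TCP    192.168.1.5:445        192.168.1.20:1044      ESTABLISHED
  TCP    192.168.1.5:22120      78.174.16.144:65222    ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_endpoint(endpoint):
    """'64.239.142.46:3921' -> ('64.239.142.46', 3921); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return (proto, local_host, local_port, remote_host, remote_port, state) per connection line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # header, blank, or a program-name line added by -b
        proto, local, remote, state = m.groups()
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(remote)
        rows.append((proto, lhost, lport, rhost, rport, state or ""))
    return rows


def listening_ports(rows):
    """Ports the server accepts traffic on: TCP in LISTENING state plus every bound UDP socket."""
    return sorted({(p, lport) for p, _, lport, _, _, state in rows
                   if (p == "TCP" and state == "LISTENING") or p == "UDP"})


def is_internet_address(host):
    """True for a public address; False for private/reserved space and for '*' or '[::]'."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False


def external_connections(rows):
    """ESTABLISHED TCP connections whose peer is a public Internet address: (peer, peer port, local port)."""
    return sorted((rhost, rport, lport) for p, _, lport, rhost, rport, state in rows
                  if p == "TCP" and state == "ESTABLISHED" and is_internet_address(rhost))


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("listening:", listening_ports(rows))
    print("connected from the Internet:", external_connections(rows))
```

Run it against a saved `netstat -an > list.txt` and the second list is the set of peers to look at first; the first list is what the firewall must actually cover, which is usually shorter than the range of ports people try to block.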
 
LVL 28

Expert Comment

by:Michael Pfister
ID: 16949686
I think blocking single or groups of ports won't help. Just go the other way round:
Block everything, just open the ports absolutely needed to be accessible from the internet, i.e. http 80 if there is a web server, and so on.

Also the firewalls available in routers are not very granular, so if you need further security I'd recommend a full-grown firewall appliance like WatchGuard or Sonic or Checkpoint or ... they offer stateful inspection, meaning you can not only open/block ports but also restrict the traffic to, let's say, http or ftp or whatever you need.
0
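The difference between the two approaches in this thread, blocking ranges and single ports versus denying everything and opening only what is needed, is easy to see with a small rule-list model. The script below is an added example, not from the thread: an ordered first-match rule list with a default action, evaluated against inbound flows on the ports mentioned above (139, 445, 137/138, 22120, 65222) plus TCP/80 for a web server and one constructed high port, 51234, that nobody has blocked yet. Policies and flows are constructed; real router syntax differs and the model does no connection tracking, so it does not capture the stateful inspection the comment above mentions.

```python
"""Compare port-range blocking with a default-deny policy on a small rule-list model."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_PORT = 65535  # TCP and UDP ports are 16-bit; a rule "up to 99999" cannot be expressed


@dataclass(frozen=True)
class Rule:
    action: str                                # "allow" or "deny"
    proto: Optional[str] = None                # "tcp", "udp" or None for either
    ports: Optional[Tuple[int, int]] = None    # inclusive destination-port range, None for any

    def __post_init__(self):
        if self.action not in ("allow", "deny"):
            raise ValueError(f"bad action {self.action!r}")
        if self.ports and not (0 <= self.ports[0] <= self.ports[1] <= MAX_PORT):
            raise ValueError(f"port range {self.ports} is outside 0-{MAX_PORT}")

    def matches(self, proto, dport):
        if self.proto is not None and self.proto != proto:
            return False
        if self.ports is not None and not (self.ports[0] <= dport <= self.ports[1]):
            return False
        return True


@dataclass
class Policy:
    rules: List[Rule]                          # first match wins
    default: str                               # action when no rule matches

    def decide(self, proto, dport):
        for rule in self.rules:
            if rule.matches(proto, dport):
                return rule.action
        return self.default

    def evaluate(self, flows):
        """Map each (proto, dport) flow to the action taken."""
        return {flow: self.decide(*flow) for flow in flows}


# The approach tried in the thread: block ranges and specific ports, let everything else in.
RANGE_BLOCKING = Policy(
    rules=[
        Rule("deny", ports=(1800, 50000)),
        Rule("deny", "tcp", (139, 139)),
        Rule("deny", "tcp", (445, 445)),
        Rule("deny", "udp", (137, 138)),
        Rule("deny", "tcp", (65222, 65222)),
    ],
    default="allow",
)

# The approach recommended above: deny by default, allow only what must be reachable.
DEFAULT_DENY = Policy(rules=[Rule("allow", "tcp", (80, 80))], default="deny")

# Constructed inbound flows (proto, destination port) on the ports the thread mentions,
# plus 51234 as a stand-in for "the next port the attacker tries".
INBOUND_FLOWS = [("tcp", 139), ("tcp", 445), ("udp", 137), ("tcp", 22120), ("tcp", 65222),
                 ("tcp", 80), ("tcp", 51234)]


def allowed_inbound(policy, flows=INBOUND_FLOWS):
    """Flows the policy lets through, sorted for stable comparison."""
    return sorted(f for f, action in policy.evaluate(flows).items() if action == "allow")


if __name__ == "__main__":
    print("range blocking lets in:", allowed_inbound(RANGE_BLOCKING))
    print("default deny lets in:  ", allowed_inbound(DEFAULT_DENY))
```

With the range-blocking policy the unlisted port 51234 is still reachable after every port seen so far has been blocked, which is the "no joy" pattern above; under default deny only TCP/80 is. The port-range check in `Rule` also rejects a range ending at 99999, since port numbers stop at 65535.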
 
LVL 10

Author Comment

by:HDWILKINS
ID: 17046478
I've awarded points to R-K because ethereal was the most helpful suggestion I received in this thread.  We're under attack again today and I'm going to post a new question about that.

Thanks
0
