Solved

Windows 2003 Under Attack

Posted on 2006-06-20
15
409 Views
Last Modified: 2013-12-04
I have a Windows 2003 Server under attack.
Something is trying to log into the computer.
Looking at the event log, several computers (different) and not on my domain are trying over and over again to log into accounts that they shouldn't even know about.

Logon Failure:
       Reason:            Account locked out
       User Name:      supplies
       Domain:      SAKUMA-DQ19P9SO
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      SAKUMA-DQ19P9SO
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -
       Source Network Address:      218.231.247.128
       Source Port:      0


Here is an example
I have security to lock out accounts after 5 tries.  Using strong passwords but this user's account is going to get hit thousands of times.

In my router, I think I have blocked all ports from 1800 to 50000.  This worked for about 4 hours and then the hits came back.

If I unplug the router from the Internet, the login attempts stop.

Give me some advice.  I've been at this for two days now.

Harry
0
Comment
Question by:HDWILKINS
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 10
  • 4
15 Comments
 
LVL 32

Expert Comment

by:r-k
ID: 16948741
Logon type 3 is a Network Logon (file and printer sharing). Have you considered closing the following ports:

 TCP ports 139 and 445
 UDP ports 137 and 138

0
 
LVL 10

Author Comment

by:HDWILKINS
ID: 16948814
Just blocked these ports but no joy.  Still getting the logons

Logon Failure:
       Reason:            Account locked out
       User Name:      management
       Domain:      POSEIDON
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      POSEIDON
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -
       Source Network Address:      64.239.142.46
       Source Port:      0

0
 
LVL 10

Author Comment

by:HDWILKINS
ID: 16948827
Locked out those ports in two seperate rules, one to the entire network and the second to the server.  No Joy
0
Why You Need a DevOps Toolchain

IT needs to deliver services with more agility and velocity. IT must roll out application features and innovations faster to keep up with customer demands, which is where a DevOps toolchain steps in. View the infographic to see why you need a DevOps toolchain.

 
LVL 32

Accepted Solution

by:
r-k earned 500 total points
ID: 16948840
You might want to run a network monitoring program, e.g. ethereal (http://www.ethereal.com/) and run it on your server. It should quickly identify who is connecting and on what port.

Interesting that the two sample IP's you posted above are different. Are you finding lots of different IP's, or just a few?
0
 
LVL 10

Author Comment

by:HDWILKINS
ID: 16948860
About 4 IPs.  I'm downloadig ethereal now.
0
 
LVL 10

Author Comment

by:HDWILKINS
ID: 16948870
Most of the traffic is from POSEIDON and at that IP but there are several others
0
 
LVL 10

Author Comment

by:HDWILKINS
ID: 16948878
This thing knows all my users logins...  
0
 
LVL 32

Expert Comment

by:r-k
ID: 16948886
I was also noticing that the usernames "supplies" and "management" are pretty generic. They are likely just guesses rather than any inside knowledge of your server. The two IP's are in Japan and Europe apparently, probably infected PC's where the owner is unaware.

If you find out with ethereal what ports are being targeted you can close them, though between having long passwords and a login time-out you are not in any great danger as far as I can tell.

Do post an update. Thanks.
0
 
LVL 10

Author Comment

by:HDWILKINS
ID: 16948899
Those happen to be actual accounts.  But it has also tried with my username as well as the other actual people that work here.  I am looking at an ethereal report now.  

Server is talking to 78.174.16.144 on port 22120
Inbound from same IP on port 65222
0
 
LVL 10

Author Comment

by:HDWILKINS
ID: 16948906
Wow, I can't beliee what I am looking at.

0
 
LVL 10

Author Comment

by:HDWILKINS
ID: 16948921
Blocking port 65222 worked for a minute.  Going to block 1800 to 99999
0
 
LVL 10

Author Comment

by:HDWILKINS
ID: 16948926
No Joy
0
 
LVL 32

Expert Comment

by:r-k
ID: 16948936
You might also check what ports are currently open on your server as follows:

From a command prompt:

 > netstat -ab

(or "netstat -ab > list.txt" to save to a file)

Also download TCPview from http://www.sysinternals.com/Utilities/TcpView.html It gives you information similar to netstat, but updates every second.
0
 
LVL 28

Expert Comment

by:Michael Pfister
ID: 16949686
I think blocking single or groups of ports won't help. Just go the other way round:
Block everything, just open the ports absolutely needed to be accessible from the internet, i.e. http 80 if there is a web server, and so on.

Also the firewalls available in routers are not very granular, so if you need further security I'd recommend a full grown firewall appliance like WatchGuard or Sonic or Checkpoint or ... they offer stateful inspection, meaning you can not only open/block ports but also restrict the traffic to let say http or ftp or whatever you need.
0
 
LVL 10

Author Comment

by:HDWILKINS
ID: 17046478
I've awarded points to R-K because ethereal was the most helpful suggestion I received in this thread.  We're under attack again today and I'm going to post a new question about that.

Thanks
0

Featured Post

Webinar: Aligning, Automating, Winning

Join Dan Russo, Senior Manager of Operations Intelligence, for an in-depth discussion on how Dealertrack, leading provider of integrated digital solutions for the automotive industry, transformed their DevOps processes to increase collaboration and move with greater velocity.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is a guide to the following problem (not exclusive but here) on Windows: Users need our support and we supporters often use global administrative accounts to do this. Using these accounts safely is a real challenge. Any admin who takes se…
Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question