Solved

Suspected hacking attempts

Posted on 2007-03-26
Last Modified: 2013-12-04
Hi folks

I need some help with an apparent security problem, please.
I am getting events as below, in random blocks: nothing for several days, then up to a hundred similar events in the space of a few hours. I suspect it is a hacking attempt because different generic usernames are being employed, e.g. admin, root, www, administrator, test, master, etc.

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            26/03/2007
Time:            04:27:13
User:            NT AUTHORITY\SYSTEM
Computer:      OUR-SERVER
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      test
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      OUR-SERVER
       Caller User Name:      OUR-SERVER$
       Caller Domain:      OUR-DOMAIN
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      2592
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

As you can see, the eventlog is no help in identifying the port being used.
We run a vpn for two users within the organisation and MS Exchange within SBS2003.  I have port-scanned up to port 1055 using Shields-Up & everything is stealthed, except the following ports:
Open - 25 - smtp
Closed - 110 - pop3
Open - 443 - https
Open - 444 - snmp

Do you think that these are hacking attempts?  
Do I need these ports open for our mail & remote users?
Is there a way I can get information as to the originating port?

Any help appreciated
Many thanks
Question by:morse57
 

Expert Comment

by:Zenith63
ID: 18791839
Yep, I'd say it's just a bot taking random guesses at any servers it comes across. Provided you don't have any basic passwords set up on accounts you should be fine. However, if there are ports you can close then you should close them.

25 - Has to be open to receive mail.
110 - If you have external users connecting to the server directly to get their mail by POP this port has to be open, otherwise close it.
443 - Do you use Outlook Web Access from external locations?  If so then yes this port needs to be open, otherwise close it.
444 - Not sure why you have this open externally?  I've never needed to open it before, so I'd close it.

If the only external access is through those two VPNs then the only port you really need open to the server directly is 25.  All other traffic will come through the VPN in which case they should be bypassing these rules anyway.
 

Author Comment

by:morse57
ID: 18791951
Thanks.  I'm going to try things out with 443/4 closed & test the access.  I'll let you know how it goes.
Do you have any suggestion as to how I can get the information as to which port is being used for these attempts, please?

Thanks
 

Expert Comment

by:Zenith63
ID: 18792039
Well Advapi is the logon process IIS uses to do user authentication.  I don't believe this would be used by SMTP, POP3 or SNMP so I'd suspect the bot/person in question was trying to access your server through HTTPS (443).  Maybe trying to just access https://YourServerAddress or maybe trying to get into Outlook Web Access if you have it open and listening on HTTPS.

So if you have nobody using OWA externally and your only external users are coming through a VPN then you should have no need for port 443 to be open at the perimeter firewall.
 

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 500 total points
ID: 18792448
It's very unlikely that it's a hack attempt, since the originating server name is also not randomized. Also, a logon type of 3 indicates a NETWORK logon attempt. The cause of these events is generally due to the MACHINE account password being out of sync. Take a look at this newsgroup post which shows almost your EXACT error message:
http://groups.google.com/group/microsoft.public.windows.server.sbs/browse_thread/thread/41a0a87606fa0bb2/ed8a66283495c1ca?lnk=st

Then follow the advice of the post to use NETDOM to reset the password.  

Jeff
TechSoEasy

P. S.  Just to clarify the SBS ports that are used, 444 is not SNMP it's used for SharePoint.  These are the common ones and I generally have all of them open without issue:

25 - SMTP
443 - HTTPS (for RWW and OWA)
444 - SharePoint
1723 - PPTP VPN
3389 - RDP for remote administration
4125 - Remote Web Workplace



Expert Comment

by:Keyguard
ID: 18792778
The different usernames being used do suggest an attempt to hack the webserver; a machine account out of sync doesn't come up with those sorts of usernames. Just looks like a pretty generic hacking attempt to me.
 

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18792994
Well, that could be right... but WMI does actually use www, root, and master login names.  There could be other programs running that use the others.  

I am definitely aware of dictionary attacks though... my web servers fend off about 1,000 hits per night with "Illegal user test from..." lines filling up my security log reports.  Unfortunately on those servers I cannot close down ports, so it's just a constant watch to ensure they never get through.

But in this case, unless port 445 is open the packets wouldn't ever reach the server from the Internet.

Jeff
TechSoEasy
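The two readings of the events argued over in the question and in the replies above (bursts of different generic usernames, versus a local machine account making the failed logons) can be checked mechanically from the records themselves. The following Python is an added example and is not code from the original post or from any participant in this thread. It parses a batch of 529 records in the layout the question shows and reports the features the replies hinge on: how many distinct generic usernames appear in a burst, whether the caller is the server's own machine account, whether any source address was recorded, and which logon process was used. The record text, hostnames, times, the extra 540 record and the `===` record separator are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Usernames the question lists as typical of automated guessing.
GENERIC_NAMES = {"admin", "root", "www", "administrator", "test", "master"}

# Constructed sample shaped like the 529 record in the question. Hostname,
# times, the 540 (success) record and the '===' separator are made up here.
TEMPLATE = """\
Event Type: {etype}
Event ID: {eid}
Date: {date}
Time: {time}
Computer: OUR-SERVER
User Name: {user}
Domain:
Logon Type: 3
Logon Process: Advapi
Workstation Name: OUR-SERVER
Caller User Name: OUR-SERVER$
Caller Process ID: 2592
Source Network Address: -
"""
SAMPLE_RECORDS = [
    ("Failure Audit", "529", "26/03/2007", "04:27:13", "test"),
    ("Failure Audit", "529", "26/03/2007", "04:27:15", "admin"),
    ("Failure Audit", "529", "26/03/2007", "04:27:20", "root"),
    ("Failure Audit", "529", "26/03/2007", "04:31:02", "www"),
    ("Success Audit", "540", "26/03/2007", "09:02:11", "steve"),
    ("Failure Audit", "529", "28/03/2007", "02:10:44", "master"),
]
SAMPLE_LOG = "\n===\n".join(
    TEMPLATE.format(etype=t, eid=i, date=d, time=tm, user=u)
    for t, i, d, tm, u in SAMPLE_RECORDS
)

# "Field name:   value" lines as they appear in the exported event text.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")


def parse_events(text, event_id="529"):
    """Split the export on '===' and keep records with the wanted Event ID."""
    events = []
    for chunk in text.split("==="):
        fields = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2)
        if fields.get("Event ID") != event_id:
            continue
        fields["timestamp"] = datetime.strptime(
            fields["Date"] + " " + fields["Time"], "%d/%m/%Y %H:%M:%S")
        events.append(fields)
    return events


def max_in_window(timestamps, window=timedelta(hours=1)):
    """Largest number of events that fall inside any single sliding window."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def triage(events):
    """Collect the features the thread argues over for a batch of 529 events."""
    users = Counter(e.get("User Name", "") for e in events)
    return {
        "count": len(events),
        "distinct_users": len(users),
        "generic_users": sorted(u for u in users if u.lower() in GENERIC_NAMES),
        "max_per_hour": max_in_window([e["timestamp"] for e in events]),
        "all_logon_type_3": all(e.get("Logon Type") == "3" for e in events),
        "logon_processes": sorted({e.get("Logon Process", "") for e in events}),
        # Caller User Name equal to "<Computer>$" means the server's own
        # machine account made the logon call, not a remote workstation.
        "caller_is_local_machine_account": all(
            e.get("Caller User Name") == e.get("Computer", "") + "$" for e in events),
        "single_caller_pid": len({e.get("Caller Process ID") for e in events}) == 1,
        "source_address_logged": any(
            e.get("Source Network Address", "-") not in ("", "-") for e in events),
    }


def assessment(features):
    """Map the features onto the explanations offered in the thread."""
    notes = []
    if features["distinct_users"] >= 3 and features["generic_users"]:
        notes.append("several generic usernames in one batch: consistent with guessing")
    if features["caller_is_local_machine_account"] and not features["source_address_logged"]:
        notes.append("caller is the local machine account and no source address was "
                     "recorded: the logon calls come from a process on the server, so "
                     "identify the Caller Process ID before assuming a remote attacker")
    if "Advapi" in features["logon_processes"]:
        notes.append("Advapi logon process: a local service such as IIS calling LogonUser")
    return notes


if __name__ == "__main__":
    feats = triage(parse_events(SAMPLE_LOG))
    for k, v in feats.items():
        print(f"{k}: {v}")
    for n in assessment(feats):
        print("-", n)
```

The point of `caller_is_local_machine_account` and `single_caller_pid` is that both hypotheses in the thread fit the same 529 text: a service on the server calling LogonUser on behalf of a remote client and a service failing to authenticate its own machine account both show `OUR-SERVER$` as the caller and `-` as the source address. Resolving the Caller Process ID to a process on the server is what separates them; the parser only surfaces the fields that make that question answerable.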
 

Author Comment

by:morse57
ID: 18793216
Thanks for your input, Jeff - relevant & valuable as ever.
I've just tried your suggestion & I'm having some trouble getting a service to start.  
The problem doesn't occur every day so I'll probably need to leave it for a few days to see what happens next.
I'll let you know when I've resolved the startup & see some results.  
Cheers
Steve
 

Author Comment

by:morse57
ID: 18834996
Thanks everyone for your input.

Jeff - you hit the nail on the head.  

Thanks once again.

Cheers
Steve
 

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18855234
Good thing I didn't hit my thumb with the hammer!

Jeff
TechSoEasy