Solved

Event 529 - Under attack from outside?

Posted on 2007-11-20
Last Modified: 2013-12-04
Hi Experts.

Over the last two days I have seen Event ID 529 messages on our SBS 2003 Premium DC, as follows:

(ONLY 1 OCCURRENCE OF THIS ONE)
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            19/11/2007
Time:            16:20:54
User:            NT AUTHORITY\SYSTEM
Computer:      CORRECT NAME OF THE DC
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      Administrator
       Domain:            CORRECT DOMAIN NAME
       Logon Type:      10
       Logon Process:      User32  
       Authentication Package:      Negotiate
       Workstation Name:      CORRECT NAME OF DC
       Caller User Name:      CORRECT NAME OF DC$
       Caller Domain:      CORRECT DOMAIN NAME
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      7780
       Transited Services:      -
       Source Network Address:      193.138.145.144
       Source Port:      50544

Source   Event ID Last Occurrence       Total Occurrences
Security  529         18/11/2007 02:37        56 *
Logon Failure:
  Reason: Unknown user name or bad password
  User Name: Administrator
  Domain: AML
  Logon Type: 10
  Logon Process: User32
  Authentication Package: Negotiate
  Workstation Name: CORRECT SERVER NAME
  Caller User Name: CORRECT SERVER NAME$
  Caller Domain: CORRECT DOMAIN NAME
  Caller Logon ID: (0x0,0x3E7)
  Caller Process ID: 8956
  Transited Services: -
  Source Network Address: 70.43.225.146
  Source Port: 1404
 
This one was accompanied by:

Source Event ID Last Occurrence Total Occurrences
Security 672          18/11/2007 02:37       112 *
Authentication Ticket Request:
  User Name: Administrator
  Supplied Realm Name: CORRECT DOMAIN NAME
  User ID: -
  Service Name: krbtgt/AML
  Service ID: -
  Ticket Options: 0x40810010
  Result Code: 0x6
  Ticket Encryption Type: -
  Pre-Authentication Type: -
  Client Address: 127.0.0.1
  Certificate Issuer Name:  
  Certificate Serial Number:  
  Certificate Thumbprint:  
 
As far as I can see from these entries, the attempted logon has come from outside (type 10).
70.43.225.146 seems to have something to do with an Asian computer science college.
193.138.145.144 belongs in Eastern Europe. Both look very suspicious to me.

All ports are stealthed, except 25 for our SMTP mail & 1723 for PPTP (VPN connections), & the only port I can get a response from via telnet is 25. The ports specified in the events are both unresponsive to telnet & appear stealthed.

Questions:
1. Given the ports are stealthed, how can they be used like this?
2. Shouldn't the router's firewall have prevented the attack getting this far?
3. Have the correct domain controller name, correct domain name & correct workstation name been obtained by the attacker or are they simply being generated by the reporting system?
4. Can I still consider our domain to be secure?

Many thanks for your help.
Steve
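The two events above, parsed and classified by a small script. This is an added example, not part of the original post, and it encodes the facts a practitioner would check first: Logon Type 10 is RemoteInteractive, meaning the attempt reached Terminal Services (which listens on TCP 3389 by default); the Source Port in a 529 is the remote client's ephemeral port, not a port on the server; Caller Logon ID (0x0,0x3E7) is the server's own SYSTEM logon session, so Workstation Name and Caller User Name are filled in by the server's winlogon, not supplied by the attacker; and a 672 with Result Code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) and Client Address 127.0.0.1 is the DC asking its own KDC to validate the supplied name and being told that no such principal exists, which is exactly what a renamed Administrator account produces. The sample events, the server name SERVER01, the user user1 and the LAN address 192.168.1.104 are constructed for the example; only the two public addresses come from the thread.

```python
"""Parse and classify Windows Server 2003 Security events 529 and 672.

Added example, not code from the original thread. The sample events are
constructed in the thread's text format; only the two public source
addresses come from the post.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample events; a blank line separates events.
SAMPLE_EVENTS = """\
Event ID: 529
Reason: Unknown user name or bad password
User Name: Administrator
Domain: AML
Logon Type: 10
Workstation Name: SERVER01
Caller User Name: SERVER01$
Caller Logon ID: (0x0,0x3E7)
Source Network Address: 193.138.145.144
Source Port: 50544

Event ID: 672
User Name: Administrator
Supplied Realm Name: AML
Service Name: krbtgt/AML
Result Code: 0x6
Client Address: 127.0.0.1

Event ID: 529
User Name: Administrator
Domain: AML
Logon Type: 10
Source Network Address: 70.43.225.146
Source Port: 1404

Event ID: 529
User Name: user1
Domain: AML
Logon Type: 3
Source Network Address: 192.168.1.104
Source Port: 2049
"""

LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}

# Kerberos result codes seen in 672/675 (RFC 4120 error names).
KRB_ERRORS = {0x6: "client-principal-unknown",   # no such account in the domain
              0x12: "client-revoked",            # disabled, locked out or expired
              0x17: "key-expired",               # password expired
              0x18: "preauth-failed"}            # wrong password for a real account

SYSTEM_LOGON_ID = "(0x0,0x3E7)"                  # LUID 999: the local SYSTEM session


def parse_events(text):
    """Split 'Key: Value' event text into one dict per event."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")   # first colon only: "(0x0,0x3E7)" survives
            if sep:
                fields[key.strip()] = value.strip()
        events.append(fields)
    return events


def is_external(addr):
    """True for a routable public address; '-', RFC 1918 and loopback are not."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def classify(ev):
    eid = ev.get("Event ID")
    if eid == "529":
        ltype = int(ev.get("Logon Type", "0"))
        if LOGON_TYPES.get(ltype) == "RemoteInteractive":   # Terminal Services / RDP
            src = ev.get("Source Network Address", "-")
            return "external-rdp-failure" if is_external(src) else "internal-rdp-failure"
        return "other-logon-failure"
    if eid == "672":
        code = int(ev.get("Result Code", "0x0"), 16)
        return "kerberos-" + KRB_ERRORS.get(code, "error-0x%x" % code)
    return "unclassified"


def caller_is_server(ev):
    """The 'Caller' of a 529 is the process that asked LSA for the logon; for RDP that
    is the server's own winlogon running as SYSTEM, never the remote party."""
    return ev.get("Caller Logon ID") == SYSTEM_LOGON_ID


def external_rdp_attempts(events):
    """Count external RemoteInteractive failures per (source address, user name)."""
    counts = Counter()
    for ev in events:
        if classify(ev) == "external-rdp-failure":
            counts[(ev["Source Network Address"], ev.get("User Name", "?"))] += 1
    return counts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for ev in evs:
        print(ev.get("Event ID"), classify(ev), "caller=server" if caller_is_server(ev) else "")
    for (src, user), n in external_rdp_attempts(evs).items():
        print(f"{n} external RDP failure(s) for {user!r} from {src}")
```

Run over a real export, the (source, user) counter is the thing to watch: a single public address cycling through Administrator, admin, guest and the like at logon type 10 is an RDP password-guessing run, and the fix is on the firewall (no inbound 3389 from the Internet), not in the event log. Account lockout only applies to names that exist; a renamed Administrator account fails at 672/0x6 and never locks anything, which is why the 529 count can grow unboundedly.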

Question by: morse57

14 Comments

Expert Comment
by: Jeffrey Kane - TechSoEasy
Why is it that every time someone gets these errors they think they are being hacked?

http:Q_22058386.html
http:Q_22471975.html
http:Q_22865407.html
http:Q_21936889.html

Jeff
TechSoEasy

Author Comment
by: morse57
I don't, having had the benefit of your help a long time ago, & I think I learned everything that you intended me to.
What concerns me on this occasion is that there are external IP addresses & logon type is 10 - I believe the articles you kindly referred me to all deal with internal logins, type 3.
As I believe I have the necessary security in place, you can understand, I hope, my concern when these events report being triggered by an OUTSIDE source.
If I'm being really stupid and have misread your links, I apologise, but can you offer any help on this, please, Jeff?


Many thanks
Steve

Expert Comment
by: Jeffrey Kane - TechSoEasy
Well, I think I left one out:  http:Q_22621391.html

That one had these links:
529 - Login Failure http://www.ultimatewindowssecurity.com/events/com190.html
672 - Successful/Failed Logon http://www.ultimatewindowssecurity.com/events/com293.html


Jeff
TechSoEasy

Author Comment
by: morse57
Thanks. I'll take a look.

Steve

Author Comment
by: morse57
OK
I need to know if I'm being really thick here. All these previous posts relate to logon attempts from within the network.
These attempts are from external sources - the logon type is 10, which, as I understand it, relates to logon via Terminal Services, Remote Desktop or Remote Assistance.
The originating IPs are very suspect when traced through WHOIS - a computer college in Taiwan & a firm in Ukraine.
I hope you can see why I can't understand the relevance of the articles you have steered me to in this instance.  Some of them are your replies to posts to me concerning internal logons & I implemented the remedies you proposed then.  There have been no further problems of that type & these instances do not coincide with the installation of or running of any software or server processes as far as I can see.
Please explain it to me.

Cheers
Steve

Expert Comment
by: Jeffrey Kane - TechSoEasy
Your Event 672 entries are not from outside the network; according to what you posted they are coming from 127.0.0.1, which is the server itself.

The Event 529s with Logon Type 10 do indicate that someone is trying to log on to the server via Remote Desktop. Your lockout policy should prevent any abuse of this login, but just to be safe, if they are all coming in as username "Administrator", I'd suggest just changing the Administrator's login name and it'll stop them on the first try.

Jeff
TechSoEasy

Author Comment
by: morse57
Thanks, Jeff.
Yes, I realise the 672 was from within but I included it as a supplementary event, apparently generated by the 529 of the same timestamp, believing it might help in the resolution - it seems to have got in the way. :-)

The Administrator account has been renamed from day 1.

To get back to the original questions in relation to the attempts from outside - how has it been possible to get through to the server in the first place as the ports reportedly used are supposed to be blocked by the firewall in the router?

1. Given the ports are stealthed, how can they be used like this?
2. Shouldn't the router's firewall have prevented the attack getting this far?
3. Have the correct domain controller name, correct domain name & correct workstation name been obtained by the attacker or are they simply being generated by the reporting system?
4. Can I still consider our domain to be secure?

Cheers
Steve

Accepted Solution
by: Jeffrey Kane - TechSoEasy (earned 500 total points)
" Can I still consider our domain to be secure?"

I've had another look at it... and to be truthful, maybe not.  I'm not much of a hacker, but I decided to just see if I could (a) figure out your IP address, and (b) see if I could see anything open.

Normally, as an EE Zone Advisor, I have access to the IP address that you were at when you signed up for your account.  Yours wasn't recorded, so I didn't have it that easy.  But I was able to come up with it in about 10 minutes.  Suffice it to say that I know it begins with 81 and the very last number of the 4th octet is a 6.

Then, at first I thought you were pretty secure behind an SMC Barricade ADSL Router until I saw that it had SNMP enabled and I could see that your internal IP addresses were starting at 192.168.1.100.  (192.168.1.106 was missing from the list, by the way).

Knowing your internal IP addresses isn't really all that much of an issue... but for the record?  I was able to also see every single MAC address.

So, what should you do?  First, I wouldn't be using a residential router with a single-NIC configuration on an SBS.  Either upgrade it to a decent firewall that performs stateful packet inspection (such as a Sonicwall TZ-series) or add a second NIC to your SBS so that your network is double-NAT'ed.

Most importantly though, make sure that SNMP is disabled on your router, or at the very least change the default strings from Public & Private to something else and enable querying from the LAN only.  

You can find a few more tips about the SMC router here:  http://users.skynet.be/luc.pauwels/luc/smc/tips_and_tricks.html

Now... even though I was able to attain that info, I still would have needed to get past the Account Lockout and the fact that your Administrator account name is changed.  I didn't even try to go there... because as I said, I'm not much of a hacker.  And as long as you keep strong passwords which are changed regularly, in addition to correcting the above items then you shouldn't have any problems.  

Jeff
TechSoEasy

P. S.  If I was wrong about any of the above info let me know.  If I was right, especially about being able to figure out your IP Address, don't get too nervous... :-)  I'm sure that someone could figure out mine in about 30 seconds.
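Jeff's point about the default Public/Private strings, shown at the protocol level. This is an added example, not the router's or the thread's own code: an SNMPv1 GetRequest carries the community string as a plain OCTET STRING, and that string is the only credential the agent checks. An agent that answers WAN-side requests with "public" hands sysDescr, the interface and ARP tables (and so the internal addresses and MACs Jeff saw) to anyone who can reach UDP/161. The message and OID layout follow RFC 1157 and RFC 1213; the toy agent below knows only sysDescr.0 and the sysDescr value it returns is constructed.

```python
"""SNMPv1 GetRequest/GetResponse built by hand, to show what community-string
"authentication" amounts to. Added example, not the router's or the thread's
code; the agent is a toy that answers one OID and its sysDescr is constructed."""

SNMP_V1 = 0
SYS_DESCR_0 = (1, 3, 6, 1, 2, 1, 1, 1, 0)        # RFC 1213 system.sysDescr.0
NULL = b"\x05\x00"


# --- minimal BER (definite length only), enough for SNMPv1 ---
def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def enc_int(v):
    """ASN.1 INTEGER: two's complement in the fewest bytes."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return _tlv(0x02, v.to_bytes(n, "big", signed=True))


def enc_str(b):
    return _tlv(0x04, b)


def enc_oid(arcs):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def ber_decode(buf, pos=0):
    """Return ((tag, children_or_bytes), end_offset) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if tag & 0x20:                              # constructed type: decode the children
        children = []
        while pos < end:
            child, pos = ber_decode(buf, pos)
            children.append(child)
        return (tag, children), end
    return (tag, buf[pos:end]), end


# --- SNMPv1 Message ::= SEQUENCE { version INTEGER, community OCTET STRING, PDU } ---
def build_get_request(community, oid, request_id):
    varbinds = _tlv(0x30, _tlv(0x30, enc_oid(oid) + NULL))
    pdu = _tlv(0xA0, enc_int(request_id) + enc_int(0) + enc_int(0) + varbinds)
    return _tlv(0x30, enc_int(SNMP_V1) + enc_str(community.encode()) + pdu)


def build_get_response(community, oid, request_id, value):
    varbinds = _tlv(0x30, _tlv(0x30, enc_oid(oid) + enc_str(value)))
    pdu = _tlv(0xA2, enc_int(request_id) + enc_int(0) + enc_int(0) + varbinds)
    return _tlv(0x30, enc_int(SNMP_V1) + enc_str(community.encode()) + pdu)


def community_string(packet):
    """The community is a plain OCTET STRING: readable by anyone on the path."""
    (_, children), _ = ber_decode(packet)
    return children[1][1].decode()


def response_value(packet):
    (_, [_ver, _comm, (pdu_tag, pdu)]), _ = ber_decode(packet)
    if pdu_tag != 0xA2:
        raise ValueError("not a GetResponse")
    _, varbinds = pdu[3]                        # pdu = [request-id, error-status, error-index, varbinds]
    _, (_oid, value) = varbinds[0]
    return value[1]


def toy_agent(request, configured_community, sys_descr):
    """What an SNMPv1 agent does with a request: compare the community, then answer or drop."""
    (_, [_ver, comm, (_tag, fields)]), _ = ber_decode(request)
    if comm[1] != configured_community.encode():
        return None                             # wrong community: silently dropped, no error
    request_id = int.from_bytes(fields[0][1], "big", signed=True)
    return build_get_response(configured_community, SYS_DESCR_0, request_id, sys_descr)
```

The practical check from outside the LAN is `snmpwalk -v1 -c public <wan-ip>` with net-snmp: a device that has SNMP disabled on the WAN side, or a non-default community, returns nothing and the walk times out. Note that renaming the community only raises the bar; SNMPv1 and v2c have no encryption, so the new string is still readable by anyone who can capture the traffic, and only SNMPv3 with authPriv (if the device supports it) changes that.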

Author Comment
by: morse57
Damn...I wish I knew how to do that! :-)

Thanks very much for your efforts, Jeff.  The SNMP messaging worked OK as I was notified by email of your attempts to get through, assuming your IP starts 76 & has the last character of 0.

Prior to any changes, I had the following set as enabled:

    * Intrusion Detection Feature

      SPI and Anti-DoS firewall protection       
      RIP defect       
      Discard Ping to WAN       

    * Stateful Packet Inspection

      Packet Fragmentation       
      TCP Connection       
      UDP Session       
      FTP Service       
      H.323 Service       
      TFTP  Service

so I'm interested to see that you thought SPI wasn't effective on this router - can you clarify, please?

I'm somewhat disappointed in that we bought this router along with the server with the specification that it had to be able to properly secure the network & it seems, from what you've written, that it is a bit lightweight. I did fit a 2nd NIC some time ago with the intention of providing double protection but then I read on EE that if a SBS2003 box was set up with a single NIC it could be a nightmare adding a 2nd and then getting it to work properly with ISA, so I chickened out & removed the card.

I've changed the names of the SNMP communities & disabled access to the 'public' side, as you suggest & I'm working through the article you linked to.

It's interesting that you couldn't see 192.168.1.106 as it is registered in the reserved addresses of DHCP as are the other desktops on the network.  Strange.

If you'd like to take another look and see if we have been able to improve things, I'd appreciate it & I will, of course, accept your answer to give you the points.

I can appreciate you might not want to post it here but, if you could send a link to somewhere I might find out how to do the kind of checks which you have done for me, so I can learn to audit the security myself, I'd really appreciate it.  You could send to ***Email Address Removed by TechSoEasy*** if you're happy to do that.

Thanks for going the extra mile and checking things out for me.

Cheers
Steve

*** Experts-Exchange's Membership Agreement doesn't permit the use of email addresses in a question thread.
Details: http://www.experts-exchange.com/help.jsp#hi99

Expert Comment
by: Jeffrey Kane - TechSoEasy
"assuming your IP starts 76 & has the last character of 0"

Yep, that would be me.  :-)

So, yes it looks much better now.

I didn't even think to ask you if you are running ISA Server... which if you are isn't doing one bit of good with only ONE NIC installed.

It can be difficult to set up if you have a lot of custom things to configure, but in a standard setup it's all configured by the Configure Email and Internet Connection Wizard (CEICW -- which is linked as Connect to the Internet in the Server Management Console > Internet and Email).  But honestly, I've stopped using ISA Server with all of my SBS installations because I'm happier with using a single NIC and a strong firewall appliance like the Sonicwall.

If your SMC Router provides all that you list above, then it should be just fine.  I would say though that locking down your ports that much really inhibits the ability to work remotely... which can be more trouble than it's worth in my opinion.  

I had thought that SPI wasn't working because I'm still wondering how you even got any traffic to try authentication that would produce a "Logon Type: 10" event from an external IP address.  I definitely don't know enough about this stuff to even start to understand how that could happen.  The only thing I can think of is if you had an alternate Internet connection on another machine within your LAN, or it could be a Trojan that's opening up the port outbound allowing the inbound traffic.

So, if you don't have a secondary Internet connection, then you should review the router logs for both inbound and outbound traffic to see if the original request is coming from inside your LAN.

Jeff
TechSoEasy

Expert Comment
by: Jeffrey Kane - TechSoEasy
Steve,

Regarding the way I scanned your network?  I use an old version of GFI Languard (v3.0) which does a decent scan as well as enumerating SNMP info.

But there are plenty of tools to do this with.  See http://www.greyhat.com/exec/ for more info.

You just need to test from OUTSIDE your LAN.

Jeff
TechSoEasy

Author Comment
by: morse57

I think I'll stick with the single NIC & Barricade for now as it seems to be secure enough - I'm not currently using ISA as I found early on (another of your posts, I think) that it only works with 2 NICs.

"I'm still wondering how you even got any traffic to try authentication that would produce a "Logon Type: 10" event from an external IP address." - Me too; that's exactly the part which has me worried.
I'll check the logs, as you suggest, & see what I can find.
Meanwhile, here are your well-earned points & thanks very much for your efforts, Jeff.

Expert Comment
by: Jeffrey Kane - TechSoEasy
Steve,

For what it's worth... one of my clients got this attack last night:

Source       Event ID      Last Occurrence        Total Occurrences
Security     672      11/30/2007 3:35 PM      304 *
Authentication Ticket Request:
       User Name:      Administrator
       Supplied Realm Name:      DOMAINNAME
       User ID:      -
       Service Name:      krbtgt/DOMAINNAME
       Service ID:      -
       Ticket Options:      0x40810010
       Result Code:      0x6
       Ticket Encryption Type:      -
       Pre-Authentication Type:      -
       Client Address:      127.0.0.1
       Certificate Issuer Name:       
       Certificate Serial Number:       
       Certificate Thumbprint:       



Source      Event ID      Last Occurrence      Total Occurrences
 Security    529      11/30/2007 3:35 PM      152 *
Logon Failure:
       Reason:      Unknown user name or bad password
       User Name:      Administrator
       Domain:      DOMAINNAME
       Logon Type:      10
       Logon Process:      User32
       Authentication Package:      Negotiate
       Workstation Name:      SBS2K3
       Caller User Name:      SBS2K3$
       Caller Domain:      DOMAINNAME
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      5544
       Transited Services:      -
       Source Network Address:      70.43.225.146
       Source Port:      3350

Obviously a very similar situation -- even from the same IP Address.  I've notified the Abuse Department at the offending ISP.  Interestingly this server also has a different Administrator account name, so of course the account lock-out won't kick in because there is no account with that name.

Jeff
TechSoEasy

Author Comment
by: morse57
Thanks for this, Jeff.
I also notified the abuse department so, hopefully, receiving multiple reports should be more likely to cause some action.

Cheers
Steve