Solved

How do I duplicate the 100 failed logon attempts on my server so I know what I need to lock down?

Posted on 2007-11-26
Last Modified: 2010-04-21
It looks as though my DC / Exchange server was hit with a brute force attack on Saturday. I have approx 200 hits (not many) that all look like the 1st example below.
Tennis was the bogus username, along with other common names, which makes me think the attacker got the password dictionary file and the username file mixed up?
I would like to know how the attack took place?
The server room is locked.
The firewall is locked down only allowing port 25 into the exchange server.
The logs on the firewall show no unusual activity during the attack window.
IIS printing is unavailable on the server.
OWA is available on the server.
The default home page for IIS is under construction (a little weak there).

What I've gleaned from the net is:
Logon type 3 - is network logon attempt
Logon Process advapi - is an attempt to access through IIS or through a file share or shared printer
Workstation Name - from the brute force was my server, MMS
Caller Domain - from the brute force was my Domain

1st Example - real logged entry of attempt to access my server.
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      Tennis
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      MMS
       Caller User Name:      MMS$
       Caller Domain:      MMSDC
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      2068
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

---- End 1st example
Now I have tried to duplicate a similar Logon Type 3 and Logon Process Advapi with the following scenarios, without luck.

Scenario 1 - attempt to log on to a domain workstation with a username that does not exist in Active Directory.
       Reason:            Unknown user name or bad password
       User Name:      testuser
       Domain:            VNEWBOX
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      VNEWBOX
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:      192.168.1.251
       Source Port:      0

Scenario 2 - attempt to access OWA with an unknown username and password

Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      owa2
       Domain:            MMS
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      VNEWBOX
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:      192.168.1.251
       Source Port:      58269

Scenario 3 - attempt to connect to a file share with a non-existent username

Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      theman
       Domain:            VNEWBOX
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      VNEWBOX
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:      192.168.1.251
       Source Port:      0


Once again, how can I duplicate the failed logon attempt in the 1st example?
Thank you,
Graham

Question by:gmacdonald
7 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 20354135
The common attack is on SMTP, so it is probably there.

Simon.

Author Comment

by:gmacdonald
ID: 20355478
Hi Sembee,
I telnetted into port 25 and attempted to send mail as a non-domain user; here is the message (see below). This does not generate a failed logon Event 529, and from what I've read, hackers use SMTP to assist in the retrieval of usernames, not as a point of entry. So I'm still looking to duplicate the hack attack so I can learn how to plug the hole, please.
Thanks for the comment.

220 mms.ca Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at  Mon, 26 Nov 2007 20:36:16 -0700
helo ola.com
250 monarchmessenger.ca Hello [123.123.123.123]
mail from:<junkman>
250 2.1.0 junkman@monarchmessenger.ca....Sender OK
rcpt to:<junk@junk.ca>
550 5.7.1 Unable to relay for junk@junk.ca
rset
250 2.0.0 Resetting
LVL 104

Expert Comment

by:Sembee
ID: 20357015
Not that I am doubting what you had read, but SMTP is very much used to attack Exchange servers - the administrator account is attacked so that a spammer can do an authenticated relay through the server.
Your test above isn't a replication of an authenticated relay attack - it is to see if the server is an open relay which the server would reject if it has been configured correctly.

What you are referring to is a directory harvest attack, which can be easily defeated and would make a spammer move on to the next target.

Why do you think you have a hole that needs to be plugged? Anything exposed to the internet will get attacked. IIS 6 has never been compromised; it has always been applications installed on IIS 6 that have caused the problem. If the server is running Exchange only then it is pretty secure if it has been kept up to date with patches.

Simon.

Author Comment

by:gmacdonald
ID: 20361146
Thanks for the feedback Simon. I guess the big thing for me is that the real failed logon attempts do not show an IP or external workstation name, just the name of my server, as if they were right on the box. I would like to confirm that I have not overlooked a hole in the defenses. If they are attempting to come through SMTP then I should be able to find the bad guys' IPs from there, true?
Thanks again,
Graham
LVL 104

Accepted Solution

by:
Sembee earned 500 total points
ID: 20361479
The IP address would not be logged in the event viewer, as the authentication is taking place on the server itself. WWW authentication takes place in the same way - even when it is an anonymous "account".
The IP address information is stored in the SMTP logs.

Simon.
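Pulling the thread's two observations together as an added example (this is not code from the original question or from Simon's answers): the 529 bodies pasted in the question are parsed field by field; an event is tagged "local-service" when the Logon Process is Advapi, the caller is the machine account (MMS$) in the SYSTEM logon session (0x3E7), and no Source Network Address is recorded, which is the shape of the real attack entries; and those events are then joined by timestamp to the 535 (authentication unsuccessful) responses in the SMTP service's W3C log, which is where the client IP lives. The event bodies, the event timestamps, the log lines and the second username are constructed; the SMTP log is cut after the sc-status column of the IIS 6 layout, and the exact wording of the 535 line is an assumption about how the service records a rejected AUTH (only the status column is used). Python was chosen because the job is offline log parsing.

```python
"""Added example, not from the original thread: classify Event 529 bodies and
join the Advapi ones with the IIS SMTP service log to recover the client IP.
All sample data below is constructed to resemble the post's events and log."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Layout of the post's event: Advapi, caller is the machine account in the
# SYSTEM logon session (0x3E7), no source address.  Trailing fields omitted.
EVENT_529_ADVAPI = """\
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      Tennis
       Domain:
       Logon Type:      3
       Logon Process:      Advapi
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      MMS
       Caller User Name:      MMS$
       Caller Domain:      MMSDC
       Caller Logon ID:      (0x0,0x3E7)
       Source Network Address:      -
"""
# Constructed W3C log in the IIS 6 SMTP column order, cut after sc-status; the
# text of the 535 line is an assumption, only the sc-status column is used.
SMTP_LOG_SAMPLE = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2007-11-24 03:12:05 198.51.100.23 ola.com SMTPSVC1 MMS 192.0.2.10 0 EHLO - +ola.com 250
2007-11-24 03:12:06 198.51.100.23 ola.com SMTPSVC1 MMS 192.0.2.10 0 AUTH - LOGIN 334
2007-11-24 03:12:07 198.51.100.23 ola.com SMTPSVC1 MMS 192.0.2.10 0 - - 535+5.7.3+Authentication+unsuccessful. 535
2007-11-24 03:12:08 198.51.100.23 ola.com SMTPSVC1 MMS 192.0.2.10 0 AUTH - LOGIN 334
2007-11-24 03:12:09 198.51.100.23 ola.com SMTPSVC1 MMS 192.0.2.10 0 - - 535+5.7.3+Authentication+unsuccessful. 535
2007-11-24 03:15:40 203.0.113.9 junk.ca SMTPSVC1 MMS 192.0.2.10 0 EHLO - +junk.ca 250
2007-11-24 03:15:41 203.0.113.9 junk.ca SMTPSVC1 MMS 192.0.2.10 0 RCPT - +TO:<junk@junk.ca> 550
"""
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_529(body):
    """Turn the indented 'Field:   value' lines of a 529 body into a dict."""
    fields = {}
    for line in body.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(1).strip() != "Logon Failure":
            fields[m.group(1).strip()] = m.group(2) or "-"
    return fields


def classify(ev):
    """'local-service' when a process on the server itself called LogonUser
    (Advapi) as the machine account under SYSTEM: the IP is not in the event,
    it is in that service's own log.  Anything else is tagged 'network'."""
    local = (ev.get("Logon Process", "").lower() == "advapi"
             and ev.get("Caller User Name", "").endswith("$")
             and ev.get("Caller Logon ID", "").upper().endswith("0X3E7)")
             and ev.get("Source Network Address", "-") == "-")
    return "local-service" if local else "network"


def parse_w3c(text):
    """Parse a W3C extended log using its own #Fields header for column names."""
    names, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            names = line.split()[1:]
        elif names and line.strip() and not line.startswith("#"):
            rows.append(dict(zip(names, line.split())))
    return rows


def smtp_auth_failures(rows):
    """Rejected SMTP AUTH attempts (535) per client IP."""
    return Counter(r["c-ip"] for r in rows if r.get("sc-status") == "535")


def correlate(events, rows, window=timedelta(seconds=2)):
    """For each local-service 529 (events: [(datetime, parsed body)]), list
    the SMTP clients that drew a 535 within +/- window of the event time."""
    fails = [(datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S"),
              r["c-ip"]) for r in rows if r.get("sc-status") == "535"]
    out = []
    for when, ev in events:
        if classify(ev) == "local-service":
            ips = sorted({ip for t, ip in fails if abs(t - when) <= window})
            out.append((when.strftime("%Y-%m-%d %H:%M:%S"), ev["User Name"], ips))
    return out


# Constructed event times and second username; a real Security log export
# carries the times.  The third entry mimics the poster's NtLmSsp/OWA test.
EVENTS = [
    (datetime(2007, 11, 24, 3, 12, 7), parse_529(EVENT_529_ADVAPI)),
    (datetime(2007, 11, 24, 3, 12, 9), parse_529(EVENT_529_ADVAPI.replace("Tennis", "Golf"))),
    (datetime(2007, 11, 24, 3, 20, 0), {**parse_529(EVENT_529_ADVAPI), "User Name": "owa2",
                                        "Logon Process": "NtLmSsp", "Caller User Name": "-",
                                        "Source Network Address": "192.168.1.251"}),
]

if __name__ == "__main__":
    rows = parse_w3c(SMTP_LOG_SAMPLE)
    print("535 responses per client IP:", dict(smtp_auth_failures(rows)))
    for when, user, ips in correlate(EVENTS, rows):
        print(f"{when}  529 for {user!r} via Advapi  <- SMTP client(s) {ips}")
```

Run against a real Security log export and the SMTPSVC1 log from the same day, the output lists, for every Advapi failure, the SMTP client addresses that were rejected in the same two-second window; a wider window is needed if the server's clocks or log flush timing drift. Events that classify as "network" (NtLmSsp from SMB or OWA) already carry the address and need no join.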

Author Closing Comment

by:gmacdonald
ID: 31411096
Hi Simon, thanks for the help. SMTP logging is turned on now; too bad I didn't have it on last week. I see the IPs showing up in the log. I'll be tracking that for a while to see how it patterns out and corresponds with the security logs. Thanks for the help. Graham