Solved

How do I duplicate the 100 failed logon attempts on my server so I know what I need to lock down?

Posted on 2007-11-26
Last Modified: 2010-04-21
It looks as though my DC / Exchange server was hit with a brute force attack on Saturday. I have approx 200 hits (not many) that all look like the 1st example below.
Tennis was the bogus username, along with other common names, which makes me think the attacker got the password dictionary file and the username file mixed up??
I would like to know how the attack took place??
The server room is locked.
The firewall is locked down, only allowing port 25 into the Exchange server.
The logs on the firewall show no unusual activity during the attack window.
IIS printing is unavailable on the server.
OWA is available on the server.
The default home page for IIS is under construction (a little weak there).

What I've gleaned from the net is:
Logon type 3 - is network logon attempt
Logon Process advapi - is an attempt to access through IIS or through a file share or shared printer
Workstation Name - from the brute force was my server MMS
Caller Domain - from the brute force was my domain

1st Example - real logged entry of attempt to access my server.
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      Tennis
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      MMS
       Caller User Name:      MMS$
       Caller Domain:      MMSDC
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      2068
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

---- End 1st example
Now I have tried to duplicate a similar Logon Type 3 and Logon Process Advapi with the following scenarios, without luck.

Scenario 1 - attempt to log on to a domain workstation where the username does not exist in Active Directory.
       Reason:            Unknown user name or bad password
       User Name:      testuser
       Domain:            VNEWBOX
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      VNEWBOX
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:      192.168.1.251
       Source Port:      0

Scenario 2 - attempt to access OWA with an unknown username and password

Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      owa2
       Domain:            MMS
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      VNEWBOX
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:      192.168.1.251
       Source Port:      58269

Scenario 3 - attempt to connect to a file share with a non-existent username

Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      theman
       Domain:            VNEWBOX
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      VNEWBOX
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:      192.168.1.251
       Source Port:      0


Once again, how can I duplicate the failed logon attempt in the 1st example?
Thank you,
Graham

Question by:gmacdonald
7 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 20354135
The common attack is on SMTP, so it is probably there.

Simon.

Author Comment

by:gmacdonald
ID: 20355478
Hi Sembee,
I telneted into port 25 and attempted to send mail as a non-domain user; here is the message (see below). This does not generate a failed logon Event 529, and from what I've read, hackers use SMTP to assist in the retrieval of usernames, not as a point of entry. So I'm still looking to duplicate the hack attack so I can learn how to plug the hole, please?
Thanks for the comment.

220 mms.ca Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at  Mon, 26 Nov 2007 20:36:16 -0700
helo ola.com
250 monarchmessenger.ca Hello [123.123.123.123]
mail from:<junkman>
250 2.1.0 junkman@monarchmessenger.ca....Sender OK
rcpt to:<junk@junk.ca>
550 5.7.1 Unable to relay for junk@junk.ca
rset
250 2.0.0 Resetting

Expert Comment

by:Sembee
ID: 20357015
Not that I am doubting what you had read, but SMTP is very much used to attack Exchange servers - the administrator account is attacked so that a spammer can do an authenticated relay through the server.
Your test above isn't a replication of an authenticated relay attack - it is to see if the server is an open relay which the server would reject if it has been configured correctly.

What you are referring to is a directory harvest attack, which can be easily defeated and would make a spammer move on to the next target.

Why do you think you have a hole that needs to be plugged? Anything exposed to the internet will get attacked. IIS 6 has never been compromised; it has always been applications installed on IIS 6 that have caused the problem. If the server is running Exchange only, then it is pretty secure if it has been kept up to date with patches.

Simon.

Author Comment

by:gmacdonald
ID: 20361146
Thanks for the feedback Simon. I guess the big thing for me is the real failed logon attempts do not show an IP or external workstation name, just the name of my server, as if they were right on the box. I would like to confirm that I have not overlooked a hole in the defenses. If they are attempting to come through SMTP, then I should be able to find the bad guys' IPs from there, true?
Thanks again,
Graham

Accepted Solution

by:
Sembee earned 500 total points
ID: 20361479
The IP address would not be logged in the event viewer, as the authentication is taking place on the server itself. WWW authentication takes place in the same way - even when it is an anonymous "account".
The IP address information is stored in the SMTP logs.

Simon.
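As an added example (not code from the thread or from either poster), a small Python triage script that parses a 529 event body in the layout quoted in the question, flags the Advapi / MMS$ / no-source-address pattern Simon describes as authentication happening on the server itself, and pulls candidate client IPs from SMTP log lines in the same time window. The event body and SMTP lines are constructed, and the SMTP layout is simplified to date, time, client IP and command rather than the exact IIS W3C field order.

```python
from datetime import datetime, timedelta

# Constructed sample (not the poster's data). Event body follows the Event 529
# layout quoted in the question; SMTP lines are a simplified W3C-style layout.
EVENT_529 = ("2007-11-24 03:15:02", """Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      Tennis
       Domain:
       Logon Type:      3
       Logon Process:      Advapi
       Workstation Name:      MMS
       Caller User Name:      MMS$
       Caller Domain:      MMSDC
       Source Network Address:      -""")

SMTP_LOG = """2007-11-24 03:15:01 203.0.113.45 AUTH LOGIN
2007-11-24 03:15:02 203.0.113.45 AUTH failed
2007-11-24 03:20:00 198.51.100.7 MAIL FROM:<a@example.net>"""

def parse_event(body):
    """Turn the indented 'Field:   value' lines into a dict (first line is the title)."""
    fields = {}
    for line in body.splitlines()[1:]:
        key, _, value = line.strip().partition(":")
        fields[key.strip()] = value.strip()
    return fields

def auth_happened_locally(fields):
    """True for the thread's pattern: Advapi, caller is the server's own machine
    account (<HOST>$), no source address - SMTP AUTH and IIS log this way."""
    return (fields.get("Logon Process", "").lower() == "advapi"
            and fields.get("Caller User Name", "").endswith("$")
            and fields.get("Source Network Address", "-") in ("-", ""))

def smtp_clients_near(event_time, smtp_log, window_seconds=60):
    """Client IPs that issued AUTH in the window leading up to the failed logon."""
    when = datetime.strptime(event_time, "%Y-%m-%d %H:%M:%S")
    hits = set()
    for line in smtp_log.splitlines():
        date, time, ip, command = line.split()[:4]
        seen = datetime.strptime(date + " " + time, "%Y-%m-%d %H:%M:%S")
        if command == "AUTH" and timedelta(0) <= when - seen <= timedelta(seconds=window_seconds):
            hits.add(ip)
    return hits

def triage(event, smtp_log):
    """Source IP from the event itself, or SMTP candidates when the event has none."""
    time, body = event
    fields = parse_event(body)
    if not auth_happened_locally(fields):
        return fields.get("Source Network Address")
    return smtp_clients_near(time, smtp_log)
```

For an NtLmSsp network logon such as the poster's scenarios, triage() just returns the Source Network Address the event already carries.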

Author Closing Comment

by:gmacdonald
ID: 31411096
Hi Simon, Thanks for the help. SMTP logging is turned on now; too bad I didn't have it on last week. I see the IPs showing up in the log. I'll be tracking that for a while to see how it patterns out and corresponds with the security logs. Thanks for the help. Graham
