• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1262

How do I duplicate the 100 failed logon attempts on my server so I know what I need to lock down?

It looks as though my DC / Exchange server was hit with a brute force attack on Saturday. I have approx 200 hits (not many) that all look like the 1st example below.
Tennis was the bogus username, along with other common names, which makes me think the attacker got the password dictionary file and the username file mixed up?
I would like to know how the attack took place.
The server room is locked.
The firewall is locked down only allowing port 25 into the exchange server.
The logs on the firewall show no unusual activity during the attack window.
IIS printing is unavailable on the server.
OWA is available on the server.
The default home page for IIS is under construction (a little weak there).

What I've gleaned from the net is:
Logon type 3 - is network logon attempt
Logon Process advapi - is an attempt to access through IIS or through a file share or shared printer
Workstation Name - from the brute force was my Server MMS
Caller Domain - from the brute force was my Domain

1st Example - real logged entry of attempt to access my server.
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      Tennis
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      MMS
       Caller User Name:      MMS$
       Caller Domain:      MMSDC
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      2068
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

---- End 1st example
Now I have tried to duplicate a similar Logon Type 3 and Logon Process Advapi with the following scenarios, without luck.

Scenario 1 - attempt to log on to a domain workstation and the username does not exist in Active Directory.
       Reason:            Unknown user name or bad password
       User Name:      testuser
       Domain:            VNEWBOX
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      VNEWBOX
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:      192.168.1.251
       Source Port:      0

Scenario 2 - attempt to access OWA with an unknown username and password

Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      owa2
       Domain:            MMS
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      VNEWBOX
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:      192.168.1.251
       Source Port:      58269

Scenario 3 - attempt to connect to a file share with a non-existent username

Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      theman
       Domain:            VNEWBOX
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      VNEWBOX
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:      192.168.1.251
       Source Port:      0


Once again, how can I duplicate the 1st example failed logon attempt?
Thank you,
Graham

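An added example (not code from this thread) that reads Event 529 records in the layout Event Viewer prints, classifies each one by where the credentials were checked, and flags bursts of failures. The records are constructed: the first mirrors the real entry above, the timestamps and the other usernames are invented. Two facts drive the classification: Logon Process Advapi means the logon was requested through LogonUser() by a process running on the server, and Caller Logon ID (0x0,0x3E7) is the LocalSystem logon session, which is why the caller is the machine account MMS$ and no source network address is recorded.

```python
"""Parse Event 529 (Logon Failure) records as Event Viewer prints them,
classify how each logon was attempted, and flag brute-force bursts.
Added example, not code from the original thread. The records below are
constructed: the first mirrors the poster's real entry; the timestamps and
the other usernames are invented."""
from collections import Counter
from datetime import datetime, timedelta

# Logon ID (0x0,0x3E7) is the LocalSystem logon session, so a caller of
# MMS$ with this ID is a SYSTEM service running on the server itself.
SYSTEM_LOGON_ID = "(0x0,0x3E7)"

# Constructed sample: blank-line-separated records, each prefixed with a
# timestamp line; field lines keep the Event Viewer "Key:  Value" layout.
SAMPLE_529 = """\
2007-11-24 03:12:05
Logon Failure:
       User Name:      Tennis
       Logon Process:      Advapi
       Caller User Name:      MMS$
       Caller Logon ID:      (0x0,0x3E7)
       Source Network Address:      -

2007-11-24 03:12:06
Logon Failure:
       User Name:      Golf
       Logon Process:      Advapi
       Caller User Name:      MMS$
       Caller Logon ID:      (0x0,0x3E7)
       Source Network Address:      -

2007-11-24 03:12:08
Logon Failure:
       User Name:      Hockey
       Logon Process:      Advapi
       Caller User Name:      MMS$
       Caller Logon ID:      (0x0,0x3E7)
       Source Network Address:      -

2007-11-26 20:10:00
Logon Failure:
       User Name:      testuser
       Logon Process:      NtLmSsp
       Caller User Name:      -
       Caller Logon ID:      -
       Source Network Address:      192.168.1.251
"""

def parse_529(text):
    """One dict per record; every 'Key: Value' line that has a value is kept."""
    events = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        ev = {"time": datetime.strptime(lines[0].strip(), "%Y-%m-%d %H:%M:%S")}
        for line in lines[1:]:
            key, sep, value = line.partition(":")
            if sep and value.strip():  # skips the "Logon Failure:" header line
                ev[key.strip()] = value.strip()
        events.append(ev)
    return events

def classify(ev):
    """Say where the credentials were checked, from the fields the record carries."""
    proc = ev.get("Logon Process", "").lower()
    src = ev.get("Source Network Address", "-")
    if proc == "advapi":
        # LogonUser() was called by a process on this server; the event names
        # that caller, not the remote client, so no source address is logged.
        caller = ev.get("Caller User Name", "")
        if caller.endswith("$") and ev.get("Caller Logon ID") == SYSTEM_LOGON_ID:
            return "local SYSTEM service via LogonUser (e.g. IIS/SMTP AUTH)"
        return "local process via LogonUser"
    if proc == "ntlmssp" and src != "-":
        return "network NTLM from " + src
    return "other"

def find_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Sliding window over time-sorted events. Each event that completes a
    window holding >= threshold failures yields (window_start, count,
    distinct_users); many distinct names means a username list is being tried."""
    evs = sorted(events, key=lambda e: e["time"])
    bursts, start = [], 0
    for end, ev in enumerate(evs):
        while evs[start]["time"] < ev["time"] - window:
            start += 1
        span = evs[start:end + 1]
        if len(span) >= threshold:
            bursts.append((evs[start]["time"], len(span), len({e["User Name"] for e in span})))
    return bursts

def summarize(text):
    """Totals by classification plus any bursts, for a block of 529 records."""
    events = parse_529(text)
    return {"total": len(events),
            "by_class": dict(Counter(classify(e) for e in events)),
            "bursts": find_bursts(events)}
```

Run against the sample, the three Advapi failures land in the "local SYSTEM service" bucket with no IP to act on, while the NtLmSsp failure from the workstation test carries 192.168.1.251; the burst detector reports three distinct usernames inside a few seconds, which is the dictionary pattern the question describes.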
Asked by: gmacdonald

1 Solution
 
Sembee commented:
The common attack is on SMTP, so it is probably there.

Simon.
 
gmacdonald (Author) commented:
Hi Sembee,
I telnetted into port 25 and attempted to send mail as a non-domain user; here is the message (see below). This does not generate a failed logon Event 529, and from what I've read, hackers use SMTP to assist in the retrieval of usernames, not as a point of entry. So I'm still looking to duplicate the hack attack so I can learn how to plug the hole, please.
Thanks for the comment.

220 mms.ca Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at  Mon, 26 Nov 2007 20:36:16 -0700
helo ola.com
250 monarchmessenger.ca Hello [123.123.123.123]
mail from:<junkman>
250 2.1.0 junkman@monarchmessenger.ca....Sender OK
rcpt to:<junk@junk.ca>
550 5.7.1 Unable to relay for junk@junk.ca
rset
250 2.0.0 Resetting
 
Sembee commented:
Not that I am doubting what you had read, but SMTP is very much used to attack Exchange servers - the administrator account is attacked so that a spammer can do an authenticated relay through the server.
Your test above isn't a replication of an authenticated relay attack - it is to see if the server is an open relay, which the server would reject if it has been configured correctly.

What you are referring to is a directory harvest attack, which can be easily defeated and would make a spammer move on to the next target.

Why do you think you have a hole that needs to be plugged? Anything exposed to the internet will get attacked. IIS 6 has never been compromised; it has always been applications installed on IIS 6 that have caused the problem. If the server is running Exchange only, then it is pretty secure if it has been kept up to date with patches.

Simon.
gmacdonald (Author) commented:
Thanks for the feedback Simon. I guess the big thing for me is the real failed logon attempts do not show an IP or external workstation name, just the name of my server, as if they were right on the box. I would like to confirm that I have not overlooked a hole in the defenses. If they are attempting to come through SMTP then I should be able to find the bad guys' IPs from there, true?
Thanks again,
Graham
 
Sembee commented:
The IP address would not be logged in the event viewer, as the authentication is taking place on the server itself. WWW authentication takes place in the same way - even when it is an anonymous "account".
The IP address information is stored in the SMTP logs.

Simon.
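An added example (not part of the thread) of the correlation Simon describes: the SMTP protocol log is where the client IP lives, so parse the W3C log, pick out the 535 replies, and match them by time against the Event 529 entries that carry no source address. The log lines, the #Fields header (trimmed to the columns used here; a real log declares more, and the parser reads whatever the header lists) and the event timestamps are all constructed, and the assumption that the AUTH LOGIN base64 tokens appear in cs-uri-query is marked in the code.

```python
"""Pull SMTP AUTH failures out of an IIS SMTP protocol log and line them up
with Event 529 timestamps from the security log. Added example, not from
the thread. The log lines are constructed: the #Fields header is trimmed to
the columns used here (a real log declares more, and the parser reads
whatever the header lists), and the AUTH LOGIN base64 blobs are assumed to
land in cs-uri-query as shown."""
import base64
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_SMTP_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2007-11-24 03:12:04 203.0.113.7 bogus.example SMTPSVC1 MMS 192.0.2.10 0 EHLO - +bogus.example 250
2007-11-24 03:12:04 203.0.113.7 bogus.example SMTPSVC1 MMS 192.0.2.10 0 AUTH - LOGIN 334
2007-11-24 03:12:05 203.0.113.7 bogus.example SMTPSVC1 MMS 192.0.2.10 0 - - VGVubmlz 334
2007-11-24 03:12:05 203.0.113.7 bogus.example SMTPSVC1 MMS 192.0.2.10 0 - - cGFzc3dvcmQ= 535
2007-11-24 03:12:06 203.0.113.7 bogus.example SMTPSVC1 MMS 192.0.2.10 0 AUTH - LOGIN 334
2007-11-24 03:12:06 203.0.113.7 bogus.example SMTPSVC1 MMS 192.0.2.10 0 - - R29sZg== 334
2007-11-24 03:12:06 203.0.113.7 bogus.example SMTPSVC1 MMS 192.0.2.10 0 - - cGFzc3dvcmQ= 535
2007-11-24 03:12:07 203.0.113.7 bogus.example SMTPSVC1 MMS 192.0.2.10 0 AUTH - LOGIN 334
2007-11-24 03:12:08 203.0.113.7 bogus.example SMTPSVC1 MMS 192.0.2.10 0 - - SG9ja2V5 334
2007-11-24 03:12:08 203.0.113.7 bogus.example SMTPSVC1 MMS 192.0.2.10 0 - - cGFzc3dvcmQ= 535
2007-11-26 20:36:16 198.51.100.5 ola.com SMTPSVC1 MMS 192.0.2.10 0 HELO - +ola.com 250
2007-11-26 20:36:20 198.51.100.5 ola.com SMTPSVC1 MMS 192.0.2.10 0 MAIL - +from:<junkman> 250
2007-11-26 20:36:25 198.51.100.5 ola.com SMTPSVC1 MMS 192.0.2.10 0 RCPT - +to:<junk@junk.ca> 550
"""

# Constructed: when the Advapi Event 529 entries appeared in the security log.
SAMPLE_529_TIMES = [datetime(2007, 11, 24, 3, 12, s) for s in (5, 6, 8)]

def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def auth_failures(text):
    """Per client IP: how many 535 (authentication failed) replies it drew,
    which usernames it tried, and when. Anything that did not end in 535,
    including an open-relay probe answered with 550, is ignored."""
    found = defaultdict(lambda: {"count": 0, "users": [], "times": []})
    pending = defaultdict(list)  # base64 tokens seen since the last AUTH command, per IP (assumed layout)
    for rec in parse_w3c(text):
        ip, status, query = rec["c-ip"], rec["sc-status"], rec["cs-uri-query"]
        if rec["cs-method"] == "AUTH":
            pending[ip] = []
        elif status == "334" and query != "-":
            pending[ip].append(query)
        elif status == "535":
            entry = found[ip]
            entry["count"] += 1
            entry["times"].append(datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S"))
            if pending[ip]:  # first token after AUTH LOGIN is the username
                entry["users"].append(base64.b64decode(pending[ip][0]).decode("utf-8", "replace"))
            pending[ip] = []
    return dict(found)

def correlate(failures, event_times, slack=timedelta(seconds=2)):
    """Attribute each Event 529 timestamp to the client IP whose 535 reply
    fell within +/- slack of it; the event itself never records the IP."""
    attribution = {}
    for t in event_times:
        for ip, entry in failures.items():
            if any(abs(ft - t) <= slack for ft in entry["times"]):
                attribution[t] = ip
    return attribution
```

SMTP reply 535 is the "authentication credentials invalid" response, so each one is a credential the server actually checked, which is consistent with what Simon says above about the Advapi failures being raised on the server itself. The relay test from the earlier comment ends in 550 before any authentication happens, which is why it produced no 529; in this sample every 535 comes from 203.0.113.7 and each of the three 529 timestamps lines up with one of them.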
 
gmacdonald (Author) commented:
Hi Simon, thanks for the help. SMTP logging is turned on now; too bad I didn't have it on last week. I see the IPs showing up in the log. I'll be tracking that for a while to see how it patterns out and corresponds with the security logs. Thanks for the help. Graham