Solved

Dictionary Attack on Small Business Server 2003

Posted on 2007-12-04
8
740 Views
Last Modified: 2008-02-01
I an running a server with Microsoft Small Business Server 2003 and i am seeing multiple failed authentication attempts in the security log.  They all appear as:

Log: Security
Type: Failure Audit
Event: 529
Time: Dec  3 2007 12:02PM
Source: Security
Category: Logon/Logoff
Username: SYSTEM
Computer: ***Removed***
Description: Logon Failure:

        Reason:         Unknown user name or bad password
        User Name:      toyota
        Domain:        
        Logon Type:     3
        Logon Process:  Advapi
        Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
        Workstation Name:       ***Removed***
        Caller User Name:       ***Removed***
        Caller Domain:  ***Removed***
        Caller Logon ID:        (0x0,0x3E7)
        Caller Process ID:      2904
        Transited Services:     -
        Source Network Address: -
        Source Port:    -

There is no Port or IP identified so I am not sure how to prevent future attacks or to identify the source of the current ones.  We do not currently have a hardware firewall (ex. sonicwall) and are relying on the built in SBS firewall.  We do not have an option to purchase additional hardware so what are our other options
0
Comment
Question by:desktopadv
8 Comments
 
LVL 12

Expert Comment

by:bhnmi
ID: 20406952
You wouldnt happen to have a user account toyota in AD would you? Runnig as a service somewhere or used as credentails to access a share?
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20409360
The fact that you removed the workstation, user and domain names leads me to believe that this isn't a dictionary attack at all.  It's an internall issue... which is most likely caused by having a service running under a user account on the named workstation.

Jeff
TechSoEasy
0
 

Author Comment

by:desktopadv
ID: 20410952
Everywhere it says removed it just has the name of our server/domain.  I removed it for security reasons.  Also "toyota" was just one of the crazy names that were tried.  Others included hello, love, happy, etc...
0
 
LVL 21

Accepted Solution

by:
dan_blagut earned 500 total points
ID: 20412519
Hi
If you can afford an hardware firewall, then buy an LinkSys broadband router for 50e or eq. That will do the job for you and you get as bonus an VPN server. At the Windows side configure your account to lockout after 5 atempts for 5 minutes at least.
Like that is very improbable that your guy will find the good account /password pair. But after the installation of firewall I think this kind of attach will disapear.

Dan
0
Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20416276
Well, it could be a virus then... see this newsgroup post for the troubleshooting steps:
http://groups.google.com/group/microsoft.public.windows.server.sbs/browse_thread/thread/825da8d08bd651bf/b0c6cbceb5406038?hl=en&lnk=gst#b0c6cbceb5406038

Jeff
TechSoEasy
0
 

Author Comment

by:desktopadv
ID: 20459499
any other options that wouldn't include new hardware???
0
 

Author Comment

by:desktopadv
ID: 20459515
or is their a way in SBS to block ports above 1000+
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20462392
If you have two NICs you don't need additional hardware, but it couldn't hurt.  With two NICs you are already blocking all ports that aren't needed.  You can't just broadly block all ports above 1000, that wouldn't accomplish anything and would also cause communication problems.

Jeff
TechSoEasy
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

This story has been written with permission from the scammed victim, a valued client of mine – identity protected by request.
This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now