Multiple Unauthorised logon attempts

The Event Viewer on our SBS2003 server (also runs the MSexchange) has shown two instances of logging multiple 529 errors as below.

There are multiple entries logged in succession over approx ten minutes. The messages are all as below except that the username entry is random (e.g. null, admin, 1234, bevis, shannon, soccer, etc.).

During one apparent attack I disconnected the company broadband and they stopped instantly, so it apparently looks as though this is coming from outside the network.

Can anybody advise on how we should trace and deal with this situation please?

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            30/01/2008
Time:            04:14:55
User:            NT AUTHORITY\SYSTEM
Computer:      SEMA01
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      shannon
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      Severname
       Caller User Name:      servername$
       Caller Domain:      SEMA
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      2712
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Asked by cpmcomputers

2 Solutions
SunBow commented:
Run ping and tracert on host:
     Computer:      SEMA01

Install a personal firewall with the ability to always block ports both coming and going, such as ZoneAlarm.

Consider having a packet analyzer available to review the next event. Microsoft has one decent enough to do this called NetMon.

http://www.snapfiles.com/Freeware/network/fwpacketsniffer.html
Protocol Analyzers
Microsoft Network Monitor 3

You should consider turning off all remote access until this is locked up better, especially do not allow remote logons. In worse cases you can and should rename affected systems, and change address etc. Make sure your server is not advertising, recognize that it has become known to anonymous others and react accordingly.
Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
This is one of those questions that's been asked a hundred times on EE.
http://www.google.com/search?q=site%3Awww.experts-exchange.com+MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Have you reviewed any of those to see if they match your problem?

Do you have any services running under a user or administrator account?

Jeff
TechSoEasy
cpmcomputers (Author) commented:
Thanks to TechSoEasy and SunBow.

The Server is protected by ISA 2004.
I have downloaded NetMon and will use it to track any further attacks.

This problem has not re-occurred since we tightened up our security, but we are changing our server IP and settings as a precaution.

We have implemented a strong password policy and restricted remote access to only those few users actually needing it. We have further implemented a lockout policy after three unsuccessful login attempts.

Why does the security log not actually record the originating IP of the logon attempts?
Is it possible to have an email alert to an administrator generated for specific events?

Any advice on any other actions we could/should be taking?

Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
The reason it doesn't show the originating IP is because it's a Logon type "3". Which is NOT coming from the outside... Type 3 is a NETWORK logon i.e. connection to shared folder on this computer from elsewhere on network or IIS logon.  Since the username is NT AUTHORITY\SYSTEM then that would indicate it could just be something internal to that server and not even coming from another machine.

I think that your attempts to "tighten up our security" are misguided actually.

Jeff
TechSoEasy
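An added illustration, not code from the thread or from Microsoft: a small Python parser for the 529 layout quoted in the question that reads the caller fields the way Jeff describes (type 3, no source address, machine account in the SYSTEM session, so the Caller Process ID points at a process on the server itself) and flags the burst of failures for many usernames over ten minutes that the question reports. The sample events, times, usernames and PID are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample in the layout quoted in the question: real 529 field names, made-up values.
TEMPLATE = """Date: 30/01/2008
Time: {time}
    User Name: {user}
    Domain:
    Logon Type: 3
    Logon Process: Advapi
    Caller User Name: servername$
    Caller Logon ID: (0x0,0x3E7)
    Caller Process ID: 2712
    Source Network Address: -"""
# One "Name: value" per line; [ \t]* rather than \s* so an empty "Domain:" cannot swallow the next line.
FIELD = re.compile(r"^[ \t]*([A-Za-z ]+?):[ \t]*(.*?)[ \t]*$", re.MULTILINE)

def parse_event(text):
    """Return the event's fields as a dict; empty or '-' values become None."""
    ev = {k: (v if v and v != "-" else None) for k, v in FIELD.findall(text)}
    ev["when"] = datetime.strptime(f"{ev['Date']} {ev['Time']}", "%d/%m/%Y %H:%M:%S")
    return ev

def describe_source(ev):
    """A type-3 logon with no source address, raised via Advapi (LogonUser) by the machine
    account in the SYSTEM session (0x3E7), came from a process on this server (Caller Process ID)."""
    if ev["Logon Type"] == "3" and ev["Source Network Address"] is None:
        if (ev["Caller User Name"] or "").endswith("$") and ev["Caller Logon ID"] == "(0x0,0x3E7)":
            return f"local SYSTEM process, PID {ev['Caller Process ID']}"
        return "network logon, source address not recorded"
    return ev["Source Network Address"] or "unknown"

def guessing_bursts(events, window=timedelta(minutes=10), min_users=5):
    """Flag a caller PID that fails for many distinct usernames inside one window."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["when"]):
        by_pid[ev["Caller Process ID"]].append(ev)
    alerts = []
    for pid, evs in by_pid.items():
        for i, first in enumerate(evs):
            users = {e["User Name"] or "" for e in evs[i:] if e["when"] - first["when"] <= window}
            if len(users) >= min_users:
                alerts.append((pid, first["when"], sorted(users)))
                break  # one alert per PID is enough
    return alerts

# Six failures a minute apart, using the usernames listed in the question.
SAMPLE = [TEMPLATE.format(time=f"04:1{i}:55", user=u)
          for i, u in enumerate(["", "admin", "1234", "bevis", "shannon", "soccer"])]
```

Run the same two functions over real 529 descriptions exported from Event Viewer; a PID that keeps coming back can then be matched against the process list on the server.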
cpmcomputers (Author) commented:
Thanks to TechSoEasy and SunBow - both offered prompt and relevant 'pointers' to my problem, for which I am grateful. However, neither really provided the definitive answer to what was happening or a definitive resolution. Either subsequent actions I carried out resolved the issue or the attacker simply gave up? Sorry for leaving the question open for so long, and thank you once again to the guys. Despite the 'unresolved' ending to this, I feel they are both worthy of the points awarded.