Critical security issue on server and how to resolve it.

I have what appears to be a security breach on a server. Here is what shows up in the logs.
Logon Failure:
       Reason:      Unknown user name or bad password
       User Name:      hacker
       Domain:       
       Logon Type:      3
       Logon Process:      Advapi
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      COURYSRV01
       Caller User Name:      COURYSRV01$
       Caller Domain:      COURY
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      2128
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -
How can I find the source?
Dan6394Asked:

rehanahmedsCommented:
You can use tools like Limit Login to keep track...

But this error is already there, so you can't track it... maybe someone just tried to give you a shock... I guess no hacker will ever hack your system with an obvious username of hacker...
0
Dan6394Author Commented:
Agreed, but is there a way to isolate the source?
0
SlymCommented:
Some info I found, not an answer but maybe it'll help narrow it down a bit:
Source:
http://www.windowsecurity.com/articles/Logon-Types.html

"Logon Type 3: Network
Windows logs logon type 3 in most cases when you access a computer from elsewhere on the network. One of the most common sources of logon events with logon type 3 is connections to shared folders or printers. But other over-the-network logons are classed as logon type 3 as well, such as most logons to IIS. (The exception is basic authentication, which is explained in Logon Type 8 below.)"

"Logon Type 8: NetworkCleartext
This logon type indicates a network logon like logon type 3, but where the password was sent over the network in clear text. Windows Server doesn't allow connection to shared files or printers with clear text authentication. The only situations I'm aware of are logons from within an ASP script using the ADVAPI or when a user logs on to IIS using IIS's basic authentication mode. In both cases the logon process in the event's description will list advapi. Basic authentication is only dangerous if it isn't wrapped inside an SSL session (i.e. https). As far as logons generated by an ASP script, remember that embedding passwords in source code is a bad practice for maintenance purposes as well as the risk that someone malicious will view the source code and thereby gain the password."
0


Netman66Commented:
It appears that this attempt was made at the console of the server.  Now, either the physical security is such that this attempt was possible or it may have been an RDP attempt from inside the network.

At any rate, it failed, so that's one positive.

You'll need to reassess who has access to the server.

0
Netman66Commented:
Another possibility - it just came to me - is that a virus or trojan on a workstation is attempting to access shares on the server so it can propagate.

Generally, it doesn't attempt the login using a username like "hacker", so this much is puzzling.

0
Dan6394Author Commented:
A new development. The user name has changed to mykey. Event ID 529, 100 attempts.

   Security
529      2/9/2008 5:11 AM      100 *
Logon Failure:
       Reason:      Unknown user name or bad password
       User Name:      mykey
       Domain:       
       Logon Type:      3
       Logon Process:      Advapi
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      COURYSRV01
       Caller User Name:      COURYSRV01$
       Caller Domain:      COURY
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      2128
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

Is there a tool to help me track the location?
0
Netman66Commented:
If you have a router and access to it, turn on IP Accounting.

You should be able to log all incoming and outgoing traffic then correlate the times with the event logs.

0
Netman66Commented:
You can also use Ethereal to capture all the traffic between the server's NIC and the router then correlate the entries to see if you can snag an IP.

0
Dan6394Author Commented:
I'm discovering that it potentially goes a little deeper than just these IDs I've mentioned here. I'm discovering in the security logs that there are a number of IDs that have been tried, leading me to believe that it is possibly a Trojan. So, is there a way to grab the machine hash or IP from the current ISA logs (running SBS 2003 Premium), or is there another tool I should look at?
0
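The author's two posts above (100 failures for one account, then a spread of tried account names) are the kind of pattern a small script over the exported Security log can surface. The following is an added example, not code from the thread: it parses 529 records in the same text layout pasted above (sample records are constructed, including the invented 10.0.0.23 address), counts failures per user name, and reports how many records carry no Source Network Address, which is why the thread turns to router accounting, ISA logs and a packet capture to find the source.

```python
import re
from collections import Counter

# Constructed sample: Event ID 529 records in the same text layout as the ones
# pasted in this thread. Dates, users and the 10.0.0.23 address are invented.
RECORD = ("529      {when}\nLogon Failure:\n"
          "       Reason:      Unknown user name or bad password\n"
          "       User Name:      {user}\n       Domain:       \n"
          "       Logon Type:      {ltype}\n       Logon Process:      {proc}\n"
          "       Source Network Address:      {src}\n")
SAMPLE_LOG = "".join(RECORD.format(**r) for r in [
    dict(when="2/9/2008 5:11 AM", user="mykey", ltype="3", proc="Advapi", src="-"),
    dict(when="2/9/2008 5:11 AM", user="mykey", ltype="3", proc="Advapi", src="-"),
    dict(when="2/9/2008 5:12 AM", user="hacker", ltype="3", proc="Advapi", src="-"),
    dict(when="2/9/2008 5:13 AM", user="mykey", ltype="3", proc="NtLmSsp", src="10.0.0.23"),
])

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")

def parse_529_events(text):
    """Split exported Security-log text into one dict per 529 record."""
    events, current = [], None
    for line in text.splitlines():
        if line.startswith("529"):            # record header: event id + timestamp
            current = {"When": line[3:].strip()}
            events.append(current)
        elif current is not None:
            m = FIELD_RE.match(line)
            if m and m.group(1) != "Logon Failure":
                current[m.group(1)] = m.group(2)
    return events

def summarize(events, threshold=2):
    """Per-user failure counts, users at/over the threshold, how many records
    carry no Source Network Address (the IP must then come from elsewhere:
    router accounting, ISA logs or a packet capture), and how many show the
    Logon Type 3 + Advapi combination discussed in this thread."""
    per_user = Counter(e.get("User Name", "?") for e in events)
    repeated = sorted(u for u, n in per_user.items() if n >= threshold)
    no_source = [e for e in events if e.get("Source Network Address", "-") in ("-", "")]
    advapi_net = [e for e in events
                  if e.get("Logon Type") == "3" and e.get("Logon Process", "").lower() == "advapi"]
    return per_user, repeated, len(no_source), len(advapi_net)

if __name__ == "__main__":
    per_user, repeated, no_src, advapi = summarize(parse_529_events(SAMPLE_LOG))
    print(dict(per_user), repeated, no_src, advapi)
```

Paste the text of a saved Security log export into SAMPLE_LOG's place to run it against real records; a user name with a high count and no source address is the signal to start correlating timestamps with network-side logs.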
Dan6394Author Commented:
OK. I downloaded Wireshark instead. Couldn't find a version of Ethereal that would load. Can I load it on a PC on the network in question? Don't want to put it on the server.
0
rehanahmedsCommented:
Yeah, you can do it, but don't run it on an administrator account...
0
rehanahmedsCommented:
It's not recommended by Wireshark as well to run it on an administrator account...
0
Netman66Commented:
ISA can be set to log as well.

0
Dan6394Author Commented:
I am capturing data but what specifically should I be capturing. The data I have shows nothing. At least that I can tell.
0
martin_babarikCommented:
It might be a part of an automated IP range wide attack.
You know what? Try to take a look at the command "eventtriggers". This one is very useful... it will keep an eye on the events happening on your system, and you can configure it to notify you in case something suspicious is going on.
I use eventtriggers to start a VBScript which sends me an email that is redirected to my mobile phone, so if somebody tries, either successfully or unsuccessfully, to access my server, I know about it in seconds.
0
Dan6394Author Commented:
I'm not certain how to end this one. I traced it down to a couple of PCs and removed them from the network, and all potentially malicious activity has ceased. Not exactly sure of the origin of this, but at any rate the issue has diminished to basically nothing at this point. Sure would like to know what was causing it, but unfortunately I don't have a lab to investigate further.
Thanks to everyone for your suggestions, but it turned out to be just a little detective work. The best option on this one was using Wireshark to try and determine the source. Therefore I have to award points to that suggestion.
0
Dan6394Author Commented:
A difficult problem for sure to trace down remotely with limited information. You all are very much appreciated. Thank you.
0