
Server 2003 AD brute force attacked from other server

Last Modified: 2013-11-29
One of our Server 2003 boxes keeps sending failed Kerberos authentications to our primary domain controller. The primary domain controller's security log is corrupt (is this a coincidence?).

I'm running Wireshark now on the primary domain controller and can see all the failed attempts. I am pretty sure the username that keeps failing doesn't even exist.

I'm going to run Wireshark on the server that is doing the attacks. I cannot turn off this server nor disconnect it because it is running our defect software that at any given time 30-80 people might be using.

What would you guys recommend I do to remedy this situation? What other tools can I use?

Thank you so much

Rich Rumble, Security Samurai
CERTIFIED EXPERT
Top Expert 2006
Commented:

Commented:
Please post a HJT log so that we can research your issue some more. Also, why don't you temporarily block port 750 for the said machine on the internal firewall, or maybe configure an ACL?
Exec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:

Author

Commented:
Thank you very much for all of the help. One of our servers had a suspicious file, sysdrv.sys. I uploaded it to VirusTotal and sure enough it looks like an IRC backdoor virus.

http://www.virustotal.com/analisis/63c53b675c438fdb9da8088ae9e81cac005e0a91610c0aab060585c1af8b7bca-1246623218

I keep seeing failed requests from username krbtgt or server$@domain ... I've attached a packet.

failed-attempt.txt

Author

Commented:
I keep seeing these in my event log:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      673
Date:            7/5/2009
Time:            2:46:51 PM
User:            NT AUTHORITY\SYSTEM
Computer:      DMZDC1A
Description:
Service Ticket Request:
       User Name:            DMZSQL1A$@DMZ.COM
       User Domain:            DMZ.COM
       Service Name:            host/dmzsql1a.dmz.com
       Service ID:            -
       Ticket Options:            0x40810000
       Ticket Encryption Type:      -
       Client Address:            63.xxx.xxx.103
       Failure Code:            0x12
       Logon GUID:            -
       Transited Services:      -


A few days ago I got about twelve of these a second (I shut down the server at the offending IP):
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      675
Date:            7/2/2009
Time:            7:46:40 PM
User:            NT AUTHORITY\SYSTEM
Computer:      DMZDC1A
Description:
Pre-authentication failed:
       User Name:      TsInternetUser
       User ID:            DMZ\TsInternetUser
       Service Name:      krbtgt/DMZ.COM
       Pre-Authentication Type:      0x2
       Failure Code:      0x12
       Client Address:      63.xxx.xxx.229


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
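The two audit records above (673 service ticket request, 675 pre-authentication failure, both with failure code 0x12) are the raw material for spotting this kind of burst from the domain controller side. The following Python script is an added example, not something posted in the thread: it parses records in the Server 2003 security-log text layout shown above, decodes the Kerberos failure code, counts failures per client address and account, and flags any source address that exceeds a threshold inside a one-second sliding window (the "twelve a second" the author describes). The log text it runs on is constructed here from the thread's field layout, with made-up private addresses in place of the redacted 63.xxx.xxx.* ones; the threshold and window values are assumptions to tune for your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Kerberos error codes as logged in the "Failure Code" field (RFC 4120 numbering).
# 0x12 is the code seen in both audits in the thread.
FAILURE_CODES = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",  # client account does not exist
    0x12: "KDC_ERR_CLIENT_REVOKED",       # account disabled, expired or locked out
    0x17: "KDC_ERR_KEY_EXPIRED",          # password expired
    0x18: "KDC_ERR_PREAUTH_FAILED",       # wrong password
    0x25: "KRB_AP_ERR_SKEW",              # clock skew too great
}

# "   Key Name:   value" lines as written by the Server 2003 event viewer text export
_FIELD = re.compile(r"^\s*([A-Za-z -]+):\s*(.*?)\s*$")


def parse_events(text):
    """Split event-log text into one dict per record; keep only Kerberos audits 673/675."""
    events = []
    for record in re.split(r"(?m)^(?=Event Type:)", text):
        fields = {}
        for line in record.splitlines():
            m = _FIELD.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        if fields.get("Event ID") not in ("673", "675"):
            continue  # not a Kerberos audit, or a truncated record
        code = int(fields.get("Failure Code", "0x0"), 16)
        events.append({
            "event_id": int(fields["Event ID"]),
            "when": datetime.strptime(fields["Date"] + " " + fields["Time"],
                                      "%m/%d/%Y %I:%M:%S %p"),
            "user": fields.get("User Name", ""),
            "client": fields.get("Client Address", ""),
            "reason": FAILURE_CODES.get(code, "0x%x" % code),
        })
    return events


def failure_summary(events):
    """Count failures per (client address, account, decoded failure reason)."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["client"], e["user"], e["reason"])] += 1
    return dict(counts)


def burst_sources(events, window_seconds=1, threshold=10):
    """Return {client: peak} for clients with more than `threshold` failures in any
    sliding window of `window_seconds` (assumed defaults; tune for your DC)."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e["when"])
    peaks = {}
    for client, times in by_client.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() >= window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            peaks[client] = peak
    return peaks


# Constructed sample input in the thread's event layout (addresses are made up).
EVENT_675_TEMPLATE = """\
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      675
Date:            {date}
Time:            {time}
User:            NT AUTHORITY\\SYSTEM
Computer:      DMZDC1A
Description:
Pre-authentication failed:
       User Name:      {user}
       User ID:            DMZ\\{user}
       Service Name:      krbtgt/DMZ.COM
       Pre-Authentication Type:      0x2
       Failure Code:      {code}
       Client Address:      {client}
"""

EVENT_673_SAMPLE = """\
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      673
Date:            7/5/2009
Time:            2:46:51 PM
User:            NT AUTHORITY\\SYSTEM
Computer:      DMZDC1A
Description:
Service Ticket Request:
       User Name:            DMZSQL1A$@DMZ.COM
       User Domain:            DMZ.COM
       Service Name:            host/dmzsql1a.dmz.com
       Ticket Options:            0x40810000
       Client Address:            10.0.0.103
       Failure Code:            0x12
"""


def _event_675(time, user, code, client, date="7/2/2009"):
    return EVENT_675_TEMPLATE.format(date=date, time=time, user=user, code=code, client=client)


# Twelve failures in one second from one host, two stragglers a second later, one 673.
SAMPLE_LOG = "\n".join(
    [_event_675("7:46:40 PM", "TsInternetUser", "0x12", "10.0.0.229")] * 12
    + [_event_675("7:46:41 PM", "TsInternetUser", "0x12", "10.0.0.229"),
       _event_675("7:46:41 PM", "nosuchuser", "0x6", "10.0.0.229"),
       EVENT_673_SAMPLE]
)

if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for key, n in sorted(failure_summary(evts).items()):
        print("%-12s %-22s %-28s %d" % (key + (n,)))
    print("burst sources:", burst_sources(evts))
```

Running it prints one line per (client, account, reason) and then the burst sources; on the constructed input that is the .229 host with a peak of 12 failures in one second. The decoded reason is worth keeping in the report: 0x12 (client revoked) on a disabled account such as TsInternetUser looks different from 0x18 (bad password) guessing or 0x6 (unknown principal) against names that do not exist, and the mix tells you what the offending host is doing before you pull it off the network.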

Commented:
You might have been infected with Backdoor.Ryknos. Try disinfecting it with http://www.symantec.com/business/security_response/writeup.jsp?docid=2005-111016-4134-99
Rich Rumble, Security Samurai
CERTIFIED EXPERT
Top Expert 2006

Commented:
We rebuild our servers/computers when infected, for peace of mind and assurance that we removed the virus. Look at which AV makers on VirusTotal detected the nasty, back up your files, and scan them with one of those AV programs to make sure your backed-up data isn't infected. Rebuild the server, restore the backup data to the new server, turn off the old server, re-IP/rename the new server. Get AV installed on your critical servers.
We have Ghost images for most servers, PCs and LTs that make rebuilding go much faster.
-rich
btan, Exec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
btan, Exec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
See good rootkit detectors like
a) GMER - quite technical but free (http://www.gmer.net/)
b) FSecure Blacklight - Free and good (http://www.f-secure.com/en_EMEA/products/technologies/blacklight/)
c) RootKit Revealer - Free  (http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx)

My take is try out the Blacklight first to see if it can catch any .... :)

Best of luck !!

Author

Commented:
Okay, I am using EE Mobile now; I really appreciate all the help. I will assign points when I return to my PC.

thank you!

Author

Commented:
Thank you