Solved

Server 2003 AD brute force attacked from other server

Posted on 2009-07-01
13
470 Views
Last Modified: 2013-11-29
One of our server 2003 boxes keeps sending failed kerbros authentications to our primary domain controller.  The primary domain controllers security log is corrupt (is this a coiencidence?).

I'm running wireshark now on the primary domain controller and can see all the failed attempts.  I am pretty sure the username that keeps failiing doesn't even exist.

I'm going to run wireshark on the server that is doing the attacks.  I cannot turn off this server nor disconnect it because it is running our defect software that at any given time 30-80 people might be using.

What would you guys recommend I do to remedy this situation?  What other tools can i use?

Thank you so much
0
Comment
Question by:braker15
  • 4
  • 3
  • 2
  • +2
13 Comments
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 100 total points
ID: 24769186
We don't risk it anymore, if you have that big an issue, and it sounds like an account is on the box that shouldn't be on the box, you need to rebuild. You have to create some downtime fo that box to back up the data you need so you can restore that data to a new server you build up. Have the new server built first, get the downtime, restore as much functionality as you can.
We've also found that separating duties is a must, let AD servers be just AD servers, and use VmWare or Xen for virtualizing  servers that don't need to be run on dedicated hardware. (VMware or AD will complain when you to install a GC on a vmware instance)
If you can locate what is trying to use this account, disable it, maybe that is all you need, but you should probably rebuild if the server was compromised.
-rich
0
 
LVL 7

Expert Comment

by:Phateon
ID: 24771577
Please post a HJT log so that we can see which research some more about your issue. Also, why don't you temporarily block the port 750 for the said machine on the internal firewall or maybe configure an ACL?
0
 
LVL 61

Accepted Solution

by:
btan earned 350 total points
ID: 24776339
Seems like the failed attempts are like classic known weakness of kerberos systems.
- Replay attacks and password-guessing attacks. A replay attack would involve intercepting or otherwise acquiring a Kerberos ticket and then fraudulently representing that ticket in an attempt to gain authentication. Password guessing in a Kerberos system could be done by intercepting Kerberos tickets from the network and then making a brute force attempt to decrypt the intercepted tickets.
-  An attacker may exploit outdated software in the infrastructure. For example, there are many problems with Kerberos version 4. In order to prevent these attacks, Kerberos 5 has been modified to use triple DES in Cipher Block Chaining (CBC) mode.
- Having said that password attack in v5 based on password is still possible (like in this case).

Recommendations (ref to http://www.windowsdevcenter.com/pub/a/windows/excerpt/swarrior_ch14/index1.html):
a) Authentication scheme that relies on only username and password can be cracked using repeated attempts. This is why most password protected resources will limit the number of unsuccessful login attempts over a time period to a reasonably low number that still guarantees a typo won't lock the user out forever.

b) For increased security extra services will be required such as limiting login attempts (or better yet hiding the server from all but) a known trusted range of network addresses (either logical addresses such as IP ranges or stronger still physical addresses like MAC addresses or other hardware specific data, possibly a combination of all these).

c) By using both hardware authentication combined with allowing only known network addresses AND username/password authentication you can at least be sure that any attempt comes from inside the known network AND from a known machine on that network. If you have people using l0phtcrack on the internal LAN it should then be easy to catch them by logging the number of repeated fail attempts from a single connection and having some alarm trigged to security if there's an unusual number of fails from a given location (say more than 5 attempts in a 10 minute interval to the same account, or attempting to log into 5 accounts in that same interval).

d) Adding smartcards into the equation makes it even easier to pinpoint the source of the intrusion attempt. But this is a more tedious change over especially having higher cost due to hardware involved but do consider it for longer term

>> As of now I suggest changing the password lockdown attempts (reactive to contain attack for interim) and if possible up a backup server (see below) for failover (business continuity).

High resiliency related info:
a) Kerberos was designed to allow for a Master/Slave replication cluster. While a Kerberos cluster can consist of any number of hosts, it is recommended that you have at least two. A master which serves as the primary server and at least one slave which is available as a backup to the master. The master and slave servers may be thought of as Primary and Secondary servers respectively.

b) Despite the errors, do also note that critical system (like AD) should maintain high availability and scalability. Take a look at You should be looking at "Using IT Procedures to Increase Availability and Scalability" in <http://technet.microsoft.com/en-us/library/cc786570(WS.10).aspx>

For AD (or kerberos systems), do spend some time looking at the practices:
a) Automated clustering - http://technet.microsoft.com/en-us/library/cc787869(WS.10).aspx
b) Deploying secure AD - http://technet.microsoft.com/en-us/library/cc756081(WS.10).aspx
c) Strengthening Domain and Domain Controller Policy Settings (see audit and password portion) - http://technet.microsoft.com/en-us/library/cc773142(WS.10).aspx
http://tldp.org/HOWTO/Kerberos-Infrastructure-HOWTO/server-replication.html

Hope it helps
0
 
LVL 1

Author Comment

by:braker15
ID: 24781931
thank you very much for all of the help.  one of our servers had a suspicious file sysdrv.sys.. i uploaded it to virus total and sure enough it looks like an irc backdoor virus.

http://www.virustotal.com/analisis/63c53b675c438fdb9da8088ae9e81cac005e0a91610c0aab060585c1af8b7bca-1246623218

i keep seeing failed requests from username krbtgt or server$@domain ... i've attached a packet.




failed-attempt.txt
0
 
LVL 1

Author Comment

by:braker15
ID: 24781946
i keep seeing these in my event log:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      673
Date:            7/5/2009
Time:            2:46:51 PM
User:            NT AUTHORITY\SYSTEM
Computer:      DMZDC1A
Description:
Service Ticket Request:
       User Name:            DMZSQL1A$@DMZ.COM
       User Domain:            DMZ.COM
       Service Name:            host/dmzsql1a.dmz.com
       Service ID:            -
       Ticket Options:            0x40810000
       Ticket Encryption Type:      -
       Client Address:            63.xxx.xxx.103
       Failure Code:            0x12
       Logon GUID:            -
       Transited Services:      -


a few days ago i got about twelve of these a second (i shut down the server at offending ip):
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      675
Date:            7/2/2009
Time:            7:46:40 PM
User:            NT AUTHORITY\SYSTEM
Computer:      DMZDC1A
Description:
Pre-authentication failed:
       User Name:      TsInternetUser
       User ID:            DMZ\TsInternetUser
       Service Name:      krbtgt/DMZ.COM
       Pre-Authentication Type:      0x2
       Failure Code:      0x12
       Client Address:      63.xxx.xxx.229


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

0
 
LVL 7

Expert Comment

by:Phateon
ID: 24783775
You might have been infected with Backdoor.Ryknos. Try disinfecting it with http://www.symantec.com/business/security_response/writeup.jsp?docid=2005-111016-4134-99
0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 
LVL 38

Expert Comment

by:Rich Rumble
ID: 24784409
We rebuild our servers/computers when infected, peace of mind and assurance that we removed the virus. Look at what AV makers on virustotal detected the nasty, backup your files, scan them with one of those AV programs to make sure your backed up data isn't infected. Rebuild the server, restore the backup data to the new server, turn off the old server, re-ip/rename the new server. Get AV installed on your critical servers.
We have ghost images for most servers, pc's and LT's that make rebuilding go much faster.
-rich
0
 
LVL 61

Assisted Solution

by:btan
btan earned 350 total points
ID: 24829478
Agree that the DC should be "restore" into original state.
You may also want to consider Virtual image for DC and restoring is easier (reverting snapshots).
Minimally AV need to be installed but note that it should not be connected online (preferably not), hence manual update is needed.
Better to have some IDS or HIPS in the infrastructure so that these similar traffic can be monitored and alerts can be correlated early (but revamp take times and consideration, talk to the IT Team)

Also to share that beside Virustotal, you can consider online malware analysis services like ThreatExpert, CwSandbox. They give more detail reports (check out their sample reports) as VirusTotal is more of a "surface report"
- http://www.threatexpert.com/introduction.aspx
- http://www.cwsandbox.org/?site=1&page=submit

Last but not least, do harden your server and turn off unnecessary services e.g. Telnet, etc. Good to go for pentest as regular checks
0
 
LVL 6

Assisted Solution

by:astralcomputing
astralcomputing earned 50 total points
ID: 24848414
Firstly, if that box is that important that you cannot shut it down, invest in redundancy.

Secondly, you (almost) definately have a rootkit, because rootkits setup a .sys file to mask their true apps. Look for exe's in the Windows and windows\system32 directory with the Hidden and Read on or system attribute and approach any with suspicion.

0
 
LVL 61

Expert Comment

by:btan
ID: 24885112
See good rootkit detector like
a) GMER - quite technical but free (http://www.gmer.net/)
b) FSecure Blacklight - Free and good (http://www.f-secure.com/en_EMEA/products/technologies/blacklight/)
c) RootKit Revealer - Free  (http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx)

My take is try out the Blacklight first to see if it can catch any .... :)

Best of luck !!
0
 
LVL 1

Author Comment

by:braker15
ID: 25209301
Okay, I am using ee mobile now, I really appreciate all the help. I will assign points when I return to my pc

thank you!
0
 
LVL 1

Author Closing Comment

by:braker15
ID: 31598855
thank you
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
Never store passwords in plain text or just their hash: it seems a no-brainier, but there are still plenty of people doing that. I present the why and how on this subject, offering my own real life solution that you can implement right away, bringin…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now