braker15

asked on

Server 2003 AD brute force attacked from other server

One of our Server 2003 boxes keeps sending failed Kerberos authentications to our primary domain controller.  The primary domain controller's security log is corrupt (is this a coincidence?).

I'm running Wireshark now on the primary domain controller and can see all the failed attempts.  I am pretty sure the username that keeps failing doesn't even exist.

I'm going to run Wireshark on the server that is doing the attacks.  I cannot turn off this server nor disconnect it because it is running our defect software that at any given time 30-80 people might be using.

What would you guys recommend I do to remedy this situation?  What other tools can I use?

Thank you so much
SOLUTION
Rich Rumble
Please post an HJT log so that we can research your issue some more. Also, why don't you temporarily block port 750 for the said machine on the internal firewall, or maybe configure an ACL?
ASKER CERTIFIED SOLUTION
braker15

ASKER

Thank you very much for all of the help.  One of our servers had a suspicious file, sysdrv.sys. I uploaded it to VirusTotal and sure enough it looks like an IRC backdoor virus.

http://www.virustotal.com/analisis/63c53b675c438fdb9da8088ae9e81cac005e0a91610c0aab060585c1af8b7bca-1246623218

I keep seeing failed requests from username krbtgt or server$@domain ... I've attached a packet.

Attached: failed-attempt.txt

I keep seeing these in my event log:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      673
Date:            7/5/2009
Time:            2:46:51 PM
User:            NT AUTHORITY\SYSTEM
Computer:      DMZDC1A
Description:
Service Ticket Request:
       User Name:            DMZSQL1A$@DMZ.COM
       User Domain:            DMZ.COM
       Service Name:            host/dmzsql1a.dmz.com
       Service ID:            -
       Ticket Options:            0x40810000
       Ticket Encryption Type:      -
       Client Address:            63.xxx.xxx.103
       Failure Code:            0x12
       Logon GUID:            -
       Transited Services:      -


A few days ago I got about twelve of these a second (I shut down the server at the offending IP):
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      675
Date:            7/2/2009
Time:            7:46:40 PM
User:            NT AUTHORITY\SYSTEM
Computer:      DMZDC1A
Description:
Pre-authentication failed:
       User Name:      TsInternetUser
       User ID:            DMZ\TsInternetUser
       Service Name:      krbtgt/DMZ.COM
       Pre-Authentication Type:      0x2
       Failure Code:      0x12
       Client Address:      63.xxx.xxx.229


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
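As an added illustration (this is not code from the thread or from any of its participants): a small Python script that parses the 673/675 event text quoted above, translates the failure code into its RFC 4120 name (0x12 is KDC_ERR_CLIENT_REVOKED, meaning the account is disabled, expired, locked out or outside its logon hours, as distinct from 0x18, KDC_ERR_PREAUTH_FAILED, which is a wrong password), and flags any client address that produces a burst of failures, which is what "twelve of these a second" looks like in the log. The sample events, the 192.0.2.x addresses and the threshold of 10 failures within 60 seconds are constructed assumptions, not values from the poster's network.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos error codes as shown in the "Failure Code" field of Windows Server
# 2003 events 673/675; names and meanings follow RFC 4120 section 7.5.9.
KRB_ERRORS = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN (account does not exist)",
    0x12: "KDC_ERR_CLIENT_REVOKED (account disabled, expired, locked out or outside logon hours)",
    0x17: "KDC_ERR_KEY_EXPIRED (password expired)",
    0x18: "KDC_ERR_PREAUTH_FAILED (wrong password)",
    0x25: "KRB_AP_ERR_SKEW (clock skew too great)",
}

# "Field name:   value" lines of the exported event text; header-only lines such
# as "Description:" or "Pre-authentication failed:" carry no value and are skipped.
FIELD_RE = re.compile(r"^\s*([A-Za-z \-]+?):\s+(\S.*?)\s*$")


def parse_events(text):
    """Split an exported Security log into events; return one dict per event."""
    events = []
    for chunk in re.split(r"\n(?=Event Type:)", text.strip()):
        ev = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if m:
                ev[m.group(1).strip()] = m.group(2)
        if "Event ID" not in ev:
            continue
        ev["timestamp"] = datetime.strptime(ev["Date"] + " " + ev["Time"], "%m/%d/%Y %I:%M:%S %p")
        ev["failure"] = int(ev.get("Failure Code", "0x0"), 16)
        events.append(ev)
    return events


def describe(ev):
    """One-line human-readable summary of a failed ticket request."""
    reason = KRB_ERRORS.get(ev["failure"], hex(ev["failure"]))
    return f"event {ev['Event ID']} from {ev.get('Client Address', '-')}: {ev.get('User Name', '?')} -> {reason}"


def detect_bursts(events, window=timedelta(seconds=60), threshold=10):
    """Return {client_address: peak_count} for sources with at least `threshold`
    failed Kerberos requests (events 673/675) inside any `window`-long span."""
    by_source = defaultdict(list)
    for ev in events:
        if ev["Event ID"] in ("673", "675"):
            by_source[ev.get("Client Address", "-")].append(ev["timestamp"])
    flagged = {}
    for src, times in by_source.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


# Constructed sample log modelled on the events quoted in the thread: one
# service-ticket failure (673) plus a burst of 24 pre-authentication failures
# (675) at 12 per second from a second host. Addresses are from the 192.0.2.0/24
# documentation range and are not the poster's.
EVENT_673 = """Event Type:      Failure Audit
Event Category:      Account Logon
Event ID:      673
Date:            7/5/2009
Time:            2:46:51 PM
Computer:      DMZDC1A
Description:
Service Ticket Request:
       User Name:            DMZSQL1A$@DMZ.COM
       Service Name:            host/dmzsql1a.dmz.com
       Client Address:            192.0.2.103
       Failure Code:            0x12
"""

EVENT_675 = """Event Type:      Failure Audit
Event Category:      Account Logon
Event ID:      675
Date:            7/2/2009
Time:            7:46:{sec:02d} PM
Computer:      DMZDC1A
Description:
Pre-authentication failed:
       User Name:      TsInternetUser
       Service Name:      krbtgt/DMZ.COM
       Pre-Authentication Type:      0x2
       Failure Code:      0x12
       Client Address:      192.0.2.229
"""

SAMPLE_LOG = EVENT_673 + "\n".join(EVENT_675.format(sec=40 + i // 12) for i in range(24))

if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print(describe(events[0]))
    for src, peak in detect_bursts(events).items():
        print(f"burst: {peak} failures from {src} within 60 s")
```

To run it against a real export, save the event text from Event Viewer to a file and pass its contents to parse_events. The sliding window is what separates a disabled service account that retries every few minutes (a configuration problem, and the usual meaning of a lone 0x12) from a host hammering the KDC with the same revoked principal, which is the pattern worth isolating first.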

You might have been infected with Backdoor.Ryknos. Try disinfecting it with http://www.symantec.com/business/security_response/writeup.jsp?docid=2005-111016-4134-99
We rebuild our servers/computers when infected; it gives peace of mind and assurance that we removed the virus. Look at which AV makers on VirusTotal detected the nasty, back up your files, and scan them with one of those AV programs to make sure your backed-up data isn't infected. Rebuild the server, restore the backup data to the new server, turn off the old server, re-IP/rename the new server. Get AV installed on your critical servers.
We have Ghost images for most servers, PCs and LTs that make rebuilding go much faster.
-rich
SOLUTION
SOLUTION
See good rootkit detectors like
a) GMER - quite technical but free (http://www.gmer.net/)
b) F-Secure BlackLight - free and good (http://www.f-secure.com/en_EMEA/products/technologies/blacklight/)
c) RootkitRevealer - free (http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx)

My take is to try out BlackLight first to see if it can catch any .... :)

Best of luck!!
Okay, I am using EE mobile now. I really appreciate all the help. I will assign points when I return to my PC.

Thank you!
Thank you