Solved

Indicative of attempted hack?

Posted on 2010-01-04
Last Modified: 2013-12-04
I was going over the security logs this morning and came across a string of failure audits (Logon/Logoff) which contained the following info:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            1/4/2010
Time:            10:59:53 AM
User:            NT AUTHORITY\SYSTEM
Computer:      MLDC01
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      administrator
       Domain:            DOMAIN1
       Logon Type:      10
       Logon Process:      User32  
       Authentication Package:      Negotiate
       Workstation Name:      MLDC01
       Caller User Name:      MLDC01$
       Caller Domain:      DOMAIN1
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      5576
       Transited Services:      -
       Source Network Address:      <IP address given is located in Canada>
       Source Port:      60514

--------------------------------------------------------------------------------------------------

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            1/4/2010
Time:            11:07:30 AM
User:            NT AUTHORITY\SYSTEM
Computer:      MLDC01
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      admin
       Domain:            DOMAIN1
       Logon Type:      10
       Logon Process:      User32  
       Authentication Package:      Negotiate
       Workstation Name:      MLDC01
       Caller User Name:      MLDC01$
       Caller Domain:      DOMAIN1
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      5176
       Transited Services:      -
       Source Network Address:      <IP address given is located in Canada>
       Source Port:      61354


I've never seen anything like this before and it seems very peculiar. I checked the WHOIS database and it doesn't return any info for that IP address - only that it seems to be based in Canada. What can I do from here? Logical next steps?

Thank you!!!

Question by: Haze0830

5 Comments

Author Comment by: Haze0830
ID: 26173574
The source IP has been blocked until I can determine what's going on here.

Author Comment by: Haze0830
ID: 26173594
Logon type 10 indicates a logon attempt via terminal services. I think my initial assessment was correct - no?

Expert Comment by: Mike_Carroll
ID: 26174763
Certainly looks very suspicious. Logon type 10 indicates an attempted logon using RDP through either terminal services or remote desktop. It is hard to see how this could be accidental although, strictly speaking, the case could be argued.

Personally, I would leave the IP blocked and forget about it. It's amazing the number of these events that logs pick up and even then, after you get a really obvious attempted hack, trying to make anything stick is incredibly difficult.

Author Comment by: Haze0830
ID: 26174821
Thank you. I appreciate the response. We treated it as such an attempt just to be on the safe side.

Accepted Solution by: Mike_Carroll (earned 2000 total points)
ID: 26174980
The admin bit would lead me to look at it as accidental but having said that, the fact that it happened at all would lead me to treat it as malicious. A terminal services or remote desktop connection has to be consciously initiated - they don't happen by accident.

I've seen these things happen many times over the years and invariably, they all get dropped pretty quickly by both the service providers and the authorities. It would not surprise me if it's apathy from the service providers and lack of know-how from the authorities. Either way, the law is not there at the moment and the simplest thing to do is to block the IP address and keep an eye on things.

It would not do any harm to have a quiet word with the service providers responsible for the IP address and explain to them exactly what happened. It might be enough for them to have a quiet word with the person responsible and explain to them the error of their ways.

Sorry, I know it's not what you'd like to hear but I've been there so many times and these days, I just block the IP.
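To "keep an eye on things" as suggested above, here is an added example (not code from the thread or from any poster) that parses records in the Event ID 529 text layout quoted in the question and groups Logon Type 10 (Terminal Services / Remote Desktop) failures by Source Network Address, so repeated remote failures and guesses at built-in account names such as administrator and admin stand out. The log text and the 203.0.113.45 address are constructed stand-ins for the poster's redacted values.

```python
import re
from collections import defaultdict

# Constructed sample in the Event ID 529 text layout quoted in the question;
# 203.0.113.45 is a documentation-range address standing in for the redacted one.
SAMPLE_LOG = """Event Type:      Failure Audit
Event ID:      529
       Reason:            Unknown user name or bad password
       User Name:      administrator
       Logon Type:      10
       Source Network Address:      203.0.113.45
       Source Port:      60514
--------------------------------------------------------------------------------------------------
Event Type:      Failure Audit
Event ID:      529
       Reason:            Unknown user name or bad password
       User Name:      admin
       Logon Type:      10
       Source Network Address:      203.0.113.45
       Source Port:      61354
"""

# "Field Name:   value" per line; the lazy key stops at the first colon, so "Time: 10:59:53 AM" splits correctly.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$", re.MULTILINE)

def parse_records(text):
    """Split the export on the dashed separator and keep each Event ID 529 record as a dict."""
    records = []
    for chunk in re.split(r"^-{10,}\s*$", text, flags=re.MULTILINE):
        fields = dict(FIELD_RE.findall(chunk))
        if fields.get("Event ID") == "529":
            records.append(fields)
    return records

def rdp_failures_by_source(records):
    """Group Logon Type 10 (Terminal Services / Remote Desktop) failures by client address."""
    by_source = defaultdict(lambda: {"count": 0, "users": set()})
    for rec in records:
        if rec.get("Logon Type") != "10":
            continue
        entry = by_source[rec.get("Source Network Address", "-")]
        entry["count"] += 1
        entry["users"].add(rec.get("User Name", "").lower())
    return dict(by_source)

def suspicious_sources(by_source, threshold=2):
    """Addresses with repeated RDP failures, or any guess at a built-in admin account name."""
    hits = []
    for addr, entry in sorted(by_source.items()):
        if entry["count"] >= threshold or entry["users"] & {"administrator", "admin"}:
            hits.append((addr, entry["count"], sorted(entry["users"])))
    return hits
```

Point it at a text export of the Security log (or the output of a query that writes the same fields) and review the addresses it returns against the block list.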