• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 273

I think I'm being cracked

I'm no expert on network security, but I received an Event ID 539 last night from my SBS2003 DC informing me that a user had been locked out. I looked at my logs this morning and found the entry. The user name had been locked out of attempting to gain access to my DC. I called the user to make sure that it in fact wasn't him, and he informed me that he hadn't done anything that night. This user does not have administrative privileges, but I am worried that if this person gains access to my DC even without admin privs he can wreak some havoc.

Here is the log info:

Logon Failure:
       Reason:            Account locked out
       User Name:      davidt
       Domain:      DOMAIN
       Logon Type:      8
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      THOMANNASPHALT2
       Caller User Name:      THOMANNASPHALT2$
       Caller Domain:      DOMAIN
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID: 6052
       Transited Services: -
       Source Network Address:      166.137.138.137
       Source Port:      40978

Apparently a variety of ports were used: 40940, 40978, 41036

I'm not really sure what to do here to avoid having this happen again.
Asked by: dthomann
1 Solution
 
Tripyre commented:
It may be a virus such as the Conficker worm. The Conficker worm will attempt multiple accounts and lock them out, as it uses a brute-force password hack.
 
http://support.microsoft.com/kb/962007 
 
neubda commented:
I don't think so. It's Logon Type 8, so it differs from normal worms. I would go for an "open" IIS to the internet or local network. More likely someone attempted several tries on a htaccess from... OWA? If you have an IIS you should search the logs or enable it for the time being.
 
dthomann (Author) commented:
IIS is running with OWA. What am I looking for in the logs for IIS?
 
dthomann (Author) commented:
Also, I did a trace on the IP address where the logon came from and found it was located in Wichita KA. We're located in NC.
 
neubda commented:
Guess you can't do too much to prevent this if OWA is open to everyone on the net. I would simply watch the logs if it happens again. If it does, you could go a step ahead and try implementing an IPS (expensive) or simply guard it with a firewall and a rate limit for http/s. It will not prevent the attacker from trying out passwords, but it will slow him down.
Another task would be shutting down unencrypted HTTP OWA. Web Access over HTTPS requires form-based authentication, which should always be the only way to access OWA!
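As an added example (not posted by anyone in this thread), here is a small Python script that does what neubda suggests in the two replies above: go through the IIS W3C logs and flag source addresses that rack up repeated 401 responses against OWA paths in a short window. The log lines are constructed for illustration; the field layout, the OWA path prefixes, the 10-minute window and the threshold of 5 are assumptions, not something from the original post.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in IIS 6 W3C extended format (not taken from the thread).
# Assumed field selection: date time c-ip cs-method cs-uri-stem cs-username sc-status
SAMPLE_IIS_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-username sc-status
2009-03-10 02:14:03 166.137.138.137 GET /exchange/ - 401
2009-03-10 02:14:05 166.137.138.137 GET /exchange/ DOMAIN\\davidt 401
2009-03-10 02:14:07 166.137.138.137 GET /exchange/ DOMAIN\\davidt 401
2009-03-10 02:14:09 166.137.138.137 GET /exchange/ DOMAIN\\davidt 401
2009-03-10 02:14:11 166.137.138.137 GET /exchange/ DOMAIN\\davidt 401
2009-03-10 02:14:13 166.137.138.137 GET /exchange/ DOMAIN\\davidt 401
2009-03-10 02:20:40 10.0.0.25 GET /exchange/ DOMAIN\\alice 401
2009-03-10 02:20:44 10.0.0.25 GET /exchange/ DOMAIN\\alice 200
2009-03-10 02:21:00 10.0.0.25 GET /exchange/inbox - 200
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))

def find_owa_bruteforce(text, threshold=5, window=timedelta(minutes=10),
                        owa_prefixes=("/exchange", "/owa", "/exchweb")):
    """Return {c-ip: {"failures": total 401s, "users": names IIS recorded}}
    for every client that produced >= threshold 401s on OWA paths within
    any window-long span. Thresholds and prefixes are assumed values."""
    attempts = defaultdict(list)  # c-ip -> [(timestamp, cs-username)]
    for rec in parse_w3c(text):
        if rec["sc-status"] != "401":
            continue
        if not rec["cs-uri-stem"].lower().startswith(owa_prefixes):
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        attempts[rec["c-ip"]].append((ts, rec["cs-username"]))
    hits = {}
    for ip, events in attempts.items():
        events.sort()
        start = 0  # sliding window over the time-ordered failures
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = {"failures": len(events),
                            "users": sorted({u for _, u in events if u != "-"})}
                break
    return hits
```

A flagged address can then be matched against the Source Network Address in the 539 events, as in the entry quoted in the question.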
Question has a verified solution.
