geteke asked:

SBS 2003 - Cannot locate source of Logon Attack Failures

I have a SBS 2003 server on my network, which has come under a brute-force attack from an unknown source (no source IP or source port).  I cannot find where this attack is coming from and believe it to be an infected client launching the attack at various times.

This is a sample of the many Event Viewer entries (the others have various user names):

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            2/10/2011
Time:            1:20:04 AM
User:            NT AUTHORITY\SYSTEM
Computer:      <server name>
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:                             alice
       Domain:            
       Logon Type:                              3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      <server name>
       Caller User Name:      <server name>$
       Caller Domain:      <domain name>
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      1564
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -
(No "alice" user account exists on the network)

What is my best course of action to find out which client(s) may be compromised or where this attack is coming from?  Is there a better way/software to monitor incoming traffic no matter the source?

Thanks in advance.
Old User:

Download and install Wireshark

http://www.wireshark.org/

use this to capture the traffic and you should be able to identify the ip address that is causing your issue
ASKER CERTIFIED SOLUTION

Alan Hardisty:

This solution is only available to members.
Oh-Y-Not:

First course of action would be to identify what PID 1564 is. I've seen those before, and I bet ya it is inetinfo.exe.

Report back when you have that info. What to do next depends on what info we have.

::: Tony

Alan Hardisty:

Tony - please read the previously posted comments before adding a repeat of what has already been posted.

Thanks

Alan
geteke (Asker):

There is no Caller Process ID 1564 in Task Manager. It may only come around when the attack is being launched.

I have WireShark installed, but what filter should I set in the capture options?

Is there another way to find the source?
Alan Hardisty:

Have you added the PID column and sorted the PID column, then looked down the list for PID 1564?
SOLUTION

This solution is only available to members.
geteke (Asker):

I did alanhardisty,  and it does not show PID 1564.  I also don't believe that this was a service on the server trying to authenticate, as the user names being used varied and were random. Some that were used were candy, mail, administrador (that's how it was spelled), alex, alice, and many others.

If there is no Source Address or Source Port, does that indicate that the attack was within the network and not from, say, the internet?  Are there other logs in SBS that could be of better help?  Could the Security Logs on the clients be of better help?

You could be seeing these events because of Brute Force attacks on the RWW or OWA login pages...

You can test this yourself by attempting to login with a fake user account and then watch as your security logs report the event. You'll see the following for each failed attempt.

       Logon Type:                              3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      <server name>
       Caller User Name:      <server name>$


I'm going to suggest that this is not a direct attack but rather a bot net that has found your login pages and is going to try to gain access before moving on to another IP.

If you're hard pressed to take action you'll need to correlate the failed login events with your firewall logs so you can determine the originating IP and then block it.

I run an FTP server and am constantly under fire... I rely on good passwords to keep the bad guys out. But, if I see a repeat and frequent offender, I'll block the IP.
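The correlation step suggested above, worked through as an added example (this is not code from any poster in the thread). A 529 whose Logon Process is Advapi and whose Source Network Address is "-" was generated by a web login handled on the server itself (OWA/RWW), so the client address has to come from the IIS W3C log or the firewall log rather than the Security log. The script parses an Event Viewer text export, parses an IIS log using its #Fields header, and counts which client IPs hit the site within a few seconds of each source-less 529. Everything below is constructed for the example: the trimmed event records, the IIS lines and URIs, and the assumption that IIS (which logs in UTC by default) is five hours ahead of the server's local clock.

```python
"""Correlate Event ID 529 failure audits with IIS W3C logs to find the client IP.

Added example for this thread, not code from any poster. Sample data is constructed.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: Event Viewer text export, trimmed to the fields used here.
EVENTS_TXT = """\
Event Type:      Failure Audit
Event ID:      529
Date:            2/10/2011
Time:            1:20:04 AM
       User Name:      alice
       Logon Process:      Advapi
       Source Network Address:      -
Event Type:      Failure Audit
Event ID:      529
Date:            2/10/2011
Time:            1:20:09 AM
       User Name:      administrador
       Logon Process:      Advapi
       Source Network Address:      -
Event Type:      Failure Audit
Event ID:      529
Date:            2/10/2011
Time:            1:25:00 AM
       User Name:      bob
       Logon Process:      NtLmSsp
       Source Network Address:      192.0.2.44
"""

# Constructed sample IIS 6 log. IIS logs in UTC by default; this example assumes
# the server runs at UTC-5, so 06:20 UTC is 01:20 local (the Event Viewer time).
IIS_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2011-02-10 06:20:03 203.0.113.7 POST /exchweb/bin/auth/owaauth.dll 302
2011-02-10 06:20:08 203.0.113.7 POST /exchweb/bin/auth/owaauth.dll 302
2011-02-10 06:20:20 192.0.2.5 GET /Remote/logon.aspx 200
2011-02-10 06:30:00 198.51.100.9 GET /exchange/ 401
"""
IIS_UTC_OFFSET = timedelta(hours=-5)  # assumption for the sample; set per site

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_529_events(text):
    """Split an Event Viewer text export into one dict per Event ID 529 record."""
    events = []
    for record in re.split(r"\n(?=Event Type:)", text.strip()):
        fields = {}
        for line in record.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        if fields.get("Event ID") != "529":
            continue
        when = datetime.strptime(fields["Date"] + " " + fields["Time"],
                                 "%m/%d/%Y %I:%M:%S %p")
        events.append({"when": when,
                       "user": fields.get("User Name", ""),
                       "process": fields.get("Logon Process", ""),
                       "source": fields.get("Source Network Address", "-")})
    return events


def parse_iis_log(text):
    """Return (local_time, client_ip, uri) tuples, using the #Fields header for columns."""
    cols, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            cols = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        parts = dict(zip(cols, line.split()))
        utc = datetime.strptime(parts["date"] + " " + parts["time"], "%Y-%m-%d %H:%M:%S")
        rows.append((utc + IIS_UTC_OFFSET, parts["c-ip"], parts["cs-uri-stem"]))
    return rows


def direct_sources(events):
    """529s that already carry a Source Network Address need no correlation."""
    return Counter(e["source"] for e in events if e["source"] != "-")


def correlate(events, requests, window=timedelta(seconds=5)):
    """For each source-less Advapi 529, count client IPs seen in IIS within +/- window.
    An IP is counted once per event so a chatty client is not over-weighted."""
    hits = Counter()
    for e in events:
        if e["source"] != "-" or e["process"] != "Advapi":
            continue
        hits.update({ip for when, ip, _ in requests if abs(when - e["when"]) <= window})
    return hits


if __name__ == "__main__":
    evts = parse_529_events(EVENTS_TXT)
    print("user names tried:", sorted({e["user"] for e in evts}))
    print("direct sources:", dict(direct_sources(evts)))
    print("web-login candidates:", dict(correlate(evts, parse_iis_log(IIS_LOG))))
```

The time window and the UTC offset are the two things to get right: a window that is too wide pulls in legitimate users who happened to be on OWA at the same moment, and a wrong offset matches nothing at all. The same correlation works against a firewall log in place of the IIS log once its lines are parsed into the same (time, ip, detail) shape.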
+1 to cgaliher comments...

Sorry Cliff, I tend to respond before reading through all the other responses.