BoboLoco

asked on

Intrusion or Active Imagination?

Am I jumping at shadows because of previous experiences?
I think this is an intrusion and password guessing... but how do I track it down?
Small SBS2K3 network with 5 XP Pro clients and the server.

Source: Security
Event ID: 529
Last Occurrence: 14/02/2011 4:16 AM
Total Occurrences: 1,386 *
Logon Failure:
       Reason:      Unknown user name or bad password
       User Name:      hello
       Domain:       
       Logon Type:      3
       Logon Process:      Advapi
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      SBS2K3-SERVER'S NAME
       Caller User Name:      SBS2K3-SERVER'S NAME
       Caller Domain:      SBS2K3-SERVER'S DOMAIN NAME
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      2596
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

Also do let me know the general feeling of whether the points offered are appropriate or whether they should be higher / lower!

Thanks in advance!
Didier Vx

No I don't think it's an intrusion because the error label explicitly shows that this may be an unsuccessful attempt to connect to your machine (through NULL RPC session for example).
BoboLoco

ASKER

Perhaps I misspoke when I said "intrusion". An "attempt at an intrusion" is what I should have said!

Basically no one at the company has a reason to attempt to connect to the server as user "hello".

So, I want to a) ascertain if there is any chance this is not malicious, b) figure out if it is coming from the outside or the inside and c) swat it by either locking down the outside access or figuring out which of the inside workstations has been compromised and how!

At the firewall level, the only ports open to the world are: 25, 993, and 8443 (https).

The company has had a previous incident where someone rdp'ed to the server with a user's credentials (which had admin privileges) and proceeded to wipe a bunch of hard drives.
I've seen many cases where a user types his password in the username field by mistake.  Do you require strong passwords?  If not, and if you have a small enough user base, try logging in as each of your users with the password "hello".

If you do require strong passwords, I think it's still possible that somebody who starts with the word "hello" in their password typed those five characters into the wrong field, realized it, then hit enter in order to blank it out.  Don't know how you'd prove that one unless you asked everybody if they start their passwords with the word hello.
OK:

Interesting idea that someone typed "hello" in the wrong field by mistake.... but, yes, passwords are set to be strong and...  they would have had to try this OVER 1380 times?

Basically I am trying to figure out whether I have to go mental and scan every workstation that connects or could connect at times (Mac VMs; notebooks) to the network to see if it has been compromised, or whether there is any POSSIBLE LEGITIMATE situation where "hello" tried to login... like some process? Job? What have you?

And whether anyone could tell whether this might be coming from the outside or the inside based on the info....
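The original question asks how to track the failures down, and the post above asks whether the record shows them coming from inside or outside. As an added example that is not from this thread, the following Python script parses Event ID 529 records exported in the layout shown in the question, counts failures per user name, and uses the fields the event itself carries (Logon Process, Source Network Address, Caller Logon ID, Caller Process ID) to say whether a failure arrived over the network or was raised by a process on the server. The sample export is constructed: the "hello" record mirrors the one in the question with the server name SERVER01, caller SERVER01$ and domain EXAMPLE as placeholders, while the "jsmith" record, workstation WS01 and the address 192.0.2.10 are invented to show the network-sourced case.

```python
import re
from collections import Counter

# Constructed sample export. The "hello" record follows the one in the question
# (server name, caller name and domain are placeholders, PID kept as 2596); the
# "jsmith" record is invented to show a failure that carries a network address.
HELLO_RECORD = """Logon Failure:
       Reason:      Unknown user name or bad password
       User Name:      hello
       Domain:
       Logon Type:      3
       Logon Process:      Advapi
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      SERVER01
       Caller User Name:      SERVER01$
       Caller Domain:      EXAMPLE
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      2596
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -
"""

JSMITH_RECORD = """Logon Failure:
       Reason:      Unknown user name or bad password
       User Name:      jsmith
       Domain:      EXAMPLE
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      WS01
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:      192.0.2.10
       Source Port:      1234
"""

# Twelve identical "hello" failures followed by one "jsmith" failure.
SAMPLE_LOG = HELLO_RECORD * 12 + JSMITH_RECORD

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+):\s*(.*)$")


def parse_529_events(text):
    """Split exported Security log text into one dict per 'Logon Failure:' record."""
    events, current = [], None
    for line in text.splitlines():
        if line.strip() == "Logon Failure:":
            current = {}
            events.append(current)
            continue
        m = FIELD_RE.match(line)
        if current is not None and m:
            current[m.group(1).strip()] = m.group(2).strip()
    return events


def caller_is_system(ev):
    """Caller Logon ID (0x0,0x3E7): 0x3E7 (999) is the logon session of LocalSystem."""
    return ev.get("Caller Logon ID", "").replace(" ", "").upper().endswith(",0X3E7)")


def classify_origin(ev):
    """Derive where the failure came from using only the fields the event records."""
    src = ev.get("Source Network Address", "-")
    if src not in ("", "-"):
        # The authentication package saw a network peer; inside vs outside
        # can be judged from the address itself.
        return "remote:" + src
    if ev.get("Logon Process") == "Advapi":
        # Advapi means a process on this server called LogonUser(). The event
        # does not record a client address, so the Caller Process ID is the
        # lead to follow (e.g. tasklist /svc /fi "PID eq <n>" while it runs).
        who = "SYSTEM" if caller_is_system(ev) else ev.get("Caller User Name", "?")
        return "local-process:%s:pid=%s" % (who, ev.get("Caller Process ID", "?"))
    return "unknown"


def summarize(events, burst_threshold=10):
    """Count failures per (user name, origin); flag counts at or above the threshold."""
    counts = Counter((ev.get("User Name", "?"), classify_origin(ev)) for ev in events)
    return [
        {"user": user, "origin": origin, "failures": n, "burst": n >= burst_threshold}
        for (user, origin), n in counts.most_common()
    ]


if __name__ == "__main__":
    for row in summarize(parse_529_events(SAMPLE_LOG)):
        flag = "BURST " if row["burst"] else "      "
        print("%s%5d  %-10s %s" % (flag, row["failures"], row["user"], row["origin"]))
```

Applied to the record in the question, the script reports the "hello" failures as `local-process:SYSTEM:pid=2596`: the Advapi logon process, the SYSTEM caller logon ID and the empty source address together mean that a process running as SYSTEM on the server itself made the failed LogonUser call, so this event on its own cannot say whether the ultimate client was inside or outside. That is consistent both with a service on the server authenticating remote clients (whose address would appear in that service's own logs rather than here) and with something on the local network; resolving the PID to a process while the burst is happening is the next step.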
I missed the part about the 1386 attempts!  You said you might just have an active imagination, and I took you at your word.  No, my guess was clearly way off.  It still might be innocuous, like if somebody set up a VPN for themselves at home and then had an automatic logon happening with the username they use at the unsecured network. But yeah, you might have somebody evil knocking on your door.
And if it is someone evil, why did they only try... one user name.... lots of times... in one batch?
 
Are they the "happy go lucky" evil type: "hello" ...  now spend the rest of your week trying to figure out what I did and how I did it?

Or am I now trying to psychoanalyse evil ;-)

I guess I should just go over there and run thousands of scans on each machine!
ASKER CERTIFIED SOLUTION
Netman66

SOLUTION
I am adding my comment as part of the solution because it represents the actual solution to the problem.

The experts' solution above my comment was close to the actual solution to the problem, so it should get credit, as it would probably have led me to resolve the issue had I followed it before coming up with my own solution.