• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 447
  • Last Modified:

Intrusion or Active Imagination?

Am I jumping at shadows because of previous experiences?
I think this is an intrusion and password guessing... but how do I track it down?
Small SBS2K3 network with 5 XP Pro clients and the server.

Source      Event ID      Last Occurrence      Total Occurrences
   Security
529      14/02/2011 4:16 AM      1,386 *
Logon Failure:
       Reason:      Unknown user name or bad password
       User Name:      hello
       Domain:       
       Logon Type:      3
       Logon Process:      Advapi
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      SBS2K3-SERVER'S NAME
       Caller User Name:      SBS2K3-SERVER'S NAME
       Caller Domain:      SBS2K3-SERVER'S DOMAIN NAME
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      2596
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

Also do let me the general feeling of whether the points offered are appropriate or whether they should be higher / lower!

Thanks in advance!
0
BoboLoco
Asked:
BoboLoco
2 Solutions
 
Didier VallySystems Engineer and Finance AnalystCommented:
No I don't think it's an intrusion because the error label explicitly shows that this may be an unsuccessful attempt to connect to your machine (through NULL RPC session for example).
0
 
BoboLocoAuthor Commented:
Perhaps I mis-spoke when I said "intrusion".   An "attempt at an intrusion" is what I should have said!

Basically no one at the company has a reason to attempting to connect to the server as user "hello".  

So, I want to a) ascertain if there is any chance this is not malicious, b) figure out if it is coming from the outside or the inside and c) swat it by either locking down the outside access or figuring out which of the inside workstations has been compromised and how!

At the firewall level, the only ports open to the world are: 25, 993, and 8443 (https).

The company has had a previous incident where someone rdp'ed to the server with a user's credentials (which had admin priviledges) and proceeded to wipe a bunch of hard drives.
0
 
gtfijiCommented:
I've seen many cases where a user types his password in the username field by mistake.  Do you require strong passwords?  If not, and if you have a small enough user base, try logging in as each of your users with the password "hello".

If you do require strong passwords, I think it's still possible that somebody who starts with the word "hello" in their password typed those five characters into the wrong field, realized it, then hit enter in order to blank it out.  Don't know how you'd prove that one unless you asked everybody if they start their passwords with the word hello.
0
The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

 
BoboLocoAuthor Commented:
OK:

Interesting idea that someone typed "hello" in the wrong field by mistake.... but, yes, passwords are set to be strong and...  they would have had to try this OVER 1380 times?

Basically I am trying to figure out whether I have to go mental and scan every workstation that connects or could connect at times (MAC VM's; notebooks) to the network to see if it has been compromised, or whether there is any POSSIBLE LEGITIMATE situation where "hello" tried to login... like some process? Job? What have you?

And whether anyone could tell whether this might be coming from the outside or the inside based on the info....
0
 
gtfijiCommented:
I missed the part about the 1386 attempts!  You said you might just have an active imagination, and I took you at your word.  No, my guess was clearly way off.  It still might be innocuous, like if somebody set up a VPN for themselves at home and then had an automatic logon happening with the username they use at the unsecured network. But yeah, you might have somebody evil knocking on your door.
0
 
BoboLocoAuthor Commented:
And if it is someone evil, why did they only try... one user name.... lots of times... in one batch?
 
Are they the "happy go lucky" evil type: "hello" ...  now spend the rest of your week trying to figure out what I did and how I did it?

Or I am now trying to psychoanalyse evil ;- )

I guess I should just go over there and run thousands of scans on each machine!
0
 
BoboLocoAuthor Commented:
A validation that you should come back to questions to see if there are new answers even after you've given up on a reply!

I did resolve the issue a while back and so I should have posted the answer and closed the topic.  But to give credit where credit is due your answer was bang on-ish ;-)

Your link above seems a bit convoluted for my little brain and had I been depending on it would have probably sent me up the wrong tree for a while... BUT, it would have absolutely been a tree in the right yard!

I actually used the old "manual" troubleshooting method: I closed all the firewall ports and opened them up one by one till the issue came back up again!   And when that happened, in all its naked glory there stood "Port 25"!

So yes, someone WAS trying to hack in using port 25.

Should I start a new question now on how to SECURE port 25?
0
 
BoboLocoAuthor Commented:
I am adding my comment as part of the solution because it represents the actual solution to the problem.

The experts' solution above my comment was close to the actual solution to the problem so it should get credit as it would have probably led me resolve the issue had I followed it before coming up with my own solution.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now