Solved

Intrusion or Active Imagination?

Posted on 2011-02-14
9
436 Views
Last Modified: 2013-12-04
Am I jumping at shadows because of previous experiences?
I think this is an intrusion and password guessing... but how do I track it down?
Small SBS2K3 network with 5 XP Pro clients and the server.

Source      Event ID      Last Occurrence      Total Occurrences
   Security
529      14/02/2011 4:16 AM      1,386 *
Logon Failure:
       Reason:      Unknown user name or bad password
       User Name:      hello
       Domain:       
       Logon Type:      3
       Logon Process:      Advapi
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      SBS2K3-SERVER'S NAME
       Caller User Name:      SBS2K3-SERVER'S NAME
       Caller Domain:      SBS2K3-SERVER'S DOMAIN NAME
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      2596
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

Also do let me the general feeling of whether the points offered are appropriate or whether they should be higher / lower!

Thanks in advance!
0
Comment
Question by:BoboLoco
9 Comments
 
LVL 5

Expert Comment

by:Didier Vally
Comment Utility
No I don't think it's an intrusion because the error label explicitly shows that this may be an unsuccessful attempt to connect to your machine (through NULL RPC session for example).
0
 

Author Comment

by:BoboLoco
Comment Utility
Perhaps I mis-spoke when I said "intrusion".   An "attempt at an intrusion" is what I should have said!

Basically no one at the company has a reason to attempting to connect to the server as user "hello".  

So, I want to a) ascertain if there is any chance this is not malicious, b) figure out if it is coming from the outside or the inside and c) swat it by either locking down the outside access or figuring out which of the inside workstations has been compromised and how!

At the firewall level, the only ports open to the world are: 25, 993, and 8443 (https).

The company has had a previous incident where someone rdp'ed to the server with a user's credentials (which had admin priviledges) and proceeded to wipe a bunch of hard drives.
0
 
LVL 2

Expert Comment

by:gtfiji
Comment Utility
I've seen many cases where a user types his password in the username field by mistake.  Do you require strong passwords?  If not, and if you have a small enough user base, try logging in as each of your users with the password "hello".

If you do require strong passwords, I think it's still possible that somebody who starts with the word "hello" in their password typed those five characters into the wrong field, realized it, then hit enter in order to blank it out.  Don't know how you'd prove that one unless you asked everybody if they start their passwords with the word hello.
0
 

Author Comment

by:BoboLoco
Comment Utility
OK:

Interesting idea that someone typed "hello" in the wrong field by mistake.... but, yes, passwords are set to be strong and...  they would have had to try this OVER 1380 times?

Basically I am trying to figure out whether I have to go mental and scan every workstation that connects or could connect at times (MAC VM's; notebooks) to the network to see if it has been compromised, or whether there is any POSSIBLE LEGITIMATE situation where "hello" tried to login... like some process? Job? What have you?

And whether anyone could tell whether this might be coming from the outside or the inside based on the info....
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 
LVL 2

Expert Comment

by:gtfiji
Comment Utility
I missed the part about the 1386 attempts!  You said you might just have an active imagination, and I took you at your word.  No, my guess was clearly way off.  It still might be innocuous, like if somebody set up a VPN for themselves at home and then had an automatic logon happening with the username they use at the unsecured network. But yeah, you might have somebody evil knocking on your door.
0
 

Author Comment

by:BoboLoco
Comment Utility
And if it is someone evil, why did they only try... one user name.... lots of times... in one batch?
 
Are they the "happy go lucky" evil type: "hello" ...  now spend the rest of your week trying to figure out what I did and how I did it?

Or I am now trying to psychoanalyse evil ;- )

I guess I should just go over there and run thousands of scans on each machine!
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 500 total points
Comment Utility
0
 

Assisted Solution

by:BoboLoco
BoboLoco earned 0 total points
Comment Utility
A validation that you should come back to questions to see if there are new answers even after you've given up on a reply!

I did resolve the issue a while back and so I should have posted the answer and closed the topic.  But to give credit where credit is due your answer was bang on-ish ;-)

Your link above seems a bit convoluted for my little brain and had I been depending on it would have probably sent me up the wrong tree for a while... BUT, it would have absolutely been a tree in the right yard!

I actually used the old "manual" troubleshooting method: I closed all the firewall ports and opened them up one by one till the issue came back up again!   And when that happened, in all its naked glory there stood "Port 25"!

So yes, someone WAS trying to hack in using port 25.

Should I start a new question now on how to SECURE port 25?
0
 

Author Closing Comment

by:BoboLoco
Comment Utility
I am adding my comment as part of the solution because it represents the actual solution to the problem.

The experts' solution above my comment was close to the actual solution to the problem so it should get credit as it would have probably led me resolve the issue had I followed it before coming up with my own solution.
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
This story has been written with permission from the scammed victim, a valued client of mine – identity protected by request.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now