Solved

Intrusion or Active Imagination?

Posted on 2011-02-14
9
442 Views
Last Modified: 2013-12-04
Am I jumping at shadows because of previous experiences?
I think this is an intrusion and password guessing... but how do I track it down?
Small SBS2K3 network with 5 XP Pro clients and the server.

Source      Event ID      Last Occurrence      Total Occurrences
   Security
529      14/02/2011 4:16 AM      1,386 *
Logon Failure:
       Reason:      Unknown user name or bad password
       User Name:      hello
       Domain:       
       Logon Type:      3
       Logon Process:      Advapi
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      SBS2K3-SERVER'S NAME
       Caller User Name:      SBS2K3-SERVER'S NAME
       Caller Domain:      SBS2K3-SERVER'S DOMAIN NAME
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      2596
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

Also do let me know the general feeling of whether the points offered are appropriate or whether they should be higher / lower!

Thanks in advance!
0
Comment
Question by:BoboLoco
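As an added example (not part of the original question or of any answer in this thread), the script below parses a text export of Security event 529 records in the key/value layout shown above, groups the failures by user, logon type, logon process and caller process ID, flags a burst, and prints the interpretation a responder would want: a Logon Type 3 failure with Logon Process Advapi and no Source Network Address means the password was checked by a local process (the Caller Process ID, running under the SYSTEM logon session 0x3E7) on behalf of some client of that process, so the remote address has to be recovered from that process's own logs rather than from the event. The "Time:" header line, the timestamps, the second user "jsmith", the domain EXAMPLE and the address 192.0.2.23 are constructed for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. The field layout copies the 529 record from the question;
# the "Time:" header line and all timestamps are invented for the example.
HELLO_RECORD = """\
Time: {time}
Logon Failure:
       Reason:      Unknown user name or bad password
       User Name:      hello
       Domain:
       Logon Type:      3
       Logon Process:      Advapi
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      2596
       Source Network Address:      -
"""

# A contrasting constructed record: an NTLM network logon carries the client address.
OTHER_RECORD = """\
Time: 14/02/2011 8:01:45 AM
Logon Failure:
       Reason:      Unknown user name or bad password
       User Name:      jsmith
       Domain:      EXAMPLE
       Logon Type:      3
       Logon Process:      NtLmSsp
       Caller Logon ID:      -
       Caller Process ID:      -
       Source Network Address:      192.0.2.23
"""

SAMPLE_LOG = "\n".join(
    [HELLO_RECORD.format(time=t) for t in
     ("14/02/2011 4:12:10 AM", "14/02/2011 4:12:11 AM", "14/02/2011 4:12:13 AM")]
    + [OTHER_RECORD]
)

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_events(text):
    """Split the export into records (one per 'Time:' line) and read each 'Key: value' field."""
    events = []
    for chunk in re.split(r"\n(?=Time: )", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2)
        if "Time" not in fields:
            continue
        fields["Time"] = datetime.strptime(fields["Time"], "%d/%m/%Y %I:%M:%S %p")
        events.append(fields)
    return events


def summarise(events, threshold=10, window=timedelta(minutes=5)):
    """Group failures by who/how they were attempted and flag bursts of >= threshold within window."""
    groups = defaultdict(list)
    for ev in events:
        key = (ev.get("User Name", ""), ev.get("Logon Type", ""), ev.get("Logon Process", ""),
               ev.get("Caller Process ID", ""), ev.get("Source Network Address", "-"))
        groups[key].append(ev["Time"])
    report = []
    for (user, ltype, lproc, pid, src), times in groups.items():
        times.sort()
        burst = len(times) >= threshold and (times[-1] - times[0]) <= window
        if lproc == "Advapi" and src == "-":
            # The event carries no client address: a local process asked LSA to verify the
            # password. Identify that PID on the server (PIDs are reused, so do it while the
            # attempts are ongoing) and read that service's own log for the remote address.
            hint = (f"no source address: credentials were checked by a local process "
                    f"(caller PID {pid}) for one of its clients; map PID {pid} to its image "
                    f"and check that service's own logs for the remote address")
        elif src not in ("-", ""):
            hint = f"direct network logon attempt from {src}"
        else:
            hint = "origin not recorded in the event"
        report.append({"user": user, "logon_type": ltype, "logon_process": lproc,
                       "caller_pid": pid, "source": src, "count": len(times),
                       "first": times[0], "last": times[-1], "burst": burst, "hint": hint})
    report.sort(key=lambda r: r["count"], reverse=True)
    return report


if __name__ == "__main__":
    for row in summarise(parse_events(SAMPLE_LOG), threshold=3):
        flag = "BURST" if row["burst"] else "     "
        print(f"{flag} {row['count']:5d}  user={row['user']!r:10} type={row['logon_type']} "
              f"proc={row['logon_process']:8} pid={row['caller_pid']:5} src={row['source']}")
        print(f"       {row['first']} .. {row['last']}: {row['hint']}")
```

On a real export the threshold and window should be tuned to the environment, and the grouping key is the point: 1,386 failures for one name, one logon process and one caller PID is a single mechanism, not a user typing into the wrong field.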
9 Comments
 
LVL 5

Expert Comment

by:Didier Vally
ID: 34894528
No I don't think it's an intrusion because the error label explicitly shows that this may be an unsuccessful attempt to connect to your machine (through NULL RPC session for example).
0
 

Author Comment

by:BoboLoco
ID: 34895300
Perhaps I misspoke when I said "intrusion". An "attempt at an intrusion" is what I should have said!

Basically no one at the company has a reason to attempt to connect to the server as user "hello".

So, I want to a) ascertain if there is any chance this is not malicious, b) figure out if it is coming from the outside or the inside and c) swat it by either locking down the outside access or figuring out which of the inside workstations has been compromised and how!

At the firewall level, the only ports open to the world are: 25, 993, and 8443 (https).

The company has had a previous incident where someone rdp'ed to the server with a user's credentials (which had admin privileges) and proceeded to wipe a bunch of hard drives.
0
 
LVL 2

Expert Comment

by:gtfiji
ID: 34903116
I've seen many cases where a user types his password in the username field by mistake.  Do you require strong passwords?  If not, and if you have a small enough user base, try logging in as each of your users with the password "hello".

If you do require strong passwords, I think it's still possible that somebody who starts with the word "hello" in their password typed those five characters into the wrong field, realized it, then hit enter in order to blank it out.  Don't know how you'd prove that one unless you asked everybody if they start their passwords with the word hello.
0

 

Author Comment

by:BoboLoco
ID: 34903460
OK:

Interesting idea that someone typed "hello" in the wrong field by mistake.... but, yes, passwords are set to be strong and... they would have had to try this OVER 1380 times?

Basically I am trying to figure out whether I have to go mental and scan every workstation that connects or could connect at times (Mac VMs; notebooks) to the network to see if it has been compromised, or whether there is any POSSIBLE LEGITIMATE situation where "hello" tried to login... like some process? Job? What have you?

And whether anyone could tell whether this might be coming from the outside or the inside based on the info....
0
 
LVL 2

Expert Comment

by:gtfiji
ID: 34903668
I missed the part about the 1386 attempts!  You said you might just have an active imagination, and I took you at your word.  No, my guess was clearly way off.  It still might be innocuous, like if somebody set up a VPN for themselves at home and then had an automatic logon happening with the username they use at the unsecured network. But yeah, you might have somebody evil knocking on your door.
0
 

Author Comment

by:BoboLoco
ID: 34904049
And if it is someone evil, why did they only try... one user name.... lots of times... in one batch?
 
Are they the "happy go lucky" evil type: "hello" ...  now spend the rest of your week trying to figure out what I did and how I did it?

Or am I now trying to psychoanalyse evil ;-)

I guess I should just go over there and run thousands of scans on each machine!
0
 
LVL 51

Accepted Solution

by:Netman66
Netman66 earned 500 total points
ID: 34970475
0
 

Assisted Solution

by:BoboLoco
BoboLoco earned 0 total points
ID: 35098400
A validation that you should come back to questions to see if there are new answers even after you've given up on a reply!

I did resolve the issue a while back and so I should have posted the answer and closed the topic.  But to give credit where credit is due your answer was bang on-ish ;-)

Your link above seems a bit convoluted for my little brain and had I been depending on it would have probably sent me up the wrong tree for a while... BUT, it would have absolutely been a tree in the right yard!

I actually used the old "manual" troubleshooting method: I closed all the firewall ports and opened them up one by one till the issue came back up again! And when that happened, in all its naked glory there stood "Port 25"!

So yes, someone WAS trying to hack in using port 25.

Should I start a new question now on how to SECURE port 25?
0
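The port-by-port bisection described in the answer above can also be done numerically against the logs, so that a reopened port gets blamed on the failure pattern rather than on one coincidence. The following is an added example, not the poster's or the expert's code: it replays a constructed firewall change log for the three ports the question lists as open to the world (25, 993, 8443) against constructed failed-logon timestamps, computes how many failures happened while each port was open or closed and the failure rate per open hour, and ranks the ports. The observation window, the change log and the failure times are all invented for the example.

```python
from collections import defaultdict
from datetime import datetime


def ts(s):
    """Parse the constructed 'YYYY-MM-DD HH:MM' timestamps used in this example."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed inputs (not from the thread): the ports the question lists as open, a
# firewall change log for one day of bisection, and the times of failed-logon events.
INITIAL_OPEN = {25, 993, 8443}
START = ts("2011-02-19 20:00")   # observation window start: all three ports still open
END = ts("2011-02-20 16:00")     # observation window end
FIREWALL_LOG = [
    ("2011-02-20 09:00", "close", 25),
    ("2011-02-20 09:00", "close", 993),
    ("2011-02-20 09:00", "close", 8443),
    ("2011-02-20 10:00", "open", 8443),
    ("2011-02-20 12:00", "open", 993),
    ("2011-02-20 14:00", "open", 25),
]
FAILURES = [ts(s) for s in (
    "2011-02-19 22:10", "2011-02-19 22:11", "2011-02-19 22:12",   # baseline, everything open
    "2011-02-20 14:37", "2011-02-20 14:38", "2011-02-20 14:39",   # resumes after the last reopen
)]


def open_intervals(firewall_log, initial_open, start, end):
    """Turn a chronological open/close log into {port: [(open_from, open_to), ...]}."""
    open_since = {port: start for port in initial_open}   # ports currently open
    intervals = defaultdict(list)
    for stamp, action, port in sorted(firewall_log):
        t = ts(stamp)
        if action == "close" and port in open_since:
            intervals[port].append((open_since.pop(port), t))
        elif action == "open" and port not in open_since:
            open_since[port] = t
    for port, since in open_since.items():          # still open at the end of the window
        intervals[port].append((since, end))
    return intervals


def rank_ports(intervals, failures):
    """Rank ports: any failure while a port was closed clears that port; then by rate while open."""
    result = []
    for port, spans in intervals.items():
        open_hours = sum((b - a).total_seconds() for a, b in spans) / 3600
        while_open = sum(1 for f in failures if any(a <= f < b for a, b in spans))
        result.append({
            "port": port,
            "failures_while_open": while_open,
            "failures_while_closed": len(failures) - while_open,
            "per_open_hour": while_open / open_hours if open_hours else 0.0,
        })
    result.sort(key=lambda r: (r["failures_while_closed"], -r["per_open_hour"]))
    return result


if __name__ == "__main__":
    ranking = rank_ports(open_intervals(FIREWALL_LOG, INITIAL_OPEN, START, END), FAILURES)
    for row in ranking:
        print(f"port {row['port']:5d}: {row['failures_while_open']} while open, "
              f"{row['failures_while_closed']} while closed, "
              f"{row['per_open_hour']:.2f} failures per open hour")
```

A port that saw failures while it was closed cannot be the channel and drops to the bottom; among the rest, the port with the highest failure rate per hour of exposure is the one whose open periods line up best with the burst (here 25, because 8443 and 993 were open for hours of silence before 25 was reopened). Confirm the candidate in that service's own log (for port 25, the SMTP service log, which records the client address the 529 event lacks) before changing the firewall.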
 

Author Closing Comment

by:BoboLoco
ID: 35135872
I am adding my comment as part of the solution because it represents the actual solution to the problem.

The expert's solution above my comment was close to the actual solution to the problem, so it should get credit as it would probably have led me to resolve the issue had I followed it before coming up with my own solution.
0
