Solved

Intrusion or Active Imagination?

Posted on 2011-02-14
Last Modified: 2013-12-04
Am I jumping at shadows because of previous experiences?
I think this is an intrusion and password guessing... but how do I track it down?
Small SBS2K3 network with 5 XP Pro clients and the server.

Source      Event ID      Last Occurrence      Total Occurrences
   Security
529      14/02/2011 4:16 AM      1,386 *
Logon Failure:
       Reason:      Unknown user name or bad password
       User Name:      hello
       Domain:       
       Logon Type:      3
       Logon Process:      Advapi
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      SBS2K3-SERVER'S NAME
       Caller User Name:      SBS2K3-SERVER'S NAME
       Caller Domain:      SBS2K3-SERVER'S DOMAIN NAME
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      2596
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

Also do let me know the general feeling on whether the points offered are appropriate or whether they should be higher / lower!

Thanks in advance!
Question by:BoboLoco
9 Comments
 
LVL 5

Expert Comment

by:Didier Vally
ID: 34894528
No, I don't think it's an intrusion because the error label explicitly shows that this may be an unsuccessful attempt to connect to your machine (through a NULL RPC session, for example).
 

Author Comment

by:BoboLoco
ID: 34895300
Perhaps I misspoke when I said "intrusion". An "attempt at an intrusion" is what I should have said!

Basically no one at the company has a reason to attempt to connect to the server as user "hello".

So, I want to a) ascertain if there is any chance this is not malicious, b) figure out if it is coming from the outside or the inside and c) swat it by either locking down the outside access or figuring out which of the inside workstations has been compromised and how!

At the firewall level, the only ports open to the world are: 25, 993, and 8443 (https).

The company has had a previous incident where someone RDP'd to the server with a user's credentials (which had admin privileges) and proceeded to wipe a bunch of hard drives.
 
LVL 2

Expert Comment

by:gtfiji
ID: 34903116
I've seen many cases where a user types his password in the username field by mistake.  Do you require strong passwords?  If not, and if you have a small enough user base, try logging in as each of your users with the password "hello".

If you do require strong passwords, I think it's still possible that somebody who starts with the word "hello" in their password typed those five characters into the wrong field, realized it, then hit enter in order to blank it out.  Don't know how you'd prove that one unless you asked everybody if they start their passwords with the word hello.

Author Comment

by:BoboLoco
ID: 34903460
OK:

Interesting idea that someone typed "hello" in the wrong field by mistake.... but, yes, passwords are set to be strong and...  they would have had to try this OVER 1380 times?

Basically I am trying to figure out whether I have to go mental and scan every workstation that connects or could connect at times (Mac VMs; notebooks) to the network to see if it has been compromised, or whether there is any POSSIBLE LEGITIMATE situation where "hello" tried to login... like some process? Job? What have you?

And whether anyone could tell whether this might be coming from the outside or the inside based on the info....
 
LVL 2

Expert Comment

by:gtfiji
ID: 34903668
I missed the part about the 1386 attempts!  You said you might just have an active imagination, and I took you at your word.  No, my guess was clearly way off.  It still might be innocuous, like if somebody set up a VPN for themselves at home and then had an automatic logon happening with the username they use at the unsecured network. But yeah, you might have somebody evil knocking on your door.
 

Author Comment

by:BoboLoco
ID: 34904049
And if it is someone evil, why did they only try... one user name.... lots of times... in one batch?
 
Are they the "happy go lucky" evil type: "hello" ...  now spend the rest of your week trying to figure out what I did and how I did it?

Or am I now trying to psychoanalyse evil? ;-)

I guess I should just go over there and run thousands of scans on each machine!
 
LVL 51

Accepted Solution

by:
Netman66 earned 500 total points
ID: 34970475
 

Assisted Solution

by:BoboLoco
BoboLoco earned 0 total points
ID: 35098400
A validation that you should come back to questions to see if there are new answers even after you've given up on a reply!

I did resolve the issue a while back and so I should have posted the answer and closed the topic.  But to give credit where credit is due your answer was bang on-ish ;-)

Your link above seems a bit convoluted for my little brain and had I been depending on it would have probably sent me up the wrong tree for a while... BUT, it would have absolutely been a tree in the right yard!

I actually used the old "manual" troubleshooting method: I closed all the firewall ports and opened them up one by one till the issue came back up again! And when that happened, in all its naked glory there stood "Port 25"!

So yes, someone WAS trying to hack in using port 25.

Should I start a new question now on how to SECURE port 25?
 

Author Closing Comment

by:BoboLoco
ID: 35135872
I am adding my comment as part of the solution because it represents the actual solution to the problem.

The expert's solution above my comment was close to the actual solution to the problem, so it should get credit, as it would probably have led me to resolve the issue had I followed it before coming up with my own solution.