
Dictionary Attack Assistance

Hello,

I am running an SBS Server 2003.
I am getting several login failures everyday.
The user accounts do not exist on our domain.

Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      office
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      SERVER
       Caller User Name:      SERVER$
       Caller Domain:      xxxxxxx
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      27500
       Transited Services:      -
       Source Network Address:      -
       Source Port:      

The alerts are very similar except for the username; they are basic names like ftp, webadmin, fax.
We were getting even more and varied alerts until I removed rdp at the server and blocked it at the firewall.
Furthermore, a few months ago there was an issue where the Exchange server was sending out hundreds of thousands of spam emails, because someone hijacked it. That issue is resolved.
I've run malwarebytes and trend micro scans but didn't find anything.
Finally, I did notice a random user profile folder and AD user that was just 4 numbers, in the download folder within the profile there was hacking software. I have disabled that user.

Any ideas?

Thank you.

I think the best way to do this is to find the IP address(es) that the attacker(s) are connecting from, and block them on your firewall. Check the "Source Network Address" field. If it's an internal address, find out which workstation it is and make sure it's not infected/hacked. If it's an external address, just block it on the firewall.
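As an added example (not code from this thread), a small Python script that parses audit text in the format posted in the question and summarizes it by Source Network Address and User Name, so repeated guesses from one host, user names that do not exist in the domain, and events with no source address (where the Caller Process ID is the next thing to look at) stand out. The sample records and the list of known domain accounts are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the format of the event in the question (some fields
# omitted): 'office' and 'ftp' are requested by a process on the server itself
# (no source address), 'fax' and 'administrator' by a remote host.
RECORD = """Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      {user}
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi
       Workstation Name:      SERVER
       Caller User Name:      SERVER$
       Caller Process ID:      {pid}
       Source Network Address:      {src}
       Source Port:      {port}
"""
SAMPLE_LOG = "".join(RECORD.format(user=u, pid=p, src=s, port=pt) for u, p, s, pt in [
    ("office", 27500, "-", ""), ("ftp", 27500, "-", ""),
    ("fax", 4, "203.0.113.7", 4455), ("administrator", 4, "203.0.113.7", 4460)])

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")

def parse_events(text):
    """Split Windows 2003-style audit text into one dict per 'Logon Failure:' record."""
    events, current = [], None
    for line in text.splitlines():
        if line.strip() == "Logon Failure:":
            current = {}
            events.append(current)
            continue
        m = FIELD_RE.match(line)
        if current is not None and m:
            current[m.group(1)] = m.group(2) or "-"   # blank field recorded as "-"
    return events

def summarize(events, known_accounts):
    """Counts per source address and per user, the user names that do not exist
    in the domain (known_accounts is an assumed list), and the PIDs of local callers."""
    known = {a.lower() for a in known_accounts}
    by_source, by_user, unknown, local_pids = Counter(), Counter(), set(), set()
    for e in events:
        src, user = e.get("Source Network Address", "-"), e.get("User Name", "-")
        by_source[src] += 1
        by_user[user] += 1
        if user.lower() not in known:
            unknown.add(user)
        if src == "-":                       # no network source: look at the local process
            local_pids.add(e.get("Caller Process ID", "-"))
    return {"by_source": by_source, "by_user": by_user,
            "unknown_users": unknown, "local_caller_pids": local_pids}
```

Feed it the text exported from the Security log instead of SAMPLE_LOG; addresses with high counts are candidates for the firewall block suggested above, and local-caller PIDs point at the service or process on the server that is submitting the bad credentials.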
John Meggers, Network Architect

Commented:
You may also want to check whether there is inside traffic destined for those IP addresses, and block them going out as well.  In theory as long as you block one way, they won't be communicating, but my thinking is it never hurts to block both directions.

Author

Commented:
Thanks for the responses.
The failures are coming from different IP addresses over many ports.
I think I do need to get some type of packet sniffing software.
Look up the IP addresses. Are they coming from a specific country (e.g. China)? If so, set up a geographic blocklist to deny access from certain countries.

Author

Commented:
Thank you for your input.
I ended up renaming the admin account and shutting off rdp for a week.
The attempts are few so anything else would be too intrusive of a response for the client.

Author

Commented:
Splitting Points.