FlynnKeilty
asked on
Dictionary Attack Assistance
Hello,
I am running an SBS Server 2003.
I am getting several login failures every day.
The user accounts do not exist on our domain.
Logon Failure:
Reason: Unknown user name or bad password
User Name: office
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER
Caller User Name: SERVER$
Caller Domain: xxxxxxx
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 27500
Transited Services: -
Source Network Address: -
Source Port:
The alerts are very similar except for the username; they are basic names like ftp, webadmin, fax.
We were getting even more and varied alerts until I removed RDP at the server and blocked it at the firewall.
Furthermore, a few months ago there was an issue where the Exchange server was sending out hundreds of thousands of spam emails, because someone hijacked it. That issue is resolved.
I've run Malwarebytes and Trend Micro scans but didn't find anything.
Finally, I did notice a random user profile folder and AD user that was just 4 numbers; in the download folder within the profile there was hacking software. I have disabled that user.
Any ideas?
Thank you.
I think the best way to do this is to find the IP address(es) that the attacker(s) are connecting from, and block them on your firewall. Check the "Source Network Address" field. If it's an internal address, find out which workstation it is and make sure it's not infected/hacked. If it's an external address, just block it on the firewall.
You may also want to check whether there is inside traffic destined for those IP addresses, and block them going out as well. In theory as long as you block one way, they won't be communicating, but my thinking is it never hurts to block both directions.
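As an added example, not part of this thread: a Python script that parses a batch of logon-failure entries in the layout quoted above and groups the user names tried by the "Source Network Address" field that the answer says to check. Entries where that field is "-", as in the asker's sample (logon process Advapi, i.e. the credentials were handed to the server by an application calling LogonUser rather than arriving through a network logon), are grouped by logon process and caller PID instead, because there is no peer address to block. The sample events and the 198.51.100.23 address are constructed.

```python
import re
from collections import defaultdict
# Constructed sample in the layout quoted in the question, unrelated fields
# trimmed; 198.51.100.23 is a documentation-range placeholder address.
SAMPLE_EVENTS = """\
Logon Failure:
User Name: office
Logon Process: Advapi
Caller Process ID: 27500
Source Network Address: -

Logon Failure:
User Name: ftp
Logon Process: Advapi
Caller Process ID: 27500
Source Network Address: -

Logon Failure:
User Name: webadmin
Logon Process: NtLmSsp
Caller Process ID: -
Source Network Address: 198.51.100.23
"""

FIELD = re.compile(r"^([A-Za-z ]+):\s*(.*)$")
def parse_events(text):
    """Split the text into one dict of fields per 'Logon Failure:' block."""
    events, current = [], None
    for line in text.splitlines():
        if line.startswith("Logon Failure:"):
            current = {}
            events.append(current)
        elif current is not None and (m := FIELD.match(line)):
            current[m.group(1).strip()] = m.group(2).strip()
    return events

def source_key(ev):
    """Blockable address when present; otherwise the local logon process and
    caller PID, because '-' means no network peer was recorded."""
    addr = ev.get("Source Network Address", "-")
    if addr != "-":
        return "addr:" + addr
    return "local:%s/pid %s" % (ev.get("Logon Process", "?"), ev.get("Caller Process ID", "?"))

def summarize(text):
    """Map each source to the sorted list of user names tried from it."""
    by_source = defaultdict(set)
    for ev in parse_events(text):
        by_source[source_key(ev)].add(ev.get("User Name", "?"))
    return {k: sorted(v) for k, v in by_source.items()}
```

A source that cycles through many non-existent names is the dictionary pattern; a "local:" key tells you to look at which service on the server is accepting those credentials (for example SMTP authentication on Exchange) rather than at the firewall.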
ASKER
Thanks for the responses.
The failures are coming from different IP addresses over many ports.
I think I do need to get some type of packet sniffing software.
ASKER
Thank you for your input.
I ended up renaming the admin account and shutting off RDP for a week.
The attempts are few so anything else would be too intrusive of a response for the client.
ASKER
Splitting Points.