Server Under Attack

Posted on 2012-08-16
Last Modified: 2012-08-19
Hello everyone, lately I've noticed many failed logon attempts on one of my client's main servers. It first happened a couple of months ago: about 800 or so failed attempts in a half-hour period. Nothing else like that has happened since, until just two days ago, when there were 500 more failed logon attempts with the same-looking attempts (Event 529, uses Microsoft Authentication Package v1, all random names like "administrator", "test", "anna", "bob", etc.). And then just last night, 140 or so more failed attempts over a 15-minute period.

There is never any address associated with the event, it just says bad username/password and the info I already stated above.

I configured the firewall they use to send me logs of all traffic and of any attacks; almost immediately I received two blocked attacks. The report looks like the following (with identifiable info removed for now):

08/16/2012 15:07:40.083 -       Back Orifice attack dropped -, 27883, WAN -, 31337, WAN, mail.server.domain -
08/16/2012 15:31:16.383 -       Smurf Amplification attack dropped -, 8, WAN -, 8, WAN -

Server is Small Business Server Windows 2003
Running an Exchange server

Firewall is a SonicWall - SonicOS Standard

I have already done a netstat -an scan and the only ports I find suspicious are UDP and UDP, but they might not be anything.

Checked the registry for suspicious software under HKLM\~Windows\CurrentVersion\Run (and a few other folders under \CurrentVersion).

So what I'm wondering is, what should I do? All four of the IPs I x'd out are different; only the last two on the Smurf attack are from the same subnet.
Question by:RADCOMP
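The failed-logon bursts described in the question (hundreds of Event 529 records in a short window, generic account names, no source address) are straightforward to pick out of an exported Security log with a script. The following is an added example, not code or data from the original poster: the export layout (date,time,event_id,description), the helper names and the sample records are all constructed assumptions, and the parser should be adapted to whatever your export tool actually produces. It clusters failures by time gap, so a 30-minute run is reported as one burst, and counts how many records carry "Source Network Address: -", the case where the attacker's address has to come from the firewall log instead.

```python
"""Burst detection over Windows Server 2003 Security-log Event ID 529 (logon failure) records.

Constructed example: the export layout (date,time,event_id,description) and the helper
names are assumptions, not the original poster's data.
"""
import re
from datetime import datetime, timedelta

# Fields pulled out of the 529 description text (Server 2003 wording).
USER_RE = re.compile(r"User Name:\s*(\S+)")
ADDR_RE = re.compile(r"Source Network Address:\s*(\S+)")


def make_record(ts, user, src="-"):
    """Build one constructed export line. Server 2003 writes 'Source Network Address: -'
    when no address was recorded, which is the case the question describes."""
    desc = ("Logon Failure: Reason: Unknown user name or bad password "
            f"User Name: {user} Domain: CORP Logon Type: 3 "
            "Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 "
            f"Workstation Name: - Source Network Address: {src} Source Port: -")
    return f"{ts:%m/%d/%Y},{ts:%H:%M:%S},529,{desc}"


def build_sample():
    """60 failures in three minutes against generic account names (the pattern in the
    question), followed by one daytime typo by a real user from a LAN host. Constructed."""
    base = datetime(2012, 8, 14, 2, 10, 0)
    names = ["administrator", "test", "anna", "bob", "guest", "admin", "sales", "backup"]
    lines = [make_record(base + timedelta(seconds=3 * i), names[i % len(names)])
             for i in range(60)]
    lines.append(make_record(datetime(2012, 8, 14, 9, 30, 0), "jsmith", "192.168.1.20"))
    return "\n".join(lines)


def parse_529(text):
    """Return (timestamp, user, source_addr_or_None) for every Event 529 line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, event_id, desc = line.split(",", 3)
        if event_id != "529":
            continue
        ts = datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S")
        user = USER_RE.search(desc).group(1).lower()
        addr = ADDR_RE.search(desc)
        addr = addr.group(1) if addr and addr.group(1) != "-" else None
        events.append((ts, user, addr))
    return events


def find_bursts(events, max_gap=timedelta(minutes=2), min_events=20):
    """Cluster failures separated by at most max_gap; report clusters of at least
    min_events. Gap-based clustering keeps a 30-minute run as one burst instead of
    chopping it into fixed windows."""
    clusters, current = [], []
    for ev in sorted(events, key=lambda e: e[0]):
        if current and ev[0] - current[-1][0] > max_gap:
            clusters.append(current)
            current = []
        current.append(ev)
    if current:
        clusters.append(current)

    bursts = []
    for c in clusters:
        if len(c) < min_events:
            continue
        bursts.append({
            "start": c[0][0],
            "end": c[-1][0],
            "count": len(c),
            "users": sorted({u for _, u, _ in c}),
            # With no recorded address, the only place to find the source is the
            # firewall log for the same minutes.
            "no_source_addr": sum(1 for _, _, a in c if a is None),
        })
    return bursts


if __name__ == "__main__":
    for b in find_bursts(parse_529(build_sample())):
        print(f"{b['start']:%Y-%m-%d %H:%M:%S} - {b['end']:%H:%M:%S}: "
              f"{b['count']} failures, {len(b['users'])} names, "
              f"{b['no_source_addr']} without a source address; "
              f"names: {', '.join(b['users'])}")
```

The list of names in a burst is the quickest tell: a run of generic accounts ("administrator", "test", "guest") that do not exist on the server is a dictionary being walked, not a user mistyping a password, and the burst's start and end times are what you line up against the firewall log.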
    LVL 7

    Assisted Solution

    You can't stop people from trying to attack you; it's impossible. If you have a firewall in front of those devices now, and it is picking up and blocking these attempts, then it is an effective countermeasure. Continue to block this traffic and monitor the servers for more of this activity. If they continue to reach the server, tweak the firewall rules.

    On the server, make sure it is up to date on patches and has AV, and make sure any built-in accounts do not have default passwords. Also make sure the server's SNMP community names are not public or private; if they are, change them.
    LVL 1

    Author Comment

    Thanks for the quick response, I will check out the SNMP settings later tonight.

    My concern is that if there are multiple attacks going on, maybe some connections have gotten through not using the ports that were blocked.

    I suppose all I can do is monitor the firewall logs during the time of another attack.
    LVL 7

    Assisted Solution

    AV scans on the server will likely reveal any rogue software operating. The UDP ports you mentioned are likely nothing to be worried about, but you can set up a Wireshark capture on the box if you are paranoid and see what traffic is leaving the box. If you're not familiar with Wireshark, feel free to post a pcap here and I will analyze it.
    LVL 1

    Author Comment

    Network traffic has been shoddy lately too; I suspect it has to do with the Smurf attack, just throwing this info in here. I read that I should make sure that the firewall/router doesn't respond to pings, and disallow forwarding of packets directed at broadcast addresses. (Not sure how to accomplish that last bit, but according to Wikipedia it won't do anything to prevent the attack anyway; it sounds like it just prevents the network from taking part in a Smurf attack on other networks.)
    LVL 23

    Accepted Solution

    You can run your own scan in the meanwhile.

    This can check your firewall for open ports. If you have unneeded ports open, close them.

    Also, you can run MBSA on the network to find out how far you are from best practices.
    LVL 1

    Author Closing Comment

    I've actually already run both the tools you linked, npsingh123, but they are still worth mentioning for others who might be curious about what to do in this situation.

    I let it be over the weekend and came back to check the router logs. Looks like every 1.5 hours the same two attacks run over and over again. I think we're OK though, I haven't noticed any successful logons from weird sources.

    Just wanted to hear some expert opinions on best practices for a situation like this; sounds like we are already doing all we can (aside from maybe the Wireshark suggestion).
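The closing comment's observation (the same two signatures firing every 1.5 hours) and the earlier advice to watch the firewall log during the next logon burst are both things a script can do against the SonicWall export. This is an added example, not the poster's code or log data: the field layout is inferred from the two lines quoted in the question and is an assumption, the sample lines are constructed, and the reading of "8" on the Smurf line as the ICMP type (echo request) in the port column is likewise an assumption about how SonicOS logs ICMP. It parses the lines, reports whether each signature recurs on a regular cadence (a regular interval points at an automated scanner), and pulls the firewall hits that fall within a few minutes of a timestamp taken from the server's Security log, which is the only way to put an address next to an Event 529 burst that recorded none.

```python
"""Parse SonicOS-style 'attack dropped' log lines, check whether each signature recurs on a
fixed cadence, and pull the hits that sit near a timestamp from the server's Security log.

Constructed example: the field layout is inferred from the two lines quoted in the
question and is an assumption; the sample lines below are made up, not real log data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Assumed layout (IP addresses already stripped by the poster):
#   <date> <time> - <message> -, <src port>, <src iface> -, <dst port>, <dst iface>[, <dst host>] -
# For ICMP the "port" columns are assumed to carry the ICMP type, so "8" = echo request.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) -\s+(?P<msg>.+?) -, "
    r"(?P<sport>\d+), (?P<sif>\w+) -, (?P<dport>\d+), (?P<dif>\w+)(?:, (?P<host>\S+))? -$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it is not in the assumed layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%m/%d/%Y %H:%M:%S.%f")
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d


def fmt(ts, msg, sport, dport, host=None):
    """Emit one constructed line in the assumed layout (millisecond timestamp)."""
    stamp = f"{ts:%m/%d/%Y %H:%M:%S.%f}"[:-3]
    tail = f", {host} -" if host else " -"
    return f"{stamp} -       {msg} -, {sport}, WAN -, {dport}, WAN{tail}"


def build_sample():
    """Two signatures firing every ~90 minutes with a few minutes of jitter, plus one
    unrelated one-off hit; all constructed."""
    jitter = [0, 3, -2, 4, -3, 1, -4, 2]             # minutes, deterministic
    bo = datetime(2012, 8, 16, 15, 7, 40, 83000)      # timestamp of the first quoted line
    smurf = datetime(2012, 8, 16, 15, 31, 16, 383000)  # timestamp of the second quoted line
    lines = []
    for k, j in enumerate(jitter):
        lines.append(fmt(bo + timedelta(minutes=90 * k + j), "Back Orifice attack dropped",
                         27883, 31337, "mail.server.domain"))
        lines.append(fmt(smurf + timedelta(minutes=90 * k + j),
                         "Smurf Amplification attack dropped", 8, 8))
    lines.append(fmt(datetime(2012, 8, 16, 18, 2, 5, 1000), "Probable port scan dropped",
                     44321, 445))
    return lines


def cadence(events, tolerance=0.15):
    """Per message: hit count, median gap in minutes, and whether every gap sits within
    +/- tolerance of the median (needs at least three hits to call it a cadence)."""
    by_msg = defaultdict(list)
    for e in events:
        by_msg[e["msg"]].append(e["ts"])
    out = {}
    for msg, times in by_msg.items():
        times.sort()
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        med = round(median(gaps), 1) if gaps else None
        regular = len(gaps) >= 2 and all(abs(g - med) <= tolerance * med for g in gaps)
        out[msg] = {"count": len(times), "median_gap_min": med, "periodic": regular}
    return out


def near(events, when, slack=timedelta(minutes=5)):
    """Firewall hits within slack of a timestamp (e.g. the start of an Event 529 burst)."""
    return [e for e in events if abs(e["ts"] - when) <= slack]


if __name__ == "__main__":
    events = [parse_line(l) for l in build_sample()]
    for msg, info in cadence(events).items():
        print(f"{msg:36s} hits={info['count']:2d} median_gap_min={info['median_gap_min']} "
              f"periodic={info['periodic']}")
    burst_start = datetime(2012, 8, 16, 16, 37, 0)   # constructed: a 529 burst start time
    for e in near(events, burst_start):
        print("around burst:", e["ts"], e["msg"], "->", e["host"] or "(no host)",
              "dst port", e["dport"])
```

Two caveats a practitioner should keep in mind when reading the output: a "dropped" line is a signature match on traffic the firewall already discarded, not evidence anything reached the server, and the Back Orifice signature is keyed on the destination port (31337, the tool's default), so any probe of that port trips it whether or not the sender is running that tool.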
