• Status: Solved

Server Under Attack

Hello everyone, lately I've noticed many failed logon attempts on one of my client's main servers. It first happened a couple of months ago, about 800 or so failed attempts in a half-hour period. Nothing like that happened again until just two days ago, when there were 500 more failed logon attempts that looked the same. (Event 529, uses Microsoft Authentication Package v1, all random names like "administrator", "test", "anna", "bob" etc.) And then just last night there were 140 or so more failed attempts over a 15-minute period.

There is never any address associated with the event, it just says bad username/password and the info I already stated above.

I configured the firewall they use to send me logs of all traffic and of any attacks. Almost immediately I received two blocked attacks; the report looks like the following (with identifiable info removed for now):

08/16/2012 15:07:40.083 -       Back Orifice attack dropped -   xxx.xxx.xxx.xxx, 27883, WAN -   xxx.xxx.xxx, 31337, WAN, mail.server.domain -
 
08/16/2012 15:31:16.383 -       Smurf Amplification attack dropped -    xxx.xxx.xxx.xxx, 8, WAN -       xxx.xxx.xxx.xxx, 8, WAN -
----

Server is Small Business Server Windows 2003
Running an Exchange server

Firewall is a SonicWall - SonicOS Standard 3.8.0.1-27s

I have already done a netstat -an scan and the only ports I find suspicious are UDP 0.0.0.0:13370 and UDP 0.0.0.0:31334 but they might not be anything.

Checked the registry for suspicious software under HKLM\~Windows\CurrentVersion\Run (And a few other folders under \currentversion)
---

So what I'm wondering is, what should I do? All four of the IPs I x'd out are different; only the last two on the Smurf attack are from the same subnet.
Asked by: RADCOMP
 
southpau1 Commented:
You can't stop people from trying to attack you - it's impossible.  If you have a firewall in front of those devices now, and it is picking up and blocking these attempts, then it is an effective countermeasure.  Continue to block this traffic and monitor the servers for more of this activity.  If they continue to reach the server, tweak the firewall rules.

On the server, make sure it is up to date on patches and has AV, and make sure any built-in accounts do not have default passwords.  Also make sure the server's SNMP community name is not public or private - if it is, change it.
 
RADCOMP (Author) Commented:
Thanks for the quick response, I will check out the SNMP settings later tonight.

My concern is that if there are multiple attacks going on, maybe some connections have gotten through that are not using the ports that were blocked.

I suppose all I can do is monitor the firewall logs during the time of another attack.
 
southpau1 Commented:
AV scans on the server will likely reveal any rogue software operating.  The UDP ports you mentioned are likely nothing to be worried about, but you can set up a Wireshark capture on the box if you are paranoid and see what traffic is leaving the box.  If you're not familiar with Wireshark, feel free to post a pcap here and I will analyze it.
RADCOMP (Author) Commented:
Network traffic has been shoddy lately too; I suspect it has to do with the Smurf attack, just throwing this info in here. I read that I should make sure that the firewall/router doesn't respond to pings, and disallow forwarding of packets directed at broadcast addresses. (Not sure how to accomplish that last bit, but according to Wikipedia it won't do anything to prevent the attack anyway; it sounds like it just prevents the network from taking part in a Smurf attack on other networks.)
 
Nagendra Pratap Singh (Desktop Applications Specialist) Commented:
You can run your own scan in the meanwhile

https://www.grc.com/x/ne.dll?bh0bkyd2

This can check your firewall for open ports. If you have unneeded ports then close those.

Also, you can run MBSA on the network to find out how far you are from best practices.

http://en.wikipedia.org/wiki/Microsoft_Baseline_Security_Analyzer
 
RADCOMP (Author) Commented:
I've actually already run both the tools you linked, npsingh123, but they are still worth mentioning for others who might be curious about what to do in this situation.

Left it be over my weekend and came back to check the router logs. Looks like every 1.5 hours the same two attacks run over and over again. I think we're OK though; I haven't noticed any successful logons from weird sources.

Just wanted to hear some expert opinions on best practices for a situation like this; sounds like we are already doing all we can. (Aside from maybe the Wireshark suggestion.)
Question has a verified solution.
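
Added example, not part of the original thread or any poster's code: the last comment reports the same two blocked attacks recurring about every 1.5 hours, and this Python script parses firewall report lines in the layout quoted in the question and checks, per alert type, whether the hits arrive on a fixed schedule from changing sources. The sample lines, addresses, times and the 5-minute tolerance are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in the quoted log layout; RFC 5737 addresses, invented times.
SAMPLE_LOG = """\
08/18/2012 00:07:40.083 -       Back Orifice attack dropped -   203.0.113.7, 27883, WAN -   198.51.100.10, 31337, WAN, mail.server.domain -
08/18/2012 00:31:16.383 -       Smurf Amplification attack dropped -    203.0.113.99, 8, WAN -       198.51.100.255, 8, WAN -
08/18/2012 01:37:40.120 -       Back Orifice attack dropped -   192.0.2.45, 40112, WAN -   198.51.100.10, 31337, WAN, mail.server.domain -
08/18/2012 02:01:16.401 -       Smurf Amplification attack dropped -    203.0.113.98, 8, WAN -       198.51.100.255, 8, WAN -
report truncated by mail gateway
08/18/2012 03:07:41.002 -       Back Orifice attack dropped -   192.0.2.200, 51903, WAN -   198.51.100.10, 31337, WAN, mail.server.domain -
08/18/2012 03:31:17.250 -       Smurf Amplification attack dropped -    203.0.113.97, 8, WAN -       198.51.100.255, 8, WAN -
"""

def parse_line(line):
    """Return a dict for one 'timestamp - message - src - dst -' line, or None."""
    parts = re.split(r"\s+-\s+", re.sub(r"\s*-\s*$", "", line.strip()))
    if len(parts) != 4:
        return None  # not an alert line (header, truncated text, ...)
    try:
        when = datetime.strptime(parts[0], "%m/%d/%Y %H:%M:%S.%f")
    except ValueError:
        return None
    src, dst = ([f.strip() for f in p.split(",")] for p in parts[2:4])
    if len(src) < 3 or len(dst) < 3:  # expect ip, port, interface[, hostname]
        return None
    return {"time": when, "message": parts[1], "src_ip": src[0], "dst_ip": dst[0]}

def summarize(log_text, tolerance_min=5.0):
    """Per message: hits, distinct sources, median gap (minutes), fixed-schedule flag."""
    by_msg = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            by_msg[event["message"]].append(event)
    report = {}
    for msg, events in by_msg.items():
        times = sorted(e["time"] for e in events)
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        mid = median(gaps) if gaps else None
        report[msg] = {"hits": len(events),
                       "sources": len({e["src_ip"] for e in events}),
                       "median_gap_min": round(mid, 1) if gaps else None,
                       "periodic": len(gaps) >= 2 and all(abs(g - mid) <= tolerance_min for g in gaps)}
    return report

if __name__ == "__main__": print(summarize(SAMPLE_LOG))
```

A steady interval with a different source address on every hit points to automated background scanning rather than one host working on this server; compare the hit times against the Event 529 bursts to see whether the two are related.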
