Server Under Attack

Posted on 2012-08-16
Medium Priority
Last Modified: 2012-08-19
Hello everyone, lately I've noticed many failed logon attempts on one of my client's main server. It first happened a couple month ago, about 800 or so failed attempts in a half an hour period. Nothing else has happened like that since just two days ago, 500 more failed logon attempts with the same looking attempts. (Event 529, uses Microsoft Authentication Package v1, all random names like "administrator", "test", "anna", "bob" etc) And then just last night 140 or so more failed attempts over a 15 minute period.

There is never any address associated with the event, it just says bad username/password and the info I already stated above.

I configured the firewall they use to send me logs of all traffic and of any attacks, almost immediately I have already received two blocked attacks, the report looks like the following: (With identifiable info removed for now)

08/16/2012 15:07:40.083 -       Back Orifice attack dropped -   xxx.xxx.xxx.xxx, 27883, WAN -   xxx.xxx.xxx, 31337, WAN, mail.server.domain -
08/16/2012 15:31:16.383 -       Smurf Amplification attack dropped -    xxx.xxx.xxx.xxx, 8, WAN -       xxx.xxx.xxx.xxx, 8, WAN -

Server is Small Business Server Windows 2003
Running an Exchange server

Firewall is a SonicWall - SonicOS Standard

I have already done a netstat -an scan and the only ports I find suspicious are UDP and UDP but they might not be anything.

Checked the registry for suspicious software under HKLM\~Windows\CurrentVersion\Run (And a few other folders under \currentversion)

So what I'm wondering is, what should I do? All four of the IP's I x'd out are different, only the last two on the Smurf attack are from the same subnet.
Question by:RADCOMP
  • 3
  • 2

Assisted Solution

southpau1 earned 999 total points
ID: 38302973
You cant stop people from trying to attack you - its impossible.  If you have a firewall in front of those devices now, and it is picking up and blocking these attempts, then it is an effective counter measure.  Continue to block this traffic and monitor the servers for more of this activity.  If they continue to reach the server, tweak the firewall rules.

On the server, make sure it is up to date on patches and has AV, and make sure any built in accounts do not have default passwords.  Also make sure the servers snmp community name is not public or private - if they are change them.

Author Comment

ID: 38303007
Thanks for the quick response, I will check out the snmp settings later tonight.

My concern is that if there are multiple attacks going on that maybe some connections have gotten through not using the ports that were blocked.

I suppose all I can do is monitor the firewall logs during the time of another attack.

Assisted Solution

southpau1 earned 999 total points
ID: 38303037
Av scans on the server will likely reveal any rogue software operating.  The udp port you mentioned are likely nothing to be worried about, but yu can set up a wireshark capture on the box if you are paranoid and see what traffic is leaving the box.  If youre not familiar with wireshark feel free to post. Pcap here and i will analyze
Rewarding opportunities for women in IT

Across the nation, technology jobs are vacant because there aren’t enough qualified professionals to fill them. With a degree from WGU, you can get the credentials it takes to become an in-demand IT professional. Plus, WGU’s IT programs include industry certifications.


Author Comment

ID: 38303121
Network traffic has been shoddy lately too, I suspect it has to do with the smurf attack, just throwing this info in here. Read that I should make sure that the firewall/router doesn't respond to pings. And to disallow forwarding of packets directed at broadcast addresses. (Not sure how to accomplish that last bit but according to Wikipedia it won't do anything to prevent the attack anyways, sounds like it just prevents the network from taking part in the smurf attack on other networks.
LVL 24

Accepted Solution

Nagendra Pratap Singh earned 501 total points
ID: 38303429
You can run your own scan in the meanwhile


This can check your firewall for open ports. If you have unneeded ports then close those.

Also you can MBSA on the network to find out how far you are from the best practices.


Author Closing Comment

ID: 38309895
I've actually already ran both the tools you linked npsingh123 but they are still worth mentioning for others who might be curious about what to do in this situation.

Let it be over my weekend and came back to check router logs, Looks like every 1.5 hours the same two attacks run over and over again. I think we're ok tho, I haven't noticed any successful logons from weird sources.

Just wanted to hear someone expert opinions on best practices for a situation like this, sounds like we are already doing all we can. (Aside from maybe the wireshark suggestion.)

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Getting to know the threat landscape in which DDoS has evolved, and making the right choice to get ourselves geared up to defend against  DDoS attacks effectively. Get the necessary preparation works done and focus on Doing the First Things Right.
Keystroke loggers have been around for a very long time. While the threat is old, some of the remedies are new!
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

807 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question