Server Under Attack
Posted on 2012-08-16
Hello everyone, lately I've noticed many failed logon attempts on one of my client's main servers. It first happened a couple of months ago: about 800 or so failed attempts in a half-hour period. Nothing else like that happened until just two days ago, when there were 500 more failed logon attempts of the same kind (Event 529, uses Microsoft Authentication Package v1, all random names like "administrator", "test", "anna", "bob", etc.). And then just last night, 140 or so more failed attempts over a 15-minute period.
There is never any address associated with the event; it just says bad username/password and the info I already stated above.
I configured the firewall they use to send me logs of all traffic and of any attacks, and almost immediately I received two blocked attacks. The report looks like the following (with identifiable info removed for now):
08/16/2012 15:07:40.083 - Back Orifice attack dropped - xxx.xxx.xxx.xxx, 27883, WAN - xxx.xxx.xxx, 31337, WAN, mail.server.domain -
08/16/2012 15:31:16.383 - Smurf Amplification attack dropped - xxx.xxx.xxx.xxx, 8, WAN - xxx.xxx.xxx.xxx, 8, WAN -
Server is Small Business Server Windows 2003
Running an Exchange server
Firewall is a SonicWall - SonicOS Standard 126.96.36.199-27s
I have already done a netstat -an scan, and the only ports I find suspicious are UDP 0.0.0.0:13370 and UDP 0.0.0.0:31334, but they might not be anything.
Checked the registry for suspicious software under HKLM\~Windows\CurrentVersion\Run (and a few other folders under \CurrentVersion).
So what I'm wondering is, what should I do? All four of the IPs I x'd out are different; only the last two, on the Smurf attack, are from the same subnet.
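The two things the post is trying to correlate are the firewall's "attack dropped" lines and the bursts of Event 529 failures on the server. Below is an added example (not the poster's code, and not a SonicWall or Microsoft tool) that does both offline: it parses log lines in the same shape as the two quoted above into fields you can pivot on (source IP, destination port, target host), and it clusters failed-logon records by time gap so that a password-guessing run of hundreds of attempts seconds apart stands out from a user mistyping a password twice in a day. All input is constructed for the demo: the firewall lines reuse the quoted format with RFC 5737 documentation addresses in place of the x'd-out ones, and the Event 529 records are a made-up (timestamp, account) list, since the post only gives the counts and account names.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed firewall lines in the same layout as the two the post quotes.
# Addresses are RFC 5737 documentation ranges, not the poster's real hosts.
FIREWALL_LOG = """\
08/16/2012 15:07:40.083 - Back Orifice attack dropped - 198.51.100.7, 27883, WAN - 203.0.113.10, 31337, WAN, mail.server.domain -
08/16/2012 15:31:16.383 - Smurf Amplification attack dropped - 198.51.100.20, 8, WAN - 203.0.113.10, 8, WAN -
"""

# timestamp - message - src_ip, src_port, src_iface - dst_ip, dst_port, dst_iface[, dst_host] -
FW_LINE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) - "
    r"(?P<msg>.+?) - "
    r"(?P<src_ip>[\d.]+), (?P<src_port>\d+), (?P<src_if>\w+) - "
    r"(?P<dst_ip>[\d.]+), (?P<dst_port>\d+), (?P<dst_if>\w+)(?:, (?P<dst_host>\S+))? -\s*$"
)


def parse_firewall_log(text):
    """Turn 'attack dropped' lines into dicts; lines that don't fit the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = FW_LINE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%m/%d/%Y %H:%M:%S.%f")
        e["src_port"] = int(e["src_port"])
        e["dst_port"] = int(e["dst_port"])
        events.append(e)
    return events


def make_failed_logons():
    """Constructed Event 529-style (time, account) records for the demo: one
    guessing burst of 30 attempts two seconds apart, plus two isolated
    failures by a real user hours apart. Not taken from the poster's logs."""
    start = datetime(2012, 8, 14, 22, 0, 0)
    names = ["administrator", "test", "anna", "bob"]
    records = [(start + timedelta(seconds=2 * i), names[i % 4]) for i in range(30)]
    records.append((datetime(2012, 8, 14, 9, 15, 0), "jsmith"))
    records.append((datetime(2012, 8, 14, 17, 42, 0), "jsmith"))
    return records


def find_logon_bursts(records, max_gap=timedelta(seconds=60), min_count=20):
    """Cluster failed logons whose gap to the previous one is at most max_gap
    and report clusters with at least min_count events. A guessing tool
    produces hundreds of tightly spaced failures across many account names;
    a user who mistypes a password produces a few, far apart."""
    ordered = sorted(records)
    clusters, current = [], []
    for rec in ordered:
        if current and rec[0] - current[-1][0] > max_gap:
            clusters.append(current)
            current = []
        current.append(rec)
    if current:
        clusters.append(current)
    bursts = []
    for c in clusters:
        if len(c) >= min_count:
            bursts.append({
                "start": c[0][0],
                "end": c[-1][0],
                "count": len(c),
                "accounts": Counter(name for _, name in c),
            })
    return bursts


if __name__ == "__main__":
    for e in parse_firewall_log(FIREWALL_LOG):
        print(f"{e['ts']} {e['msg']}: {e['src_ip']}:{e['src_port']} -> "
              f"{e['dst_ip']}:{e['dst_port']} host={e['dst_host']}")
    for b in find_logon_bursts(make_failed_logons()):
        print(f"burst {b['start']} .. {b['end']}: {b['count']} failures, "
              f"{len(b['accounts'])} distinct accounts: {b['accounts'].most_common(3)}")
```

The thresholds (60-second gap, 20 events) are starting points chosen for the constructed data; tune them against the server's real event export. Because the Event 529 entries in the post carry no source address, the time-based clustering is what lets you line a burst up against the firewall's own timestamps and see whether the same minutes show connections from one outside address.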