Solved

How to prevent unwanted logins on server?

Posted on 2013-10-25
Last Modified: 2013-11-22
We have a cloud server on Rackspace. The event log revealed thousands of login attempts via winlogon.exe. We restricted Remote Desktop access to our IP. But now the attack appears to be coming from within our domain. 3 of our 25 domain computers are attempting to log in about 5 times per second.

We use Symantec antivirus and the definitions are up to date. We have started full scans of the machines. In the meantime, has anyone seen this before? Our in-house server is fine.
Question by:gerrystrat
5 Comments
 
LVL 63

Accepted Solution

by:
btan earned 333 total points
ID: 39602588
I assume the logon type you saw is 10, which indicates that the logon attempt was a remote interactive attempt via Terminal Services or Remote Desktop. As best practice, I would not expose Remote Desktop without a smart card or VPN solution.

Quite some time ago there was this MS RDP vulnerability:
https://technet.microsoft.com/en-us/security/bulletin/ms12-020
https://secunia.com/advisories/48395

You can't stop someone from attempting the attack, but you can reduce their chance of success by keeping the system up to date with patches, by using some type of IDS/IPS, and by auditing your logs regularly to stay aware of the frequency and volume of the attempts. E.g. consider calling up your hosting provider and having them whitelist your source IPs for 3389 and drop all other traffic not originating from your sources.

http://social.technet.microsoft.com/Forums/windowsserver/en-US/76577df7-02dc-45fc-87d3-71edf9b51ab1/2003-terminal-server-winlogonexe-csrssexe-attack?forum=winserverTS
 
LVL 3

Assisted Solution

by:w_richard
w_richard earned 167 total points
ID: 39605274
There is no easy or really airtight solution for this.

But first of all, communication to the backend should at least use SSL encryption to minimize the risk of a man-in-the-middle attack.

Have a look at this video link:

http://www.youtube.com/watch?v=AcQVGRy00

And it can turn out to be caused by an attempt to get into the server through Remote Desktop/Terminal Services, either a brute-force or a massive dictionary attack (every RDP logon attempt causes LogonUI to spawn). Check your System and Security event logs; they'll contain more information (such as the originating IP of any failed remote logon attempts).
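The two answers above both come down to the same two actions: read the failed-logon records in the Security log to see where the attempts originate and what logon type they use, and scope port 3389 to an allow-list. The following is an added example, not code posted in this thread. It assumes Security event ID 4625 (failed logon, Vista/2008 and later), placeholder management addresses 203.0.113.10 and 203.0.113.11, and the NetSecurity firewall cmdlets (Server 2012 / Windows 8 and later); the sample records are constructed, not real log data.

```powershell
# Added example (not from the thread): summarise failed logons (Security event
# ID 4625) by source address and logon type so RDP brute force (logon type 10)
# and noisy internal workstations stand out, then pin inbound 3389 to an
# allow-list. Run in an elevated PowerShell session on the server.

# Flatten the EventData of one 4625 record into a plain object.
function ConvertFrom-FailedLogon {
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $data = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Time        = $Event.TimeCreated
            User        = $data['TargetUserName']
            Workstation = $data['WorkstationName']
            SourceIp    = $data['IpAddress']
            LogonType   = $data['LogonType'] -as [int]   # 10 = RemoteInteractive (RDP)
            Status      = $data['Status']                # 0xC000006D = bad user name or password
        }
    }
}

# Group failures by source and logon type, compute the attempt rate over the
# window seen, and flag any source that crosses the threshold.
function Get-FailedLogonSummary {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Failure,
        [int]$Threshold = 50
    )
    begin { $all = New-Object System.Collections.ArrayList }
    process { [void]$all.Add($Failure) }
    end {
        $all | Group-Object SourceIp, LogonType | ForEach-Object {
            $sorted = @($_.Group | Sort-Object Time)
            $span   = ($sorted[-1].Time - $sorted[0].Time).TotalSeconds
            [pscustomobject]@{
                SourceIp    = $sorted[0].SourceIp
                Workstation = $sorted[0].Workstation
                LogonType   = $sorted[0].LogonType
                Attempts    = $_.Count
                PerSecond   = if ($span -gt 0) { [math]::Round($_.Count / $span, 2) } else { $_.Count }
                Users       = ($sorted | ForEach-Object { $_.User } | Sort-Object -Unique) -join ','
                Suspicious  = $_.Count -ge $Threshold
            }
        } | Sort-Object Attempts -Descending
    }
}

# Constructed sample (not real log data) so the summary can be tried offline:
# one internal workstation firing five type-10 attempts per second with a
# different user name each time, plus one stray failure from the Internet.
$t0 = Get-Date
$sample = @(
    1..25 | ForEach-Object {
        [pscustomobject]@{ Time = $t0.AddMilliseconds($_ * 200); User = "admin$_";
            Workstation = 'WS07'; SourceIp = '10.0.0.17'; LogonType = 10; Status = '0xC000006D' }
    }
    [pscustomobject]@{ Time = $t0; User = 'administrator'; Workstation = '-';
        SourceIp = '198.51.100.23'; LogonType = 10; Status = '0xC000006D' }
)
$sample | Get-FailedLogonSummary -Threshold 20 | Format-Table -AutoSize

# The same summary over the live Security log for the last 24 hours.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-24) } |
    ConvertFrom-FailedLogon | Get-FailedLogonSummary | Format-Table -AutoSize

# Pin the built-in Remote Desktop rules to the management allow-list
# (placeholder addresses). Windows Firewall drops inbound traffic that matches
# no allow rule, so every other source loses 3389 once the rule is scoped.
$allowed = @('203.0.113.10', '203.0.113.11')
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $allowed
```

The Workstation and SourceIp columns are what answer the question in this thread: a steady type-10 stream at several attempts per second from an internal address, cycling through user names, is a host-level problem on that workstation rather than an Internet-facing one, and scoping the firewall rule to the management addresses also cuts off those internal hosts until they have been cleaned. The Status field separates a non-existent user name from a wrong password for a real one, which tells you whether the attacker already has a valid account list.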
 
LVL 63

Assisted Solution

by:btan
btan earned 333 total points
ID: 39605430
Go for a baseline image for all workstations and a baseline network traffic norm, especially on the critical services. Capturing the load metrics using SNMP and piping syslog to SIEMs can piece together the big ops picture to drill into anomalies. Those playful workstations were likely breached unintentionally via USB drive, with malware doing internal callback and recon. It is just an assumption, but starting off from a clean slate and hardened state will help to isolate and respond faster.

The key is continuous monitoring.
 

Author Closing Comment

by:gerrystrat
ID: 39606477
w_richard, the video no longer exists
 
LVL 3

Expert Comment

by:w_richard
ID: 39608025
Maybe it was removed after I watched it and gave you the link.

Sorry about this.