Advice on hack attempts on Windows Server 2008 R2

Posted on 2015-01-14
Last Modified: 2015-01-21
Somebody in Germany (determined by the IP address) has been trying to hack into my Windows 2008R2 server continuously over the last few days using what appears to be a dictionary attack - see below for an example security event.
The local administrator account is disabled and I am not convinced they will be successful with the usernames they are trying to use.
What perplexes me is that this machine is behind a Sonicwall firewall and is a virtual machine; I can see no way they can be accessing it.
I have anti-virus running and ran Malwarebytes and it is completely clean.
The IP address is always different, but an online IP locator points to the same village in Germany, so this could be a bot attack or something similar.
Is there a sure-fire way of stopping this, or is it an occupational hazard?
Question by:fuzzyfreak

Assisted Solution

fuzzyfreak earned 0 total points
ID: 40548714
Sorry, forgot this -

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          14/01/2015 11:32:50
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      removed for security
An account failed to log on.

      Security ID:            SYSTEM
      Account Name:            removed for security$
      Account Domain:            removed for security
      Logon ID:            0x3e7

Logon Type:                  10

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            experience
      Account Domain:            removed for security

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xc000006d
      Sub Status:            0xc0000064

Process Information:
      Caller Process ID:      0xf34
      Caller Process Name:      C:\Windows\System32\winlogon.exe

Network Information:
      Workstation Name:      removed for security
      Source Network Address:
      Source Port:            57626

Detailed Authentication Information:
      Logon Process:            User32
      Authentication Package:      Negotiate
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
      - Transited services indicate which intermediate services have participated in this logon request.
      - Package name indicates which sub-protocol was used among the NTLM protocols.
      - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event Xml:
<Event xmlns="">
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <TimeCreated SystemTime="2015-01-14T11:32:50.994847800Z" />
    <Correlation />
    <Execution ProcessID="528" ThreadID="1456" />
    <Computer>removed for security</Computer>
    <Security />
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">removed for security$</Data>
    <Data Name="SubjectDomainName">removed for security</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">experience</Data>
    <Data Name="TargetDomainName">removed for security</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc0000064</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="LogonProcessName">User32 </Data>
    <Data Name="AuthenticationPackageName">Negotiate</Data>
    <Data Name="WorkstationName">removed for security</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0xf34</Data>
    <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
    <Data Name="IpAddress"></Data>
    <Data Name="IpPort">57626</Data>
LVL 54

Expert Comment

ID: 40548720

Should that server be usable for logons via internet (RDP/VPN) at all? If not, then your firewall is misconfigured.
LVL 14

Expert Comment

by:Don Thomson
ID: 40548832
If you do use RDP to access your servers - change the port in your firewall to something besides 3389. The firewall should allow you to remap the port back to 3389 automatically while still allowing your users to access the server through RDP. So if you changed the port that users will use to something like 2378, they would then access RDP by entering 1xx.2xx.3xx.4xx:2378 or
LVL 35

Assisted Solution

Kimputer earned 50 total points
ID: 40548836
Partially occupational hazard (like web access, it's a bit weird to change the port number to that), partially your own fault (RDP has no hammer protection), so as described above, use another port number (on the modem/router/firewall), but I prefer a MUCH higher number (in case of finding it through port scanning).
In a Windows 2003 environment I wrote a VBScript, though, to check the event log and block (or rather, route back to a non-working IP) the IP upon failing to log in a few times per xx minutes. Not sure I can adjust it to 2008, but with changing the port numbers, you shouldn't see this event at all (except from valid users who made a typo during login).

Expert Comment

by:Sean Jackson
ID: 40548949
Block access from this IP at the firewall. Clearly the actions are unwanted.

I would create rules that auto-add IPs to blacklists when such behavior is noticed.
LVL 95

Expert Comment

by:Lee W, MVP
ID: 40548953
Unless you're expecting users from Germany, block the ISP/country at the firewall level.  If you can't, then get a better firewall.

Author Comment

ID: 40549078
Thanks for your responses guys, let me take each one in turn -
Yes, this server is used for RDP but only internally - I am not sure how it is being accessed externally unless I have opened the same port on the firewall.
I will have to try and figure out how to change the RDP port on the server.
Blocking the IP is not an option as each time it changes.
Blocking Germany to my firewall is not an option as we travel Internationally.
LVL 95

Expert Comment

by:Lee W, MVP
ID: 40549090
Use VPN.

Expert Comment

by:Sean Jackson
ID: 40549091
Create a script that auto-adds the IP to the firewall. Don't block all of Germany, save that behavior for China.

Author Comment

ID: 40549092

I presume this article will work to change my port but how can you tell from my security event that port 3389 was being used?
Does the client need to know about this new port to be able to access the server via RDP?

Author Comment

ID: 40549095
Please explain why I need to make changes to the firewall when this is an internal issue i.e. inside my firewall?
Not sure how VPN would help?
LVL 54

Accepted Solution

McKnife earned 250 total points
ID: 40549106
There is some forwarding configured at your firewall, or it is altogether opening that server to the internet - either way, it's misconfigured and needs to be reviewed. Your log shows logon type 10: Remote Interactive logon, which means someone is trying to abuse Remote Desktop.
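Kimputer's script that checks the event log and blocks repeat offenders, Sean Jackson's suggestion of auto-adding IPs to the firewall, and McKnife's point that the LogonType field in event 4625 identifies Remote Desktop attempts can be combined into one PowerShell script. This is an added example, not code from the thread or from Experts Exchange. It assumes it runs on the 2008 R2 server itself under PowerShell 2.0 or later with administrative rights, a threshold of 5 failures in 10 minutes, and a firewall rule name prefix of "EE-RDP-Block"; all three values are the example's own choices. Note that the event posted above has an empty Source Network Address: a type 10 failure recorded by winlogon.exe carries no client address, so such events can be counted but not blocked by IP, which is one more reason to close the forwarded port at the firewall rather than rely on a blocklist.

```powershell
# Added example (not from the thread): count 4625 audit failures per source address
# over a look-back window and block repeat offenders with a Windows Firewall rule.
param(
    [int]$Threshold = 5,        # failures per address before blocking (assumed value)
    [int]$WindowMinutes = 10,   # look-back window in minutes (assumed value)
    [switch]$Apply              # without -Apply the script only reports; it changes nothing
)

# Logon types as documented for event 4625; 10 (RemoteInteractive) is the one in the posted event
$logonTypeNames = @{ 2 = 'Interactive'; 3 = 'Network'; 7 = 'Unlock'; 8 = 'NetworkCleartext'; 10 = 'RemoteInteractive' }
# Sub-status codes; 0xc0000064 is the one in the posted event
$subStatusNames = @{
    '0xc0000064' = 'user name does not exist'
    '0xc000006a' = 'wrong password'
    '0xc0000072' = 'account disabled'
    '0xc0000234' = 'account locked out'
}

function Get-LogonFailures {
    param([datetime]$Since)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the named Data fields out of the event XML (the same fields shown in the posted event)
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($node in $xml.Event.EventData.Data) { $d[$node.GetAttribute('Name')] = $node.InnerText }

        $lt = [int]$d['LogonType']
        $ltName = $lt.ToString()
        if ($logonTypeNames.ContainsKey($lt)) { $ltName = "$lt ($($logonTypeNames[$lt]))" }

        $ip = $d['IpAddress']
        if ([string]::IsNullOrEmpty($ip) -or $ip -eq '-') { $ip = '(blank)' }   # as in the posted event

        $reason = ''
        if ($d['SubStatus']) { $reason = $subStatusNames[$d['SubStatus'].ToLower()] }

        New-Object PSObject -Property @{
            Time = $e.TimeCreated; User = $d['TargetUserName']; LogonType = $ltName; Reason = $reason; IpAddress = $ip
        }
    }
}

$since = (Get-Date).AddMinutes(-$WindowMinutes)
$failures = @(Get-LogonFailures -Since $since)
Write-Host ("{0} failed logons since {1}" -f $failures.Count, $since)
$failures | Sort-Object Time | Format-Table Time, User, LogonType, Reason, IpAddress -AutoSize

# Failures with no source address can only be counted, not blocked
$blank = @($failures | Where-Object { $_.IpAddress -eq '(blank)' })
if ($blank.Count -gt 0) {
    Write-Host ("{0} failures carry no source address and cannot be blocked by IP" -f $blank.Count)
}

$offenders = $failures | Where-Object { $_.IpAddress -ne '(blank)' } | Group-Object IpAddress | Where-Object { $_.Count -ge $Threshold }
foreach ($g in $offenders) {
    $ip = $g.Name
    $ruleName = "EE-RDP-Block $ip"    # assumed naming convention
    Write-Host ("{0}: {1} failures in {2} minutes -> block" -f $ip, $g.Count, $WindowMinutes)
    if ($Apply) {
        # netsh advfirewall exists on 2008 R2 (the NetSecurity cmdlets do not); skip if the rule already exists
        $existing = netsh advfirewall firewall show rule name="$ruleName" 2>$null
        if ($existing -match 'No rules match') {
            netsh advfirewall firewall add rule name="$ruleName" dir=in action=block "remoteip=$ip" | Out-Null
        }
    }
}
```

Run it first without -Apply to see what it would block, then schedule it with Task Scheduler every few minutes with -Apply once the output looks right. Because every blocked address in this thread changes between attempts, the rules will accumulate and should be reviewed or expired periodically; the threshold also needs to be high enough that a legitimate user mistyping a password a couple of times is not locked out of the network.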

Author Comment

ID: 40549116
Thanks very much for that clarification.  Yes, I have discovered port 3389 is open on the firewall, but this does not necessarily mean it is misconfigured; I do need to discover why that port has been opened and reconfigure.  I'll get back once I have found out where this has been opened in the minefield that is my Sonicwall device.
LVL 14

Assisted Solution

by:Don Thomson
Don Thomson earned 150 total points
ID: 40549165
You don't have to change the port in the server. This means that your internal RDP users won't need to change the method they currently use.

In the firewall - change the external port to something other than 3389 but keep the internal port at 3389.

Any decent firewall or router will allow you to do this.  This is often done where someone has multiple IP printers locally that they need to access when connected via RDP to an external system. Most printers use 515 or 9100 - if you assign each printer to a different external port then anyone printing to the different port will get to the right printer, as the firewall is programmed to change the "different" port number back to the default for that printer but sends it to the correct IP for that printer.

If you're not sure why the port was opened - change the external port to 53389 -> ServerIP:3389

As soon as you do that - no one trying to access the server using port 3389 on the far side of your router/firewall will get any access.  They will soon stop trying and go on to the next system.  If a legitimate user tries to get in - you can tell them to add :53389 to the destination IP.
LVL 95

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 50 total points
ID: 40549323
A VPN requires only one port open on the firewall and requires authentication with the server.  Opening ports opens doors to hackers.  Changing the port to a non-standard one and forwarding does little to help.  Many of the attack tools used would simply scan all ports and then attempt to connect via RDS or other protocols.

If you need to provide remote access, then you need to ensure your company is using all the best practices it can to secure the network.  A VPN would be safer than simply port forwarding your RDP protocol.  I don't know what your company does, but if you don't have people CURRENTLY in Germany, block them for the moment - you can always unblock later.

You should also consider getting the appropriate licenses to use Direct Access and other more advanced mechanisms to secure the network.

Author Comment

ID: 40549325
Great advice, thanks, but now I have discovered which internal servers Terminal Services (and therefore port 3389) is open for. We use VPN for remote access so I am not sure if I need this port open on any of these servers...however I did just get one of our external consultants asking why their RDP access to one of our servers has just stopped working (oops). I may need to give them VPN access so I can close off this port.

Author Closing Comment

ID: 40561585
Port plugged, issue gone, thank you all very much for your help and education on this matter!
