Solved

Advice on hack attempts on Windows Server 2008 R2

Posted on 2015-01-14
17
341 Views
Last Modified: 2015-01-21
Somebody in Germany (determined by the IP address) has been trying to hack into my Windows 2008R2 server over the last few days continuously using what appears to be a dictionary attack - see below for example security event.
The local administrator account is disabled and I am not convinced they will be successful with the usernames they are trying to use.
What perplexes me is that this machine is behind a Sonicwall firewall and is a virtual machine; I can see no way they can be accessing it.
I have anti-virus running and ran Malwarebytes and it is completely clean.
The IP address is always different but an online IP locator points to the same village in Germany so this could be a bot attack or something similar.
Is there a sure-fire way of stopping this, or is it an occupational hazard?
Question by:fuzzyfreak
17 Comments
 
LVL 4

Assisted Solution

by:fuzzyfreak
fuzzyfreak earned 0 total points
ID: 40548714
Sorry, forgot this -

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          14/01/2015 11:32:50
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      removed for security
Description:
An account failed to log on.

Subject:
      Security ID:            SYSTEM
      Account Name:            removed for security$
      Account Domain:            removed for security
      Logon ID:            0x3e7

Logon Type:                  10

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            experience
      Account Domain:            removed for security

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xc000006d
      Sub Status:            0xc0000064

Process Information:
      Caller Process ID:      0xf34
      Caller Process Name:      C:\Windows\System32\winlogon.exe

Network Information:
      Workstation Name:      removed for security
      Source Network Address:      31.193.139.222
      Source Port:            57626

Detailed Authentication Information:
      Logon Process:            User32
      Authentication Package:      Negotiate
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
      - Transited services indicate which intermediate services have participated in this logon request.
      - Package name indicates which sub-protocol was used among the NTLM protocols.
      - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2015-01-14T11:32:50.994847800Z" />
    <EventRecordID>1062904</EventRecordID>
    <Correlation />
    <Execution ProcessID="528" ThreadID="1456" />
    <Channel>Security</Channel>
    <Computer>removed for security</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">removed for security$</Data>
    <Data Name="SubjectDomainName">removed for security</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">experience</Data>
    <Data Name="TargetDomainName">removed for security</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc0000064</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="LogonProcessName">User32 </Data>
    <Data Name="AuthenticationPackageName">Negotiate</Data>
    <Data Name="WorkstationName">removed for security</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0xf34</Data>
    <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
    <Data Name="IpAddress">31.193.139.222</Data>
    <Data Name="IpPort">57626</Data>
  </EventData>
</Event>
 
LVL 53

Expert Comment

by:McKnife
ID: 40548720
Hi.

Should that server be usable for logons via internet (RDP/VPN) at all? If not, then your firewall is misconfigured.
 
LVL 14

Expert Comment

by:Don Thomson
ID: 40548832
If you do use RDP to access your servers, change the port in your firewall to something besides 3389. The firewall should allow you to remap the port back to 3389 automatically while still allowing your users to access the server through RDP. So if you changed the port that users will use to something like 2378, they would then access RDP by entering 1xx.2xx.3xx.4xx:2378 or yourdomain.com:2378
 
LVL 35

Assisted Solution

by:Kimputer
Kimputer earned 50 total points
ID: 40548836
Partially occupational hazard (like web access, it's a bit weird to change the port number to that), partially your own fault (RDP has no hammer protection), so as described above, use another port number (on the modem/router/firewall), but I prefer a MUCH higher number (in case of finding it through port scanning).
In a Windows 2003 environment I wrote a VBScript though to check the event log and block (or rather, route back to a non-working IP) the IP upon failing to log in a few times per xx minutes. Not sure I can adjust it to 2008, but with changing the port numbers, you shouldn't see this event at all (except by valid users, who made a typo during login).
 
LVL 5

Expert Comment

by:Sean Jackson
ID: 40548949
Block access from this IP at the firewall. Clearly the actions are unwanted.

I would create rules that auto-add IPs to blacklists when such behavior is noticed.
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 40548953
Unless you're expecting users from Germany, block the ISP/country at the firewall level.  If you can't, then get a better firewall.
 
LVL 4

Author Comment

by:fuzzyfreak
ID: 40549078
Thanks for your responses guys, let me take each one in turn -
Yes, this server is used for RDP but only internally - I am not sure how it is being accessed externally unless I have opened the same port on the firewall.
I will have to try and figure out how to change the RDP port on the server.
Blocking the IP is not an option as each time it changes.
Blocking Germany on my firewall is not an option as we travel internationally.
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 40549090
Use VPN.
 
LVL 5

Expert Comment

by:Sean Jackson
ID: 40549091
Create a script that auto-adds the IP to the firewall. Don't block all of Germany, save that behavior for China.
 
LVL 4

Author Comment

by:fuzzyfreak
ID: 40549092
http://support.microsoft.com/kb/306759/en-GB

I presume this article will work to change my port but how can you tell from my security event that port 3389 was being used?
Does the client need to know about this new port to be able to access the server via RDP?
 
LVL 4

Author Comment

by:fuzzyfreak
ID: 40549095
Please explain why I need to make changes to the firewall when this is an internal issue i.e. inside my firewall?
Not sure how VPN would help?
 
LVL 53

Accepted Solution

by:McKnife
McKnife earned 250 total points
ID: 40549106
There is some forwarding configured at your firewall or it is altogether opening that server to the internet - either way, it's misconfigured and needs to be reviewed. Your log shows it's logon type 10: Remote Interactive logon, which means someone is trying to abuse remote desktop.
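The event-log check Kimputer describes above and the logon type 10 reading McKnife gives, as an added example in Python (not code from the thread or from either expert): it parses exported 4625 "Event Xml" records in the layout the author posted and flags source IPs that fail RDP logons repeatedly within a short window, listing the user names tried so a dictionary attack stands out from a user mistyping a password. Function names, the threshold and window, and the sample records are assumptions.

```python
# Added example (not from the thread): parse exported 4625 "Event Xml" records like the one
# posted above and flag source IPs that repeatedly fail RDP logons (LogonType 10) in minutes.
from collections import defaultdict
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SUBSTATUS = {"0xc0000064": "unknown user name", "0xc000006a": "bad password"}

def parse_4625(xml_text):
    """Pull the fields a brute-force detector needs out of one 4625 event (None if not 4625)."""
    root = ET.fromstring(xml_text)
    if root.find("e:System/e:EventID", NS).text != "4625":
        return None
    data = {d.get("Name"): (d.text or "").strip() for d in root.find("e:EventData", NS)}
    ts = root.find("e:System/e:TimeCreated", NS).get("SystemTime")[:19]  # drop fraction and Z
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), "ip": data.get("IpAddress", "-"),
            "user": data.get("TargetUserName", ""), "logon_type": int(data.get("LogonType", "0")),
            "reason": SUBSTATUS.get(data.get("SubStatus", "").lower(), data.get("SubStatus", ""))}

def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: {failures, users}} for IPs with >= threshold type-10 failures inside window."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev and ev["logon_type"] == 10 and ev["ip"] not in ("-", ""):
            by_ip[ev["ip"]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):  # sliding window over the sorted timestamps
            hits = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            if len(hits) >= threshold:
                flagged[ip] = {"failures": len(hits), "users": sorted({e["user"] for e in hits})}
                break
    return flagged

def make_event(time, ip, user, logon_type=10, substatus="0xc0000064"):
    """Constructed 4625 record in the same Event Xml layout as the one posted in the thread."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4625</EventID>'
            f'<TimeCreated SystemTime="{time}Z" /></System><EventData>'
            f'<Data Name="TargetUserName">{user}</Data><Data Name="SubStatus">{substatus}</Data>'
            f'<Data Name="LogonType">{logon_type}</Data><Data Name="IpAddress">{ip}</Data>'
            '</EventData></Event>')
# Constructed sample: the posted source IP guessing five names in seconds, one LAN (type 3) miss, one typo.
SAMPLE = [make_event(f"2015-01-14T11:32:{50 + i:02d}", "31.193.139.222", u)
          for i, u in enumerate(["experience", "admin", "test", "backup", "scanner"])]
SAMPLE.append(make_event("2015-01-14T11:40:00", "192.0.2.10", "bob", logon_type=3))
SAMPLE.append(make_event("2015-01-14T11:41:00", "203.0.113.7", "alice", substatus="0xc000006a"))
if __name__ == "__main__":
    print(find_rdp_bruteforce([parse_4625(x) for x in SAMPLE]))
```

Point the parser at records exported from the Security log (Event Viewer's "Event Xml" view or a saved .xml export) and feed the flagged IPs to whatever blocking the firewall supports; the internal type 3 failure and the single mistyped password are deliberately left unflagged.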
 
LVL 4

Author Comment

by:fuzzyfreak
ID: 40549116
Thanks very much for that clarification. Yes, I have discovered port 3389 is open on the firewall. This does not necessarily mean it is misconfigured, but I do need to discover why that port has been opened and reconfigure. I'll get back once I have found out where this has been opened in the minefield that is my Sonicwall device.
 
LVL 14

Assisted Solution

by:Don Thomson
Don Thomson earned 150 total points
ID: 40549165
You don't have to change the port on the server. This means that your internal RDP users won't need to change the method they currently use.

In the firewall, change the external port to something other than 3389 but keep the internal port at 3389.

Any decent firewall or router will allow you to do this. This is often done where someone has multiple IP printers locally that they need to access when connected via RDP to an external system. Most printers use 515 or 9100 - if you assign each printer to a different external port, then anyone printing to the different port will get to the right printer, as the firewall is programmed to change the "different" port number back to the default for that printer but sends it to the correct IP for that printer.

If you're not sure why the port was opened, change the external port to 53389 -> ServerIP:3389

As soon as you do that, no one trying to access the server using port 3389 on the far side of your router/firewall will get any access. They will soon stop trying and go on to the next system. If a legitimate user tries to get in, you can tell them to add :53389 to the destination IP.
 
LVL 95

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 50 total points
ID: 40549323
A VPN requires only one port open on the firewall and requires authentication with the server. Opening ports opens doors to hackers. Changing the port to a non-standard one and forwarding does little to help. Many of the attack tools used would simply scan all ports and then attempt to connect via RDS or other protocols.

If you need to provide remote access, then you need to ensure your company is using all the best practices it can to secure the network.  A VPN would be safer than simply port forwarding your RDP protocol.  I don't know what your company does, but if you don't have people CURRENTLY in Germany, block them for the moment - you can always unblock later.

You should also consider getting the appropriate licenses to use Direct Access and other more advanced mechanisms to secure the network.
 
LVL 4

Author Comment

by:fuzzyfreak
ID: 40549325
Great advice, thanks, but now I have discovered which internal servers Terminal Services (and therefore port 3389) is open for. We use VPN for remote access so I am not sure if I need this port open on any of these servers... however I did just get one of our external consultants asking why their RDP access to one of our servers has just stopped working (oops). I may need to give them VPN access so I can close off this port.
 
LVL 4

Author Closing Comment

by:fuzzyfreak
ID: 40561585
Port plugged, issue gone, thank you all very much for your help and education on this matter!