BEUSER

Hi,
 
I have a Windows 2008 server (domain joined). As you can see in the events listed below, unknown user account 'beuser' has successfully logged in to the Terminal server from IP address 85.31.101.229 using port 50227 with Workstation Name "ШУРА-ПК".
Clearly this user name BEUSER does not exist in Active Directory. When I run IP Trace, it says: Continent: Europe (EU), Country: Latvia, and we don't have any computer user living outside the US.

How is it possible for anyone to log in with this user account?
Is port 50227 designed to accept BEUSER?

I have a Linksys Router that does NAT and port forwarding, and I run Backup Exec software on the Domain Controller.

Can you help?

-----------------------------------------------
An account was successfully logged on.

Subject:
      Security ID:            NULL SID
      Account Name:            -
      Account Domain:            -
      Logon ID:            0x0

Logon Type:                  3

New Logon:
      Security ID:            Domain_Name\BEUser
      Account Name:            BEUser
      Account Domain:            NHECO
      Logon ID:            0x147e7e
      Logon GUID:            {00000000-0000-0000-0000-000000000000}

Process Information:
      Process ID:            0x0
      Process Name:            -

Network Information:
      Workstation Name:      ШУРА-ПК
      Source Network Address:      -
      Source Port:            -

Detailed Authentication Information:
      Logon Process:            NtLmSsp
      Authentication Package:      NTLM
      Transited Services:      -
      Package Name (NTLM only):      NTLM V2
      Key Length:            128
-----------------------------------------------------------------
Network Information:
      Network Address:      85.31.101.229
      Port:                  50227
-------------------------------------------------------------
sglee Asked:
Cliff Galiher Commented:
"Clearly this user name BEUSER does not exist in Active Directory. "

Nothing in your post "clearly" proved that this user does not exist. And in fact, the evidence posted is that this user account does exist.

My guess is that BE stands for Backup Exec and installing backup exec created the user. And either due to bugs in BE (none public that I could find) or by lax security practices in the environment, a compromise has since occurred.  

If this Latvian hacker has since had domain admin/system level access to the domain controller, you're basically looking at a painful full domain rebuild from scratch.

sglee (Author) Commented:
My bad. BEUSER is in Active Directory.
Can I block access from IP address 85.31.101.229 and shut down port number 50227?
Cliff Galiher Commented:
You can, but if they already logged in and BEUser runs under the system context (not uncommon for backup agents to do their thing), then chances are the damage is done. They could've opened a ton of other back doors and compromised systems given the situation.

The real question becomes why this was open in the first place. Again, lax security posture. Or did the person already have some other access to get that port open? Too many unknowns. This would need a full forensic investigation at this point. It isn't a small thing that has happened here. That is a successful logon from a known bad actor with very likely elevated privileges.
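The triage Cliff is doing by eye (network logon, service-style account, foreign source address, odd workstation name) can be automated over exported 4624 event text. The script below is an added example, not part of the thread; the internal address ranges, the service-account prefixes and the merged sample event are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample modelled on the 4624 event in the question, with the
# address/port the asker posted separately folded into Network Information.
SAMPLE_EVENT = """An account was successfully logged on.
Logon Type:                  3
New Logon:
      Security ID:            Domain_Name\\BEUser
      Account Name:            BEUser
Network Information:
      Workstation Name:      ШУРА-ПК
      Source Network Address:      85.31.101.229
      Source Port:            50227
Detailed Authentication Information:
      Authentication Package:      NTLM
"""
# Assumption: the organisation's internal ranges and service-account prefixes.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SERVICE_NAME = re.compile(r"^(be|svc|backup)", re.IGNORECASE)


def parse_event(text):
    """Parse 'Section:' headers and indented 'Field: value' lines into {section: {field: value}}."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        key, sep, value = raw.partition(":")
        if not sep:
            continue  # free-text description line, not a field
        key, value = key.strip(), value.strip()
        if not raw[0].isspace() and not value:
            current = key  # e.g. 'New Logon:' opens a new section
            sections.setdefault(current, {})
        else:  # unindented 'Logon Type: 3' is top-level; indented lines belong to the section
            sections[current if raw[0].isspace() else ""][key] = value
    return sections


def triage_logon(event):
    """Return the reasons a parsed 4624 event deserves an analyst's attention ([] if none)."""
    new, net = event.get("New Logon", {}), event.get("Network Information", {})
    account, src = new.get("Account Name", ""), net.get("Source Network Address", "-")
    reasons = []
    if src != "-" and not any(ipaddress.ip_address(src) in n for n in INTERNAL_NETS):
        reasons.append(f"logon from {src}, outside the internal ranges")
    if reasons and event[""].get("Logon Type") == "3" and SERVICE_NAME.match(account):
        reasons.append(f"service-style account {account} used for a network logon from outside")
    if not net.get("Workstation Name", "-").isascii():
        reasons.append("workstation name is not ASCII; unlikely to be a managed host")
    return reasons
```

Run `triage_logon(parse_event(SAMPLE_EVENT))` and all three flags fire on the posted event; a type-3 logon by an ordinary user from an internal address with an ASCII hostname returns an empty list.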
btan (Exec Consultant) Commented:
I suggest you manage the remote access closely. See example.
https://security.berkeley.edu/resources/best-practices-how-articles/securing-remote-desktop-rdp-system-administrators

Have such remote access enforce 2FA authentication. E.g. RD Gateways do provide a simple mechanism for controlling authentication via two-factor certificate-based smartcards. Other two-factor approaches need another approach at the Remote Desktop host itself, e.g. YubiKey, RSA.

Using an RDP Gateway is strongly recommended. It provides a way to tightly restrict access to Remote Desktop ports while supporting remote connections through a single "Gateway" server.

If Remote Desktop is not used for system administration, remove all administrative access via RDP and only allow user accounts requiring RDP service. To control access to the systems even more, using “Restricted Groups” via Group Policy is also helpful.

Windows 7 and Windows Server 2008 also provide Network Level Authentication (NLA) by default. It is best to leave this in place, as NLA provides an extra level of authentication before a connection is established. You should only configure Remote Desktop servers to allow connections without NLA if you use Remote Desktop clients on other platforms that don't support it.

PS, ШУРА-ПК means SHURA-PC. Seems to suggest an Arabic PC. Since it is a login, I believe the account was likely compromised using some default password etc. Change to a strong passphrase.
https://www.experts-exchange.com/articles/18309/Choosing-an-easy-to-remember-strong-password.html