login attacks - need advice

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • login attacks - need advice

    Hello everyone... just found this forum. I've got a problem with server security... and I know little on the subject and could use some advice.

    Recently my server (Windows 2003, running IIS6) has been the victim of massive login attacks... by that I mean the event viewer shows a massive number of failed login attempts, often thousands at a time! Here is an example of one of those events:

    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: Admin
    Domain: AXXXXXX
    Logon Type: 8
    Logon Process: IIS
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name: BXXXXXX
    Caller User Name: BXXXXXX$
    Caller Domain: AXXXXXX
    Caller Logon ID: (0x0,0x3E7)
    Caller Process ID: 1812
    Transited Services: -
    Source Network Address: -
    Source Port: -

    The user 'Admin' does not exist on my system, the user 'adam' (also non-existent) was tried about a thousand times before this one. My guess is that whatever is attacking my server is just going through the alphabet trying to find a user/password combination to get into the server. However, I have no idea what to do about it. I don't even know where it's coming from, as the event viewer doesn't show the IP address of the source (which it usually does). Are there other logs that I could look into that might give me more information? Are there ways to automatically block sources that make too many failed login attempts? Is there anything at all that I can do to fight this? I'm afraid they'll eventually get in (if they haven't already), and even if they don't get in... the barrage of login attempts is really slowing down my server. Any advice would be appreciated.

  • #2
    Re: login attacks - need advice

    Here's a load of questions for you:
    • Do you think the attacks are coming from the internal or external network?
    • Is this server servicing requests from the internet?
    • Is the server's software firewall turned on and logging connection information? If not, can you activate it and begin to collect information?
    • Is the server protected by a hardware firewall on the network and if so do you think that any of this malicious traffic would be crossing the firewall? (I.e. if the traffic is from the internet but crosses a DMZ or internal firewall to get to your server). If so, check those logs.
    • You could run Wireshark on the server to see where incoming requests are coming from or go one step further and mirror the switch port that the server is connected to and pump the stream into some kind of traffic monitoring server (either Wireshark as mentioned above or something like Snort).


    There may be logs specific to IIS that have this information, but since I'm unfamiliar with IIS I can't point you to them. I'm sure someone else on this forum can, however. If this is an important server I'd consider taking it down immediately while you investigate the source of the problem (I know that might not be possible). Make sure you thoroughly check the server for any kind of malware and rootkits. Maybe do an offline scan using a boot CD.

    Let us know what you find!
    Last edited by Nonapeptide; 8th August 2008, 03:42.
    Wesley David


    • #3
      Re: login attacks - need advice

      Someone is trying to access your server through IIS. You can temporarily stop this by either disabling HTTP access to this server at your firewall or by stopping the IIS service on this server. Look in your WWW logs (hopefully you are logging this) and look for the offending logon attempt and IP address (again assuming you're logging this). Also take a look here for a handy logon type reference:

      http://www.windowsecurity.com/articles/Logon-Types.html



      • #4
        Re: login attacks - need advice

        Hey, thanks for the responses. I'll try to answer the questions you raised as best I can. Just to explain, I'm not a systems administrator by any means, but I've been thrust into that position because of lack of personnel (I'm really just a PHP programmer)... so I apologize in advance for being ignorant on this stuff. We're running a very small operation here... hosting a few websites on one server for a department at the university I'm attending. This isn't high priority stuff really, but we've been getting complaints from the university network administrators about the traffic on our server (due to the attacks). It's also very possible that the server has been infected with something as well... though I've run as many scans as I can find and haven't really found anything. As for the questions:

        • Do you think the attacks are coming from the internal or external network?

        I'm not sure, it could be either. My guess is that it's coming from an external source though.

        • Is this server servicing requests from the internet?

        Yes, we host a few websites that are accessible from the internet.

        • Is the server's software firewall turned on and logging connection information? If not, can you activate it and begin to collect information?

        I don't think there is any firewall turned on, which I know is not a good thing. I've been wanting to do that... but again I'm not familiar with any of that. I know I would need to find out what ports were needed and block all the rest... but I'm not sure how to find out that information. Also I've heard that I shouldn't use the Windows firewall... but I'm pretty sure we're not going to buy one... not a lot of money around here...
        • Is the server protected by a hardware firewall on the network and if so do you think that any of this malicious traffic would be crossing the firewall? (I.e. if the traffic is from the internet but crosses a DMZ or internal firewall to get to your server). If so, check those logs.

        I really don't know how this connection relates to the university network. I mean obviously our server has an address accessible from outside the network... but I don't think there's any hardware firewall anywhere.
        • You could run Wireshark on the server to see where incoming requests are coming from or go one step further and mirror the switch port that the server is connected to and pump the stream into some kind of traffic monitoring server (either Wireshark as mentioned above or something like Snort).

        Thanks for the tip. I'll look into Wireshark and try to get more information when the attacks start again (they come and go... I haven't seen any for a couple of days).



        • #5
          Re: login attacks - need advice

          Do I understand you don't have a firewall in front of your webserver?
          Oh my....

          Also reporting the IP won't have much use most of the time. Often the attacking client is compromised.

          Ok... My recommendation;
          Check out if you have a firewall in front; if not, temporarily enable the Windows Firewall. Although this one isn't very good, it's better than nothing.
          Next, start looking for a decent firewall, e.g. ISA, Check Point or a PIX/ASA. There are some others but these are the ones I know are good.
          If you don't have the money to buy a decent firewall then have a look at Smoothwall. Nice firewall, free, but IMO a bit slow.

          When there is a firewall in place, start looking at your logs and start monitoring the traffic from and to the webserver.
          Run a netstat -an to find out which ports are open and watch for any strange ports or ports you didn't allow, e.g. port 21 is listening but you didn't install an FTP server.
          Also start file auditing to see if anyone (un)successfully opens/runs a file.
          See if there are unusual login attempts.
          Last edited by Dumber; 8th August 2008, 21:53.
          Marcel
          Technical Consultant
          Netherlands
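
The netstat -an check from post #5, as an added example (not the poster's code): it parses Windows-style netstat output and reports every listening socket that is not on an allowlist the admin writes down, plus anything on the allowlist that is not actually listening. The NETSTAT_OUTPUT text and the ALLOWED_LISTENERS set are constructed for the example; on the real server you would run `netstat -an > netstat.txt` and feed that file in.

```python
"""Compare `netstat -an` output against an allowlist of expected listeners.

Added example, not from the thread. NETSTAT_OUTPUT is constructed in the
Windows netstat format; addresses and ports are made up. On the server:
`netstat -an > netstat.txt`, then pass the file contents to
unexpected_listeners().
"""

# Constructed sample shaped like Windows 2003 `netstat -an` output.
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:80            203.0.113.77:51234     ESTABLISHED
  TCP    10.0.0.5:80            203.0.113.77:51235     TIME_WAIT
  UDP    0.0.0.0:161            *:*
"""

# Assumed allowlist for a small web server: HTTP, HTTPS and RDP for admin.
# Adjust to the roles the box really serves; everything else should be closed
# or blocked at the firewall.
ALLOWED_LISTENERS = {("TCP", 80), ("TCP", 443), ("TCP", 3389)}


def _port(addr):
    """Return the numeric port from 'ip:port' or '[v6addr]:port'."""
    return int(addr.rsplit(":", 1)[1])


def listening_sockets(text):
    """Return a set of (proto, port) for TCP LISTENING sockets and all bound UDP sockets."""
    found = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or not a socket row
        proto, local = parts[0], parts[1]
        if proto == "TCP":
            # Only LISTENING rows matter here; ESTABLISHED/TIME_WAIT are client traffic.
            if len(parts) >= 4 and parts[3] == "LISTENING":
                found.add((proto, _port(local)))
        else:
            # UDP rows carry no state column; a bound UDP socket is effectively a listener.
            found.add((proto, _port(local)))
    return found


def unexpected_listeners(text, allowed=ALLOWED_LISTENERS):
    """Listening sockets that are not on the allowlist (e.g. port 21 with no FTP server installed)."""
    return sorted(listening_sockets(text) - set(allowed))


def missing_listeners(text, allowed=ALLOWED_LISTENERS):
    """Allowlisted services that are not actually listening (catches a service that silently died)."""
    return sorted(set(allowed) - listening_sockets(text))


if __name__ == "__main__":
    for proto, port in unexpected_listeners(NETSTAT_OUTPUT):
        print(f"unexpected {proto} listener on port {port}")
    for proto, port in missing_listeners(NETSTAT_OUTPUT):
        print(f"expected {proto} listener on port {port} is not running")
```

Run it once on a known-good day to build the allowlist, then rerun after changes; a new entry in the unexpected list is exactly the "port 21 but no FTP server" signal the post describes. netstat does not say which process owns a port, so follow up on surprises with `netstat -ano` and the Task Manager PID column.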



          • #6
            Re: login attacks - need advice

            Workstation Name: BXXXXXX
            Caller User Name: BXXXXXX$
            Caller Domain: AXXXXXX
            What do these tell you? are these ones internal or external?


            I would also enable IIS logging:

            http://support.microsoft.com/kb/313437

            This will allow you to see all requests sent to your IIS server. It will give you the IP address of the person sending the credentials, which will then allow you to block their IP.

            http://www.microsoft.com/technet/pro....mspx?mfr=true
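
Posts #3 and #6 both point at the IIS logs as the place the source address will turn up. That matches the event in the first post: Logon Type 8 is NetworkCleartext, the logon type IIS Basic authentication produces, and the logon is requested by the IIS process itself (Caller Logon ID 0x3E7 is the local SYSTEM session), which is why the Security log carries no network address. The script below is an added example, not code from any poster: it parses a few constructed IIS 6 W3C log lines (the addresses, usernames and timestamps are made up), counts 401.1 responses (credentials rejected; sc-win32-status 1326 is ERROR_LOGON_FAILURE, the same "unknown user name or bad password" reason the event log shows) per client address, and lists the addresses over a threshold so they can be blocked at a firewall. The threshold value and the allow-list of fields are assumptions.

```python
"""Find brute-force sources in IIS 6 W3C extended logs.

Added example, not from the thread. Assumes W3C logging is enabled and the
#Fields line includes cs-username, c-ip, sc-status and sc-substatus. The
SAMPLE_LOG text is constructed: addresses, users and times are made up.
"""
from collections import Counter, defaultdict

# Constructed sample in IIS 6 W3C format. Column order is read from the
# #Fields directive, so the parser never hard-codes positions. IIS writes '+'
# for spaces inside the User-Agent field, so whitespace splitting is safe.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-08-07 02:10:05
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-08-07 02:10:05 10.0.0.5 GET /admin/ - 80 - 203.0.113.77 Mozilla/4.0+(compatible) 401 2 2148074254
2008-08-07 02:10:05 10.0.0.5 GET /admin/ - 80 adam 203.0.113.77 Mozilla/4.0+(compatible) 401 1 1326
2008-08-07 02:10:06 10.0.0.5 GET /admin/ - 80 adam 203.0.113.77 Mozilla/4.0+(compatible) 401 1 1326
2008-08-07 02:10:06 10.0.0.5 GET /admin/ - 80 Admin 203.0.113.77 Mozilla/4.0+(compatible) 401 1 1326
2008-08-07 02:10:07 10.0.0.5 GET /index.php - 80 - 198.51.100.9 Mozilla/5.0+(Windows) 200 0 0
2008-08-07 02:10:08 10.0.0.5 GET /admin/ - 80 jsmith 198.51.100.9 Mozilla/5.0+(Windows) 401 1 1326
"""


def parse_w3c(text):
    """Parse W3C extended log text into a list of dicts keyed by field name."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def failed_logins(records):
    """Map c-ip -> Counter of usernames whose credentials IIS rejected.

    Only 401 with substatus 1 (logon failed) counts. A 401.2 is the challenge
    IIS returns before any credentials are sent, so it is not an attempt.
    """
    by_ip = defaultdict(Counter)
    for r in records:
        if r.get("sc-status") == "401" and r.get("sc-substatus") == "1":
            by_ip[r["c-ip"]][r.get("cs-username", "-")] += 1
    return by_ip


def suspicious_ips(records, threshold=50):
    """Return [(ip, failed_attempts, distinct_usernames)] for addresses at or over threshold.

    Sorted by attempt count (descending) then address, so the worst offender
    is first. threshold=50 is an assumed default; tune it to the site.
    """
    out = []
    for ip, users in failed_logins(records).items():
        total = sum(users.values())
        if total >= threshold:
            out.append((ip, total, len(users)))
    out.sort(key=lambda t: (-t[1], t[0]))
    return out


if __name__ == "__main__":
    for ip, total, distinct in suspicious_ips(parse_w3c(SAMPLE_LOG), threshold=3):
        print(f"{ip}: {total} rejected logons across {distinct} usernames")
```

Feed it the whole ex*.log file from the IIS log directory rather than the sample; a single address cycling through many usernames (high distinct count) is the alphabet-walk the first post describes, while one username with a handful of failures is usually a person mistyping a password. As post #5 notes, the address is often a compromised client, so block it and move on rather than expecting a report to reach the owner.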
