1000 of failure audits, I think I am being attacked!

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • 1000 of failure audits, I think I am being attacked!

    I checked the event log of an account I just took over and see 1000's of failed audits in the event log dating back to 2007!! Shows that the previous admin paid attention. Anyway, the screenshots below show you. The user name changes to all kinds of common names (in the picture "zack" & "administrator"); you will see joe, sharon, bob, bill etc.... The administrator account was renamed years ago, so we are safe on that.

    This is a Windows Server 2003 Standard w/ SP2 installed. It is currently running Exchange, DNS, DHCP, file shares, and the Backup Exec 12 remote agent.

    Looks like IIS is being attacked. Any clues how to harden this? Maybe even on my firewall. I can't really see the source, though, so it's hard to troubleshoot.

    Last edited by brcmadmin; 20th August 2008, 16:26. Reason: This is not an SBS server, I was just really tired when I wrote this up.
    Be easy on me, I'm here to learn

  • #2
    Re: 1000 of failure audits, I think I am being attacked!

    First of all, check your internal network. Some of your stations save old passwords, and these then show up in the audit log as security failures.
    On each workstation, go into Control Panel / User Accounts / Manage Passwords and delete any saved passwords there.
    If that doesn't improve the situation, check for any external stations/laptops that try to connect externally and have stored OLD passwords.

    HTH
    TIA

    Steven Teiger [SBS-MVP(2003-2009)]
    http://www.wintra.co.il/
    I'm honoured to have been selected for the SMB 150 list for 2013. This is the third time in succession (no logo available for 2011) that I have been honoured with this award.

    We don't stop playing because we grow old, we grow old because we stop playing.

    • #3
      Re: 1000 of failure audits, I think I am being attacked!

      1. Have a look here for an explanation of the various logon types: http://www.windowsecurity.com/articles/Logon-Types.html

      2. These attempts are coming in to IIS, so this is someone trying to access your server from the internet. This is pretty common because the web service on your server is exposed to the internet. Event ID 529 signifies a failed logon, so you haven't been breached... yet. Look at the W3SVC1 (W3SVC2, etc.) logs on the server and you'll see the logon attempts and the IP address(es) they originated from. You can then block these IP addresses at your firewall or block them in IIS.

      3. Set up an event log monitor on your server that can send you an email alert based on certain events, so that you'll know when this is happening in real time. You could also see if your firewall has any IDS capability, or you could look at setting up an IDS to detect this kind of activity.

      • #4
        Re: 1000 of failure audits, I think I am being attacked!

        Originally posted by teiger:
        First of all, check your internal network. Some of your stations save old passwords and then it shows up in the audit log as security failures.
        On each workstation, go into Control Panel/ User accounts/Manage Passwords and delete any saved passwords there.
        If that doesn't improve the situation, check for any external stations/laptops that try to connect externally and have stored OLD passwords.

        HTH
        There are 1000's of different user names in the logs. Most have never been used in my environment. So I am thinking this is not an issue.

        • #5
          Re: 1000 of failure audits, I think I am being attacked!

          Please read my post and follow the recommendations. You'll find what you're looking for.

          • #6
            Re: 1000 of failure audits, I think I am being attacked!

            Yeah, I was going to give that a try and post the results, thanks again!

            • #7
              Re: 1000 of failure audits, I think I am being attacked!

              Originally posted by joeqwerty:
              Please read my post and follow the recommendations. You'll find what you're looking for.
              So I only have two sites running on this DC: the default site and Symantec Mail Security for Exchange.

              I looked in the logs for the default site, and the latest entry is from 2005 (logging was enabled).

              Under SMSFE I found tons of logs. So I picked a particular day and did a search for one of the user names in the failed audits for that day, and I don't see anything.

              • #8
                Re: 1000 of failure audits, I think I am being attacked!

                Probably it's a script running against your IIS server.
                Although I know this is SBS, running IIS on a DC exposed to the Internet is generally not a good idea.

                How did you setup your firewall?
                What kind of firewall do you have?
                Marcel
                Technical Consultant
                Netherlands
                http://www.phetios.com
                http://blog.nessus.nl

                MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                "No matter how secure, there is always the human factor."

                "Enjoy life today, tomorrow may never come."
                "If you're going through hell, keep going. ~Winston Churchill"

                • #9
                  Re: 1000 of failure audits, I think I am being attacked!

                  Originally posted by Dumber:
                  Probably it's a script running against your IIS server.
                  Although I know this is SBS, generally running IIS on a DC against the Internet is not a good idea.

                  How did you setup your firewall?
                  What kind of firewall do you have?

                  I posted in the wrong section, this is actually Windows Server Standard 2003.

                  The firewall was set up by someone else. I just took on the account, so I'm kind of auditing everything; obviously the previous guy wasn't paying attention if he didn't see these events dating back to early 2007.

                  SonicWall TZ190, standard OS

                  • #10
                    Re: 1000 of failure audits, I think I am being attacked!

                    So since this isn't SBS, why are you running IIS on a DC which has been published (some way) on the outside?
                    Marcel

                    • #11
                      Re: 1000 of failure audits, I think I am being attacked!

                      Moving to the Windows Server forum (It's not SBS!)
                      TIA

                      Steven Teiger [SBS-MVP(2003-2009)]

                      • #12
                        Re: 1000 of failure audits, I think I am being attacked!

                        Originally posted by teiger:
                        Moving to the Windows Server forum (It's not SBS!)

                        Thank you.

                        IIS is running for Symantec Mail Security for Exchange.

                        • #13
                          Re: 1000 of failure audits, I think I am being attacked!

                          But why is it published to the internet then?
                          Marcel

                          • #14
                            Re: 1000 of failure audits, I think I am being attacked!

                            Originally posted by Dumber:
                            But why is it published to the internet then?
                            I take that back, it is not Symantec Mail Security. It is my default site in IIS, which is on ports 80 & 443. Looks to be my OWA. How would I log the source IP so I can block it?
                            Last edited by brcmadmin; 26th August 2008, 17:48.

                            • #15
                              Re: 1000 of failure audits, I think I am being attacked!

                              Look at the IIS logging. However, I still don't understand why you have your DC published to the internet.
                              Marcel
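Both joeqwerty's reply (#3) and Marcel's (#15) point at the IIS logs as the place to find the source addresses behind the Event ID 529 entries. As an added example that is not part of the thread, the Python below parses the W3C extended log format that IIS 6 writes into the W3SVC1 folder, tallies 401 (authentication failed) responses per client IP and lists the sources over a threshold, which is the list you would hand to the firewall. The log lines, addresses and user names are constructed, and the field set assumes the default IIS 6 logging options with cs-username and c-ip enabled.

```python
from collections import Counter, defaultdict

# Constructed IIS 6 W3C log (not from the poster's server); columns follow "#Fields:".
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Date: 2008-08-20 00:00:01
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-08-20 00:00:01 192.0.2.10 GET /exchange - 443 zack 203.0.113.5 Mozilla/4.0 401 1 0
2008-08-20 00:00:02 192.0.2.10 GET /exchange - 443 joe 203.0.113.5 Mozilla/4.0 401 1 0
2008-08-20 00:00:03 192.0.2.10 GET /exchange - 443 administrator 203.0.113.5 Mozilla/4.0 401 1 0
2008-08-20 00:00:04 192.0.2.10 GET /exchange - 443 sharon 203.0.113.5 Mozilla/4.0 401 1 0
2008-08-20 00:05:00 192.0.2.10 GET /exchange - 443 - 198.51.100.7 Mozilla/4.0 401 2 0
2008-08-20 00:05:01 192.0.2.10 GET /exchange - 443 CORP\\alice 198.51.100.7 Mozilla/4.0 200 0 0
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in '#Fields:'."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # header can recur after a log rollover
            continue
        if not line or line.startswith("#"):
            continue                       # other directives and blank lines
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue                       # malformed line: skip it, do not guess
        yield dict(zip(fields, parts))

def failed_logons_by_ip(text):
    """Map c-ip -> (number of 401 responses, set of usernames it tried)."""
    hits, names = Counter(), defaultdict(set)
    for rec in parse_w3c(text):
        if rec.get("sc-status") == "401":
            hits[rec["c-ip"]] += 1
            names[rec["c-ip"]].add(rec["cs-username"])
    return {ip: (n, names[ip]) for ip, n in hits.items()}

def suspicious_sources(text, threshold=3):
    """Client IPs with more than `threshold` 401s, busiest first."""
    # A legitimate Integrated Windows auth handshake also answers 401 before the 200,
    # so one 401 is normal; a run of them with rotating names from one address is not.
    stats = failed_logons_by_ip(text)
    return sorted((ip for ip, (n, _) in stats.items() if n > threshold),
                  key=lambda ip: -stats[ip][0])

if __name__ == "__main__":
    stats = failed_logons_by_ip(SAMPLE_LOG)
    for ip in suspicious_sources(SAMPLE_LOG):
        print(f"{ip}: {stats[ip][0]} failed logons, names {sorted(stats[ip][1])}")
```

Point it at the real files by reading each ex*.log in the W3SVC1 folder and feeding the text to suspicious_sources; the threshold is a tuning knob, not a fixed rule.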
