Flood of 529 errors in security log

[laytoncy]

Today at 11:10am EST we received about 110 attacks from different user names like admin, ftp, mail, sales and so on. I've pasted the event id properties below. We do have port 25 and 443 open and I'm guessing it could be an attack on Remote Web Workplace. Any ideas on what this is and how I can stop these attacks? Any help is greatly appreciated. Thanks

Logon Failure:
Reason: Unknown user name or bad password
User Name: sales
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVERNAME
Caller User Name: SERVERNAME$
Caller Domain: DOMAINNAME
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 2156
Transited Services: -
Source Network Address: -
Source Port: -

 

[ShackDaddy]

Those sound to me more like SMTP authentication attacks, but I'm a little confused since there is no Source Network Address listed. Hopefully that doesn't mean that there is already a compromised service on this server that the attacks are being generated from.

I think what I'd do if I were you is make extra sure that all users are using strong passwords. This attack seems to only be targeting the most common account names, so it's not a full brute-force attack and is very unlikely to succeed unless you have a "sales" account with a "password" or "sales" password.

What kind of firewall do you have?

Did you load the recent RDP patch on your server? There's a new notorious RDP exploit as of a few weeks ago that can take over a server via RDP with no authentication.

Dave Shackelford
ThirdTier.net
TrainSignal.com

 

[laytoncy]

Thank you for the reply. I thought it was weird as well since there was not IP listed. All users are using strong passwords and there is no sales account. All the accounts used in this attack were from accounts that don't exist on the server except for the Administrator account. There is a Cisco ASA 5505 used on site as a firewall. The server is up to date and the RDP patch was applied. I was having RDP attacks and found that when it was originally setup (not by me) port 3389 was used/open. I've since redirected that with PAT so those attacks have stopped. But this one I can't seem to stop.

 

[kurio71]

Failed network authentication attempt with no source network or port address. Backup and run a bootable malware scanner on the server.

Level 1 Support Technician

 

[laytoncy]

Do you recommend any bootable malware scanners? I ran malware bytes anti-malware although it's not for sbs 2003 it found nothing. I did run TDSSKiller and it found sbscrexe.exe which is for licensing and will reboot your server if it is not promoted to a DC. I found a thread on this forum that marked it as a rootkit. I don't see this as being a rootkit unless this process has been replaced by a rootkit.

 

[ShackDaddy]

I wouldn't consider this malware. It seems more like some service that has public exposure (IIS or SMTP) is having an exploit run against it that allows dictionary attacks. The fact that no network IP is listed does not mean that the server has been owned yet. One thing you can do is try to compare the process listed in the error with process list in TaskManager on the server. Unless you are seeing a very recent error, the process IDs may have changed, but it would point you to the exact process if it were recent.

See this thread:

http://blogs.msdn.com/b/puneetgupta...name-or-bad-password-inetinfo-exe-advapi.aspx

I would make sure that port 80 is not published anymore to the public (you really only need 443 for normal SBS functions and port 80 has more vulnerabilities) and make sure that the server if fully patched and that strong passwords have been set on all service accounts.

Dave Shackelford
ThirdTier.net
TrainSignal.com

 

[laytoncy]

Port 80 is not and as far as I'm aware never been published to the public. 443 and 25 are the only ones besides ports that are redirected for rdp. I have a recent error from today that is pointing to PID 2128 which is inetinfo.exe. This was this morning for 2 minutes all using user name of john then john@domainname.com. There was a user account with the name of john and the email address did exist. That user account and email address no longer exist.

The server is fully patched and strong passwords are set.

 

[laytoncy]

I have had 5 attacks today from %usernam% not %username%. The same PID 2128 which is inetinfo.exe. I tried accessing RWW and put in a user name and password, both that I knew were incorrect and it went to PID 8232 w3wp.exe. So, these attacks are not from someone attempting to logon via RWW. At least that is the way it looks.

 

[kurio71]

I was thinking rootkit that's why I suggested a bootable malware scanner but from ShackDaddy advice sounds like it's an external attack.

Level 1 Support Technician

 

[ShackDaddy]

Try authenticating a few different ways, like to OWA and ActiveSync and see which process reports the logon failure, and whether there is a source network address reported.

Dave Shackelford
ThirdTier.net
TrainSignal.com

 

[laytoncy]

I tried OWA and it does show the IP address and it shows PID 7896 and that is w3wp.exe as well. This is what I get from failed OWA login. Notice the logon type is 8 and what I'm experiencing now is 3.

Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator
Domain: domainname
Logon Type: 8
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: servername
Caller User Name: servername$
Caller Domain: domainname
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 7896
Transited Services: -
Source Network Address: x.x.x.x
Source Port: 64644

I know it is not ActiveSync because I had a user that needed to turn in his phone and I had changed his password and all the while his phone was trying to retrieve emails it reported a failure and it did record an IP address.

 

[kurio71]

FYI
"This logon type indicates a network logon like logon type 3 but where the password was sent over the network in the clear text. Windows server doesn’t allow connection to shared file or printers with clear text authentication. The only situation I’m aware of are logons from within an ASP script using the ADVAPI or when a user logs on to IIS using IIS’s basic authentication mode. In both cases the logon process in the event’s description will list advapi. Basic authentication is only dangerous if it isn’t wrapped inside an SSL session (i.e. https). As far as logons generated by an ASP, script remember that embedding passwords in source code is a bad practice for maintenance purposes as well as the risk that someone malicious will view the source code and thereby gain the password"

Level 1 Support Technician

 

[bjf2000]

laytoncy, here's something you can try to simulate it:

http://www.kongtechnology.com/2008/01/27/smtp-authentication-and-send-emails-using-telnet

For me, against SBS 2003, the requirements differed slightly. After connecting:

ehlo
auth login

Note that it's "ehlo" and not "helo." After entering random chars for the email and password, it came back and told me authentication failed. I then went to the event log and found exactly the type of event seen in one of these attacks.

I don't know what their goal is, but I'm guessing they're looking for a way to relay mail. Or can SMTP be leveraged to hack the whole box?

A couple related links I came across:

There may be some things to do here re NTLM, but I haven't tried them yet:

http://www.eventid.net/display.asp?eventid=529&eventno=1&source=Security&phase=1

Test if you're an open relay (we're not):

http://www.mxtoolbox.com/diagnostic.aspx

 

[laytoncy]

Thank you and everyone else for all the help.
Well we're not an open relay either and I'll look at the post about NTLM.

I did try to Telnet to the server and could not establish a connections. I started telnet and used "open mail.domainname.com 25". I received "Could not open connection to the host, on port 25: Connection failed." I tried on port 443 as well and it tried for a while then said press any key to continue then when I hit enter it just says "Connection lost". I'm not seeing anything on my logs so it seems it is not getting past the Cisco ASA.

I'm looking for other things to try to find out what they're trying to use. The attacks are becoming very infrequent but are still happening. Had about 50 today in about 1 minute but that was the first time in about a week. I'm still trying to find out what is going on with the attacks.

 

[bjf2000]

The Cisco is setup to block telnet, I guess? But if you were able to do it, you'd see the same event that you posted, except for it having the gibberish username you would have typed into telnet. It even has whatever PID is tied to inetinfo.exe.

 

[laytoncy]

So, yeah I can't telnet to port 25 because my ISP blocks port 25. I have a remote machine I can connect to and use it to try and telnet into port 25. I was able to connect that way. But like you said the user name is gibberish. It appears that someone is trying to auth SMTP to maybe use the machine to send email. Not sure there is anything I can do about this one. Unless someone knows what to do about this type of attack. I need port 25 for mail. I guess I just need to keep strong passwords.

 

[laytoncy]

I used the base64 encoding tool and typed in admin and then encoded it. Pasted that code to the telnet session and voila I had a failed auth as "admin"...