Help with ID-529 Logon Failure Message

uptime
I need help with what certainly appears to be a hacking attempt on a Windows 2003 SBS. The event viewer shows 750 failed logons over a period of approximately a minute and a half. All the User Names are different, but other than that the entries are identical. Here's a copy of one of the event viewer security log entries:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 12/20/2006
Time: 12:49:13 PM
User: NT AUTHORITY\SYSTEM
Computer: SBSSERVERNAME
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: claudia
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SBSSERVERNAME
Caller User Name: SBSSERVERNAME$
Caller Domain: OURDOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 2084
Transited Services: -
Source Network Address: -
Source Port: -

I have changed the server name and domain name for the obvious reasons. I am way over my head on this. Can anyone point me in the right direction? Does the logon process, the authentication package, the caller logon id or caller process id help to identify how or where they were attempting to get in? I can't find any log file entries that coincide with the time of the attack. Ideally I would like to identify the IP address of the originator. Any assistance would be greatly appreciated.
 
That KB does not apply. It was a one-time occurrence (so far anyways, thankfully), it all happened in a minute and a half, and it was 750 different user names. I'm pretty sure that points to an attack. Thanks for the suggestion. Any other thoughts?
 
Apparently numerous user names in a short period are normal for Advapi when associated with an IIS web server, but I can't imagine why that would be (there are many references to this condition on the web).

I can't find anything on any of the security newsgroups or anti-virus sites that identifies Advapi as associated with a trojan or virus. There was one reference to a brute-force attack against an Exchange server that was hacked for spam purposes. Since there aren't other references to the same, it seems as if it was likely a one-time event, and the attacker went after the Administrator account, which makes much more sense since that is the only account that you can guarantee will be on the machine. Perhaps it was someone who is using your mail server as a relay and they were just testing user IDs in order to get valid ones for relaying.

Are you running IIS or Exchange on this machine?

If the IP address and Port fields were truly just "-", then that may indicate an authentication attempt from the local machine rather than a remote one.

Of course, this could be a 0-day exploit.


pansophic
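The question above (what the Logon Process, Caller Process ID and the blank Source Network Address tell you) and pansophic's point that "-" in the address and port fields points at an authentication request from the local machine can both be checked against the log itself. The following is an added example, not code from the thread or from Tek-Tips: a Python script that parses an Event Viewer text export of Event ID 529 entries, clusters the failures in time, and reports bursts of many distinct user names, stating for each burst whether a source address was recorded and, if not, that the Caller Process ID is the remaining lead. The sample log is constructed to mirror the quoted entry; the host, domain, user names, addresses and PID are placeholders, and the threshold of 10 distinct names within 90 seconds is an assumption to tune to your own environment.

```python
# Added example: detect password-guessing bursts in a Security-log text export
# of Event ID 529 entries (Windows 2003 format). Sample data is constructed.
import re
from datetime import datetime, timedelta

# Same field layout as the Event Viewer entry quoted in the thread; placeholders.
EVENT_TEMPLATE = """Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 12/20/2006
Time: {time}
User: NT AUTHORITY\\SYSTEM
Computer: SBSSERVERNAME
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: {user}
Domain:
Logon Type: 3
Logon Process: {process}
Authentication Package: {package}
Workstation Name: {workstation}
Caller User Name: SBSSERVERNAME$
Caller Domain: OURDOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: {pid}
Transited Services: -
Source Network Address: {addr}
Source Port: {port}
"""

def _event(time, user, process="Advapi", package="MICROSOFT_AUTHENTICATION_PACKAGE_V1_0",
           workstation="SBSSERVERNAME", pid="2084", addr="-", port="-"):
    return EVENT_TEMPLATE.format(time=time, user=user, process=process, package=package,
                                 workstation=workstation, pid=pid, addr=addr, port=port)

# Constructed sample: one ordinary NTLM failure from a workstation in the morning,
# then a 12-name guessing burst through Advapi with no source address (as in the thread).
BURST_USERS = ["claudia", "admin", "administrator", "test", "guest", "sales",
               "info", "webmaster", "backup", "john", "mary", "support"]
SAMPLE_LOG = "\n".join(
    [_event("08:03:41 AM", "jsmith", process="NtLmSsp", package="NTLM",
            workstation="WS-JSMITH", pid="-", addr="192.168.1.23", port="1055")]
    + [_event("12:49:%02d PM" % (13 + i), u) for i, u in enumerate(BURST_USERS)])

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")

def parse_events(text):
    """Split the text dump into blank-line-separated events, keep the 529s,
    and return each as a dict of 'Field': 'value' plus a parsed 'timestamp'."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        ev = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if m:
                ev[m.group(1).strip()] = m.group(2).strip()
        if ev.get("Event ID") == "529":
            ev["timestamp"] = datetime.strptime(ev["Date"] + " " + ev["Time"],
                                                "%m/%d/%Y %I:%M:%S %p")
            events.append(ev)
    return events

def cluster_failures(events, window=timedelta(seconds=90)):
    """Greedy time clustering: start a new cluster when an event falls more
    than `window` after the first event of the current cluster."""
    clusters, current = [], []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if current and ev["timestamp"] - current[0]["timestamp"] > window:
            clusters.append(current)
            current = []
        current.append(ev)
    if current:
        clusters.append(current)
    return clusters

def summarize(cluster):
    """Per-cluster view of what the 529 fields do and do not tell you."""
    sources = {e.get("Source Network Address", "-") for e in cluster} - {"", "-"}
    procs = sorted({e.get("Logon Process", "") for e in cluster})
    pids = sorted({e.get("Caller Process ID", "") for e in cluster})
    if sources:
        lead = "source address(es) recorded: " + ", ".join(sorted(sources))
    elif "Advapi" in procs:
        # Advapi = LogonUser() called by a process on this server, so the event
        # carries no network source; the caller PID and that process's own logs
        # (IIS, Exchange, ...) are the lead, and only if the PID was captured at the time.
        lead = "no source address: Advapi logon by local PID %s; check that process's logs" % "/".join(pids)
    else:
        lead = "no source address recorded in the event"
    return {"start": cluster[0]["timestamp"], "end": cluster[-1]["timestamp"],
            "attempts": len(cluster),
            "distinct_users": len({e.get("User Name", "").lower() for e in cluster}),
            "logon_processes": procs, "caller_pids": pids,
            "sources": sorted(sources), "source_recorded": bool(sources), "lead": lead}

def flag_bursts(text, min_users=10, window=timedelta(seconds=90)):
    """Return summaries of clusters with at least `min_users` distinct names."""
    return [s for s in map(summarize, cluster_failures(parse_events(text), window))
            if s["distinct_users"] >= min_users]

if __name__ == "__main__":
    for b in flag_bursts(SAMPLE_LOG):
        print("%s-%s %d attempts, %d users via %s; %s" % (b["start"].time(), b["end"].time(),
              b["attempts"], b["distinct_users"], ",".join(b["logon_processes"]), b["lead"]))
```

To use it on real data, save the Security log from Event Viewer as text and pass the file contents to `flag_bursts` in place of `SAMPLE_LOG`. On the thread's data the burst would report 750 attempts, all via Advapi with no source address, so the event log alone cannot give the originating IP: Advapi means a process on the server called the logon API itself, and Caller Logon ID 0x3E7 is the SYSTEM session. The remaining lead is Caller Process ID 2084, which only helps if you know which service held that PID at the time (PIDs change at every restart); that service's own logs (for IIS, the W3C logs carry the client address) are where the remote address would appear.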
 
I saw very similar logs when we had brute-force attacks on our Active Directory. There wasn't always a remote IP address, or any IP address for that matter. The computer names in the logs didn't match anything that we had in our AD. I know this because we have a naming scheme for our PCs.

I was able to track this down after I successfully ran null session attacks on our servers. However, 2k3 by default is not vulnerable to null session attacks. If backwards compatibility is turned on in 2k3, it will become vulnerable. So if you have, say, Windows NT servers in your environment with 2k3, you may want to also check into that. But that doesn't mean they aren't trying to brute-force your AD.

Do you have an Intrusion Detection System (IDS) on your network? What about an Intrusion Prevention System (IPS)? Are the servers on a DMZ? Are they completely open (public network)? If you don't already have an IDS or IPS, I would at the very least consider looking at getting a sensor or two onto the network, if I were you. You can go Snort (my personal favorite, and it is free for both Linux and Windows), or you can go the commercial route from various vendors such as Cisco. IPSs are very good, but they are also very expensive. However, if nothing else, a temporary IDS will help you identify what's going on (once it is properly configured, of course), should it be on the network.

Something else to consider apart from a remote attack or IIS issues above is malware on your network.

----------------------------
"Will work for bandwidth" - Thinkgeek T-shirt
 