
Strange Login Attempts at MS Servers

Status
Not open for further replies.

dball63

MIS
Jan 31, 2001
US
For the last few months I have had this strange problem at my place. Our security expert can't explain it either. It's bothering me so I was hoping maybe someone else may have some ideas.

Problem:
On a few of my machines I started logging login failures. Servers and my personal PC's to be exact. Thought it would be a good practice to get started.

I used to see nothing in these logs most of the time. Occasionally I would see one of my own typing blunders maybe.
Then for some reason over the last few months I see more and more failed attempts at each of these PC's by a few machines on our network. 3 PC's to be exact. These machines are in different offices and the security expert says that those machines belong to regular users, not hackers by any means.

The logs always say bad username or password
account: Administrator

I see that today alone there were over 25 failed attempts at the box I am writing this from!
It seems to be getting worse, more attempts from the same 3 machines that is.

I also see these same machines sending ICMP requests to my PC's with my firewall software.

Anybody have any idea what the hell this might be?
There is no reason that these machines should be anywhere near my network.
I just don't get it!

David Ball CNE, MCSE
 
a possibility:
there may be a scheduled task or process trying to run under administrator credentials or trying to authenticate through the firewall but the admin password has changed since they were set up.
Security Forums
 
I would say that there's probably something going on with these remote machines that the user doesn't know about. A network aware worm maybe? Could those machines be running IIS and be infected with Code Red?
 
I don't think that there is a scheduled task running. We are totally separate departments and as I said before, there is no reason for any machine outside of my dept to be needing any of my resources.

The latter may be a possibility. I don't know too much about worms, but the more I think about it, the more I feel the need to solve this once and for all. Our security guru hasn't done much since I informed him but maybe I should take it upon myself to figure it out!
I don't recall if these machines were running IIS but I could definitely find out Tuesday.

I may be able to gain physical access to one of these machines if I just ask the user, which I have not done yet. I'm not sure what or how to look for what I need though. Any ideas? Services, Scheduler......

David Ball CNE, MCSE
 
Have you checked out zombiemach's post in this section dated 2/8/03? (Win2000 administration rights)
 
David....

a couple questions..

1. Are outside pcs trying to log on to local machines as local admin? or as the Grand High Pooba (Root Admin for Network) ?

2. Are you still actually running the admin accounts (local and/or root) under the default name of Administrator?

3. What ports are being requested by the outside machines, and what ports on the outside machines are originating the request? Should show up in the firewall logs...Compare time of port request to time of log on failure.

4. Have you checked with D-Shield to see if your public IP address is listed in their database? If it is, it is a pretty good sign that your system has been compromised somewhere.


A little explanation of the above questions.....

1. Approach to attack can help define what back door is attempting to be installed (if attack by worm) and therefore helps to define what worm is involved, if any.

2. Changing the Administrator default name is a basic security move that should always be performed. ALWAYS!!!
It's not much of a defense except against basic script kiddie attacks, but why make anything easier than it has to be. If you know the administrator's user name you are already halfway there. (If the admin account is still Administrator, you might want to recheck the credentials of your Security "expert")

3. Same as question 1

4. Dshield maintains a database of firewall logs submitted by thousands of members worldwide. If the same originating IP address shows up in large numbers of logs, it is either an intended attack, or the result of a compromised network being used to promulgate the worm that originally caused the compromise. If your public IP address shows up in the database, you are a part of the problem....albeit unknowingly.


Sounds like a good possibility of a worm trying to promulgate in your network. Tens of thousands to choose from. The above info could help to narrow it down, and if you have physical access to one of the outside PCs a check is fairly simple.

Get back to me,
Regards,
David ONeill
 
indytshooter ,
I looked at zombiemach's post and I think that post requires that the attacker gain physical access. That can't happen here for sure.

vesselescape,
1. It appears that they are making attempts only at local admin accounts or with the accounts they use on their PCs. It looks as though some of them may log in to their machines with the local admin account.

2. Names are default still. (I know.....go ahead yell at me)

3. Ports I still need to confirm

4. Looked at DShield and while I checked my own NAT address and found nothing, I think we may use more than one address publicly and others could be in the DShield database that I am not aware of, but I would be very surprised to find that true.

David Ball CNE, MCSE


 
The ICMP messages could simply be network resolution.

I've seen several reasons for inexplicable bad username / password entries in the event log of other machines. Here are some:

Domain membership. Local Administrator logins are sufficient to cause audit failures when the machine tries to access a resource (any resource, not just your particular server) on the domain. If I remember correctly, audit login is domain-wide; don't assume it's your server reporting the error.

Local Administrator having a different password than domain administrator. When a local login, for any reason, wanders around on the network, it's going to present the LOCAL credentials to the domain. That gets audited if the passwords mismatch; and there isn't always a prompt. If they need local admin rights, create a new local user for the person, add them to the local (not domain) administrators group, create a domain user with the same password, and (probably) change the local administrator password to match the domain password (assuming they don't know it). To prevent getting two user profiles, DON'T log in until you have created the domain user account and decided what they log in to (local or domain - otherwise you'll get user.### folders). From then forward, they would always log in how you specify. Warning: You'll get a crash course in how to move someone's profile (Outlook, Favorites, Documents, Start Menu, etc).

Local persistent connections to network resources; even to hidden pipes + shares. Mapped Drives, Printers, ports, etc. Type NET USE at the station to see connections, and reset any that cross local/domain boundaries.

Printers (especially Hitachi DDS32/40) originally installed as Administrator. Trash and recreate as the user.

Services. People frequently forget to change the passwords on services that, instead of logging in as Local Machine, log on as a domain or a local user account. When the domain password is changed, or the service tries to authenticate on the domain, it freaks out.

(long shot) Machine account "out of sync". Be very careful with this one; you can disjoin and lose SIDs. Usually you will see messages in the event log that indicate MACHINENAME$ and some failure message. If it applies, read about resetting machine accounts before going here.

Next time these log entries appear, call the user. Note that event log times are frequently Greenwich time, skewed by the machine you view the event log on. If the problem is local Administrator, paired with one of the above suggestions, you'll see a lot of messages when they first turn on / log in.

Good luck.
 
In addition to my previous post, also check COM impersonations.

Start | Run | MMC

In MMC,

Console | Add/Remove Snap-in...
Click [Add]
Select "Component Services"
Click [Add], [Close]
Click [Ok]

Wait for "My Computer" to appear.
Expand the tree. For each COM package listed, right click the package, choose "Properties", and select the "Identity" tab.

Just like the Services applet, check for impersonations other than Interactive User.
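The checks described in the two posts above (failed logons by source machine, services and scheduled tasks running under a named account, and COM+ application identities other than Interactive User), collected into one script. This is an added example, not code from the thread; it assumes Windows PowerShell 5 or later run as an administrator, and uses the modern failed-logon event ID 4625 (Windows 2000 of the thread's era logged 529).

```powershell
# Added example (not from the thread). Run elevated on the machine whose Security
# log shows the failures; the 4625 property indexes below are for that event.

# 1. Which remote machines and accounts are failing, and how often?
function Get-FailedLogonSummary {
    param([int]$Hours = 24)
    $start = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $start } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = $_.Properties
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = "$($p[6].Value)\$($p[5].Value)"   # TargetDomainName\TargetUserName
                LogonType   = $p[10].Value                      # 3 = network (shares, named pipes)
                Workstation = $p[13].Value                      # name the remote PC presented
                SourceIP    = $p[19].Value
            }
        } |
        Group-Object Account, Workstation, SourceIP |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# 2. On a suspect client: what is configured to run with stored credentials?
function Get-StoredCredentialUsers {
    $builtin = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService',
               'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE'
    # Services logging on as a real user (the Services applet check)
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -and $builtin -notcontains $_.StartName } |
        ForEach-Object { [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; RunAs = $_.StartName } }
    # Scheduled tasks registered under a named account
    Get-ScheduledTask |
        Where-Object { $_.Principal.UserId -and $_.Principal.UserId -notmatch '^(SYSTEM|LOCAL SERVICE|NETWORK SERVICE)$' } |
        ForEach-Object { [pscustomobject]@{ Kind = 'Task'; Name = $_.TaskName; RunAs = $_.Principal.UserId } }
    # COM+ applications whose Identity tab is not "Interactive User" (the MMC walk-through)
    $catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
    $apps = $catalog.GetCollection('Applications')
    $apps.Populate()
    foreach ($app in $apps) {
        $identity = $app.Value('Identity')
        if ($identity -ne 'Interactive User') {
            [pscustomobject]@{ Kind = 'COM+'; Name = $app.Name; RunAs = $identity }
        }
    }
}

Get-FailedLogonSummary -Hours 24 | Format-Table -AutoSize
Get-StoredCredentialUsers     | Format-Table -AutoSize
net use   # persistent connections that may carry local credentials across the domain boundary
```

Compare the Time column of the first table with the user's logon or power-on time, as the post suggests, and check whether any RunAs account from the second table matches the account named in the failures.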
 
Just wanted to give an update to my post. I sure am glad that I posted here at tek-tips. While no one post told me what my problem was, it did give me the idea to keep at it. I got the chance to get access to both of these PC's finally. Turns out that these machines were infected with the W32.Sobig.A@mm virus.


McAfee VirusScan never caught it for some reason even though def files were up to date. I have yet to call them on this.

Thanks for all your help on this. You may have helped save our network and data from who knows what damage. You also helped to make me the hero of the day. Go tek-tips!

David Ball CNE, MCSE
 
Thanks for the update David....

Another example of why one cannot just "fire and forget" on any network. Anti-virus programs are, by definition, after the fact. No substitute for watching the actions of your own network, and following up on unusual traffic.

Good Job!
 