RE: Hack signature in system log - some insights requested

From: Tulchinskiy, Sasha (STulchinskiy@aspensys.com)
Date: 07/23/01


Message-ID: <966D241E5D22D411A31900805F6FED6303CD8637@mailsvr1.aspensys.com>
From: "Tulchinskiy, Sasha" <STulchinskiy@aspensys.com>
To: "'dovmar@starpower.net'" <dovmar@starpower.net>, FOCUS-MS@securityfocus.com
Subject: RE: Hack signature in system log - some insights requested
Date: Mon, 23 Jul 2001 14:12:43 -0400

Why don't you try IIS logs? Enable "Client IP address" and "HTTP status" in
the IIS logging properties and watch for 401 - you'll get the attacking
source IP.

I don't believe that any application has a reason to use "administrator" via
HTTP.

Sasha.

-----Original Message-----
From: dovmar [mailto:dovmar@starpower.net]
Sent: Friday, July 20, 2001 12:54 AM
To: FOCUS-MS@securityfocus.com
Subject: Hack signature in system log - some insights requested

Hi all,

I have a bunch of entries like these in my system event file recorded over
the last couple of days. Some of them are in groups of several dozen, spaced
_exactly_ 5 minutes apart. (I broke up the line for readability):

"7/19/01 7:26:21 PM
W3SVC Warning
None
100
N/A
SERVERNAME HERE
The server was unable to logon the Windows NT account 'administrator' due to
the following error: Logon failure: unknown user name or bad password. The
data is the error code."

I assume this is a brute force type of hack attack on the admin password,
but it occurs to me that it _might_ be some process that's trying to login
when we've recently changed the admin password? There are 2 of us that look
after servers, but I believe these started before our recent password
changes.

I'd like to know if there's some log that's recording these attempts with an
originating IP address - a la the way IIS logs activity. Failing that, could
you suggest a log method to try to trap the source?

Thanks
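As an added illustration of the approach Sasha suggests (not code from either poster), the script below parses an IIS W3C extended log with "Client IP address" (c-ip) and "HTTP status" (sc-status) enabled, groups 401 responses by source address, and reports any source with repeated failures together with the spacing between attempts, so a run at a fixed interval like the one dovmar describes stands out. The log lines are constructed and use documentation address ranges; the assumption that cs-username carries the account name the client presented is marked in the code (on a 401 challenge IIS may log only "-", in which case the status code alone is the useful signal).

```python
"""Summarise 401 (Unauthorized) responses per client IP from an IIS W3C extended log.

Constructed example: the log lines below are invented and use documentation
address ranges. Field names follow the W3C extended log format IIS writes when
"Client IP address" (c-ip) and "HTTP status" (sc-status) are enabled.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log. cs-username is assumed to hold the account name the
# client sent; on the initial 401 challenge IIS may record "-" instead.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-07-19 23:21:21
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2001-07-19 23:21:21 192.0.2.77 - 10.0.0.5 80 GET /default.htm - 200
2001-07-19 23:26:21 192.0.2.77 administrator 10.0.0.5 80 GET /scripts/admin.asp - 401
2001-07-19 23:31:21 192.0.2.77 administrator 10.0.0.5 80 GET /scripts/admin.asp - 401
2001-07-19 23:36:21 192.0.2.77 administrator 10.0.0.5 80 GET /scripts/admin.asp - 401
2001-07-19 23:36:40 198.51.100.9 - 10.0.0.5 80 GET /index.htm - 200
2001-07-19 23:41:21 192.0.2.77 administrator 10.0.0.5 80 GET /scripts/admin.asp - 401
2001-07-19 23:50:02 198.51.100.9 jsmith 10.0.0.5 80 GET /private/report.htm - 401
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives: #Software, #Version, #Date
        if fields is None:
            raise ValueError("request line seen before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def failed_auth_by_ip(text, status="401"):
    """Map client IP -> list of (timestamp, username) for responses with the given status."""
    hits = defaultdict(list)
    for rec in parse_w3c(text):
        if rec["sc-status"] == status:
            ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            hits[rec["c-ip"]].append((ts, rec["cs-username"]))
    return dict(hits)


def intervals_seconds(timestamps):
    """Gaps in seconds between consecutive timestamps, in chronological order."""
    ts = sorted(timestamps)
    return [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]


def suspicious_sources(text, min_failures=3, username=None):
    """Return IPs with at least min_failures 401s (optionally for one account) and their spacing."""
    result = {}
    for ip, events in failed_auth_by_ip(text).items():
        selected = [ts for ts, user in events if username is None or user.lower() == username]
        if len(selected) >= min_failures:
            gaps = intervals_seconds(selected)
            result[ip] = {
                "failures": len(selected),
                "gaps_seconds": gaps,
                # Identical gaps point at a scripted client rather than a person.
                "fixed_interval": len(gaps) > 0 and len(set(gaps)) == 1,
            }
    return result


if __name__ == "__main__":
    for ip, info in suspicious_sources(SAMPLE_LOG, username="administrator").items():
        print(ip, info)
```

When correlating with the NT event log entries, keep in mind that W3C extended format records time in GMT while the event viewer shows local time, so the 7:26:21 PM event corresponds to a 23:26:21 log line on a server four hours behind GMT.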