Re: Hack signature in system log - some insights requested

From: H C (keydet89@yahoo.com)
Date: 07/24/01


Message-ID: <20010723232905.92445.qmail@web14605.mail.yahoo.com>
Date: Mon, 23 Jul 2001 16:29:05 -0700 (PDT)
From: H C <keydet89@yahoo.com>
Subject: Re: Hack signature in system log - some insights requested
To: Jonathan <jon_list@driftwood.net>, dovmar@starpower.net, FOCUS-MS@securityfocus.com

Jon,

What exactly do you mean by 'security auditing'? I
think it might be helpful if you're a little more
specific. For example, I assume that you're referring
to auditing of both successful and failed logon
attempts. However, it would be prudent to point out
that there is no blanket 'security auditing' button,
particularly when you're dealing with discretionary
and system access controls.

Your general advice is good, though it won't make much
difference in the sense that this event seems to have
already occurred.

Carv

--- Jonathan <jon_list@driftwood.net> wrote:
> Do you have auditing turned on? If you turn on
> security auditing you
> should be able to get some more meaningful info in
> the security log.
>
>
>
> At 12:53 AM 7/20/01 -0400, dovmar wrote:
> >Hi all,
> >
> >I have a bunch of entries like these in my system
> event file recorded over
> >the last couple of days. Some of them are in groups
> of several dozen, spaced
> >_exactly_ 5 minutes apart. ( I broke up the line
> for readability):
> >
> >"7/19/01 7:26:21 PM
> >W3SVC Warning
> >None
> >100
> >N/A
> >SERVERNAME HERE
> >The server was unable to logon the Windows NT
> account 'administrator' due to
> >the following error: Logon failure: unknown user
> name or bad password. The
> >data is the error code."
> >
> >I assume this is a brute force type of hack attack
> on the admin password,
> >but it occurs to me that it _might_ be some process
> that's trying to login
> >when we've recently changed the admin password?
> There are 2 of us that look
> >after servers, but I believe these started before
> our recent password
> >changes.
> >
> >I'd like to know if there's some log that's
> recording these attempts with an
> >originating IP address - a la the way IIS logs
> activity. Failing that, could
> >you suggest a log method to try to trap the source?
> >
> >Thanks
>
>

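The thread turns on one question: are the W3SVC event 100 failures a brute-force run against 'administrator', or a process firing on a schedule? The quoted entry carries no source address, but it does carry a timestamp, and the poster has already noticed the _exactly_ 5-minute spacing. The script below is an added example, not code from any of the posters: it parses event-log records in the layout quoted above (here assumed to be a tab-separated Event Viewer export, one record per line), keeps only W3SVC event 100, splits them into bursts, and reports whether each burst's intervals are all identical (scheduled-looking) or not (consistent with a human or tool guessing). The sample records are constructed for the example; the field order and tab separation are assumptions.

```python
"""Interval analysis of W3SVC event 100 'unable to logon' records.

Added example for the thread above. The tab-separated field layout
(date time, source, type, category, event id, user, computer, message)
is an ASSUMED Event Viewer export format; the sample records below
are constructed to mirror the entry quoted in the thread.
"""
import re
from datetime import datetime, timedelta

TIME_FMT = "%m/%d/%y %I:%M:%S %p"            # e.g. 7/19/01 7:26:21 PM
ACCOUNT_RE = re.compile(r"account '([^']+)'")  # pulls the account name out of the message

# Message text as quoted in the thread.
MESSAGE = ("The server was unable to logon the Windows NT account 'administrator' "
           "due to the following error: Logon failure: unknown user name or bad "
           "password. The data is the error code.")


def _record(stamp, source="W3SVC", kind="Warning", event_id="100",
            computer="SERVERNAME", message=MESSAGE):
    """Build one constructed export line (assumed tab-separated layout)."""
    return "\t".join([stamp, source, kind, "None", event_id, "N/A", computer, message])


# Constructed sample: one run spaced exactly 5 minutes apart, one unrelated
# event, and one run with irregular sub-5-second spacing.
SAMPLE_LOG = "\n".join([
    _record("7/19/01 7:21:21 PM"),
    _record("7/19/01 7:26:21 PM"),
    _record("7/19/01 7:31:21 PM"),
    _record("7/19/01 7:36:21 PM"),
    _record("7/19/01 8:00:00 PM", source="Service Control Manager", kind="Information",
            event_id="7036", message="The Alerter service entered the running state."),
    _record("7/19/01 9:02:05 PM"),
    _record("7/19/01 9:02:07 PM"),
    _record("7/19/01 9:02:08 PM"),
    _record("7/19/01 9:02:11 PM"),
])


def parse_records(text):
    """Parse export lines into dicts; raise on a line that does not fit the assumed layout."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) < 8:
            raise ValueError(f"unexpected field count: {line!r}")
        stamp, source, _kind, _category, event_id, _user, computer, message = fields[:8]
        m = ACCOUNT_RE.search(message)
        records.append({
            "time": datetime.strptime(stamp, TIME_FMT),
            "source": source,
            "event_id": int(event_id),
            "computer": computer,
            "account": m.group(1) if m else None,
        })
    return records


def group_bursts(records, max_gap=timedelta(minutes=15)):
    """Sort by time and start a new burst whenever the gap to the previous record exceeds max_gap."""
    bursts = []
    for rec in sorted(records, key=lambda r: r["time"]):
        if bursts and rec["time"] - bursts[-1][-1]["time"] <= max_gap:
            bursts[-1].append(rec)
        else:
            bursts.append([rec])
    return bursts


def classify_burst(burst):
    """('periodic', seconds) if every interval is identical, ('irregular', None) otherwise.

    Fewer than three records give only one interval, which cannot show regularity.
    """
    if len(burst) < 3:
        return ("too_short", None)
    intervals = [int((b["time"] - a["time"]).total_seconds())
                 for a, b in zip(burst, burst[1:])]
    if len(set(intervals)) == 1:
        return ("periodic", intervals[0])
    return ("irregular", None)


def analyse(text, source="W3SVC", event_id=100):
    """Filter to the event of interest, burst the records, and classify each burst."""
    recs = [r for r in parse_records(text)
            if r["source"] == source and r["event_id"] == event_id]
    summary = []
    for burst in group_bursts(recs):
        verdict, period = classify_burst(burst)
        summary.append({
            "start": burst[0]["time"],
            "end": burst[-1]["time"],
            "count": len(burst),
            "accounts": sorted({r["account"] for r in burst if r["account"]}),
            "verdict": verdict,
            "period_s": period,
        })
    return summary


if __name__ == "__main__":
    for b in analyse(SAMPLE_LOG):
        print(f"{b['start']} .. {b['end']}  n={b['count']}  accounts={b['accounts']}  "
              f"{b['verdict']}" + (f" every {b['period_s']}s" if b["period_s"] else ""))
```

A burst in which every interval is identical to the second, as in the poster's 5-minute runs, is far more characteristic of a service or scheduled job retrying with a stale credential than of a password-guessing tool; the second constructed burst shows what the irregular spacing of guessing looks like by contrast. Since this event records no client address, the burst start and end times are the handles for correlating against the IIS access log the poster mentions, which does record the remote host.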