Re: Trace of 139 attack?
From: Windex King (WindexKing@mor-lan-d.com) Date: 07/25/01
- Previous message: Frédéric Médery: "ipsec for lan"
- In reply to: Eagle: "Trace of 139 attack?"
- Next in thread: Rob Kirk: "RE: Trace of 139 attack?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <3B5E5E0D.9C58E8C7@mor-lan-d.com> Date: Wed, 25 Jul 2001 01:50:05 -0400 From: Windex King <WindexKing@mor-lan-d.com> To: focus-ms@securityfocus.com Subject: Re: Trace of 139 attack?
the_eagle@flashmail.com wrote:
> Is there any way through reading logs etc, it might be possible to trace his
> IP back? If yes, then which logs, and what entries in those logs would show
> up his IP?
To make sure people remember the context in which we are speaking, we're talking
about info contained within NT Event logs here. Now the answer to this question
AFAIK is no. There isn't any IP info included in logon failures or successes
in the NT Security Event log.
I seem to recall someone (Marc of eEye?) mentioning that they had asked
Microsoft to include an IP address field in the Security Event log and
MS responded that they were thinking about including DNS names ??
> Also prior to getting the right password, he must have gone through a number
> of failed attempts. Do the logs of these give an idea of his IP?
As I mentioned above, no. To make the situation even more confusing, the
workstation name that is logged in the NT Security Event log can also be
"spoofed".
If the attacker was using smbclient on *BSD (or some other *NIX) then
he could quite easily specify the -n flag and make up the "source"
netbios name.
Actually, smbclient has been ported under cygwin to NT and seems to work
fine. Many Thanks to greg@hoobie.net for doing that. I have been wanting
that functionality on my NT boxes for a while.
> If in the future to catch such an attack there are any config changes to be
> made, then what would those be?
I have been mucking with having my HIDS execute a simple script once
certain "suspicious" events have occurred. The script basically does:
C:\I AM Canadian>netstat -an | findstr /r "^[^:]*:139[^0-9][^:]*:.*"
TCP 10.10.10.10:139 0.0.0.0:0 LISTENING
That way you get a list of all the machines that are connected to TCP
139 on your box (this needs to be run while the attacker is connected
obviously). This isn't a very elegant solution but I've been at a loss
as to what else to do (other than installing FW or NIDS software).
You might actually want to consider some NIDS or Firewall product so
you can log all TCP 139 SYN packets. Other than that, I'm not sure
what to do.
Of course, those options only help for the next time this may occur. As
far as tracing the IP address for the attacker who was already in your
machine, I think you're out of luck.
W K
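The netstat-plus-findstr approach in the message above, worked out as an added example that is not part of the original post or its author's script. It parses Windows-style `netstat -an` output, keeps only TCP sockets on the local port in the ESTABLISHED state (so the listener itself, whose foreign address is 0.0.0.0:0, and half-closed TIME_WAIT entries are not reported as connected peers), ignores outbound sessions where the local box is the client, and groups the remote IPs found. The sample netstat output, the hosts in it, and the helper names (`parse_netstat`, `connected_peers`, `live_peers`) are constructed for this illustration. It is generalised slightly beyond the post by taking the local port as a parameter, so the same check works for TCP 445.

```python
"""List remote peers connected to a local TCP port from `netstat -an` output.

Added example, not code from the original mailing-list post. Same idea as the
netstat | findstr one-liner in the message, but only ESTABLISHED sockets are
reported, so the LISTENING entry (foreign address 0.0.0.0:0) is never mistaken
for a connected attacker. SAMPLE_NETSTAT below is constructed, not a capture.
"""
import re
from collections import defaultdict

# Constructed sample of Windows `netstat -an` output (hypothetical hosts).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.10.10.10:139        0.0.0.0:0              LISTENING
  TCP    10.10.10.10:139        192.0.2.55:1032        ESTABLISHED
  TCP    10.10.10.10:139        192.0.2.55:1033        ESTABLISHED
  TCP    10.10.10.10:139        198.51.100.7:4421      TIME_WAIT
  TCP    10.10.10.10:1389       10.10.10.20:139        ESTABLISHED
  TCP    10.10.10.10:445        203.0.113.9:2200       ESTABLISHED
  UDP    10.10.10.10:137        *:*
"""

# One netstat row: proto, local endpoint, foreign endpoint, optional state
# (UDP rows carry no state column).
_LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); port is None for the '*' wildcard."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Yield (proto, local_host, local_port, remote_host, remote_port, state)
    for every socket row; header and blank lines are skipped."""
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        proto, local, remote, state = m.groups()
        lh, lp = split_endpoint(local)
        rh, rp = split_endpoint(remote)
        yield proto, lh, lp, rh, rp, (state or "")


def connected_peers(text, local_port=139):
    """Return {remote_ip: [remote_ports]} for inbound ESTABLISHED TCP sessions
    on local_port. Listeners, TIME_WAIT leftovers and outbound sessions (where
    the remote side, not ours, is on local_port) are excluded."""
    peers = defaultdict(list)
    for proto, _lh, lp, rh, rp, state in parse_netstat(text):
        if proto != "TCP" or lp != local_port or state != "ESTABLISHED":
            continue
        peers[rh].append(rp)
    return dict(peers)


def live_peers(local_port=139):
    """Run netstat -an on the local Windows box and report connected peers.
    Only useful while the session is still open, as the post notes."""
    import subprocess
    out = subprocess.run(["netstat", "-an"], capture_output=True,
                         text=True, check=True).stdout
    return connected_peers(out, local_port)


if __name__ == "__main__":
    for ip, ports in sorted(connected_peers(SAMPLE_NETSTAT).items()):
        print(f"{ip} has {len(ports)} session(s) to TCP/139 from ports {ports}")
```

Run against the constructed sample it reports only 192.0.2.55 (two sessions to 139); the listener row, the TIME_WAIT row from 198.51.100.7, the outbound session to 10.10.10.20:139 and the 445 session are all left out. `live_peers()` is the piece a HIDS hook would call; it still only catches an attacker who is connected at the moment the hook fires, which is the limitation the post already points out.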