Re: Strange logon attempts to Win2k server

From: Birl (sbirl_at_temple.edu)
Date: 09/11/03

    Date: Thu, 11 Sep 2003 16:29:15 -0400 (EDT)
    To: pen-test@securityfocus.com

    As it was written on Sep 11, thus Chris Harrington typed:

    Chris: Date: Thu, 11 Sep 2003 12:08:53 -0400
    Chris: From: Chris Harrington <cmh@nmi.net>
    Chris: To: pen-test@securityfocus.com
    Chris: Subject: Strange logon attempts to Win2k server
    Chris:
    Chris: All,
    Chris:
    Chris: A customer notified us that someone / something tried to log into one of
    Chris: their servers repeatedly but failed. It appears to be some sort of
    Chris: script since it tried 6 usernames with 23 passwords in under 2 minutes.
    Chris: The event log is a typical 529 event ID. The logon type was 3 (network)
    Chris: and the logon process was advapi. I generally see this when someone
    Chris: tries to log in to IIS using cleartext authentication. There is no
    Chris: evidence in the w3svc logs of these attempts. There were no successful
    Chris: logins using that logon process.
    Chris:
    Chris: This server is an Exchange server with port 25 accessible from the
    Chris: Internet. I have verified this is the only port open by scan and
    Chris: firewall rules.
    Chris:
    Chris: 1. Can anyone access the advapi (or any domain login process) over port
    Chris: 25 on an Exchange server? I did not think that SMTP AUTH could do that.
    Chris:
    Chris: 2. What other common programs use the advapi call for authentication?
    Chris:
    Chris: The usernames that were tried are webmaster, admin, root, test, master,
    Chris: web. Each one was tried in that order with 23 passwords, all failed.
    Chris:
    Chris: 3. Does anyone know what script / app / virus / worm that could be?
    Chris:
    Chris: Any insights??
    Chris:
    Chris: Thanks,
    Chris:
    Chris: --Chris

    [snipping non-related reply to the Wireless LANs thread]

    AFAIK, IIS is a separate logon process, different from User32, AdvAPI,
    NTLMSSP, etc. I cannot say that I have ever seen IIS use AdvAPI for
    authentication.

    I know that RemotelyAnywhere uses AdvAPI for authentication.

    As for scripts/worms/etc, nothing comes to mind.

     Scott Birl http://concept.temple.edu/sysadmin/
     Senior Systems Administrator Computer Services Temple University
    ====*====*====*====*====*====*====*====+====*====*====*====*====*====*====*====*
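The pattern Chris describes (a burst of event ID 529, logon type 3, logon process advapi, a short list of usernames each tried with many passwords, no matching successful logon) is easy to pick out of a Security log export once you group failures by source and logon process. The script below is an added example for this thread, not code from either poster. It assumes a constructed, simplified CSV export of the Security log (real Event Viewer exports have more columns), a constructed source workstation name GUESSBOX, and thresholds (20 failures across 3 or more accounts inside a 2-minute window) that are assumptions to tune for your own environment. The usernames and the 6 x 23 counts come from the report.

```python
"""Detect scripted logon guessing in a Windows 2000 Security log export.

Added example, not code from the original thread. It models the pattern Chris
reports: a burst of event ID 529 (logon failure), logon type 3 (network),
logon process advapi, cycling a short username list through many passwords.
The CSV layout below is a constructed simplification of an Event Viewer
export; real exports carry more columns and different names.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Usernames and counts from the report: 6 accounts x 23 passwords in under 2 min.
GUESSED_USERS = ["webmaster", "admin", "root", "test", "master", "web"]
PASSWORDS_PER_USER = 23


def build_sample_log():
    """Constructed sample log: the guessing burst from one source (GUESSBOX is
    a made-up name), plus unrelated noise (a mistyped password and a normal
    success via NTLMSSP from another host)."""
    base = datetime(2003, 9, 11, 9, 14, 0)
    rows = ["time,event_id,logon_type,logon_process,user,workstation"]
    i = 0
    for user in GUESSED_USERS:
        for _ in range(PASSWORDS_PER_USER):
            t = base + timedelta(seconds=int(i * 0.8))  # ~110 s in total
            rows.append(f"{t:%Y-%m-%d %H:%M:%S},529,3,advapi,{user},GUESSBOX")
            i += 1
    rows.append("2003-09-11 09:14:30,529,3,NtLmSsp,jdoe,SALES-PC")
    rows.append("2003-09-11 09:14:41,528,3,NtLmSsp,jdoe,SALES-PC")
    return "\n".join(rows) + "\n"


def parse_events(text):
    """Parse the CSV export into dicts with typed fields, sorted by time."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        events.append({
            "time": datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S"),
            "event_id": int(row["event_id"]),
            "logon_type": int(row["logon_type"]),
            "logon_process": row["logon_process"].lower(),
            "user": row["user"].lower(),
            "workstation": row["workstation"],
        })
    return sorted(events, key=lambda e: e["time"])


def find_guessing_bursts(events, window=timedelta(minutes=2),
                         min_attempts=20, min_users=3):
    """Flag (workstation, logon_process) pairs with >= min_attempts type-3
    logon failures across >= min_users distinct accounts inside one window.
    The densest qualifying window per pair is reported, with a note on
    whether any success (528) followed from the same source and process."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 529 and e["logon_type"] == 3:
            failures[(e["workstation"], e["logon_process"])].append(e)

    alerts = []
    for (source, process), evs in failures.items():
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            span = evs[start:end + 1]
            users = list(dict.fromkeys(e["user"] for e in span))  # first-seen order
            if len(span) >= min_attempts and len(users) >= min_users:
                if best is None or len(span) > best["attempts"]:
                    best = {"source": source, "logon_process": process,
                            "attempts": len(span), "users": users,
                            "first": span[0]["time"], "last": span[-1]["time"]}
        if best is not None:
            best["succeeded_after"] = any(
                e["event_id"] == 528 and e["workstation"] == source
                and e["logon_process"] == process and e["time"] >= best["first"]
                for e in events)
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in find_guessing_bursts(parse_events(build_sample_log())):
        print(f"{a['source']} via {a['logon_process']}: {a['attempts']} failed "
              f"logons over {(a['last'] - a['first']).seconds}s, accounts tried "
              f"in order {a['users']}, success afterwards: {a['succeeded_after']}")
```

Grouping by logon process as well as by source is what separates this case from ordinary NTLM or Kerberos failures: the one-off NtLmSsp failure from SALES-PC never reaches the threshold, while the advapi burst from GUESSBOX is reported with the accounts in the order they were tried. The `succeeded_after` flag reproduces Chris's own check that no logon via that process succeeded, which is the first thing to confirm before deciding whether the burst is only noise.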
