re: Brute-force and IIS/w2k logs

From: Harlan Carvey (keydet89@yahoo.com)
Date: 04/03/03

    From: Harlan Carvey <keydet89@yahoo.com>
    To: security-basics@securityfocus.com
    Date: Thu, 3 Apr 2003 06:01:26 -0800 (PST)

    > I've just reviewed a short range of security logs on a
    > W2k/IIS box and there is an over abundance of repeated
    > invalid login attempts. The attempts seem to focus on
    > weak user ids (ie; admin, administrator, root, sql,
    > etc.). However I've seen a few successful "anonymous"
    > login/logouts.

    Depending on your architecture, it sounds as if this
    W2K box isn't behind any sort of firewall...or if it
    is, ports 139/445 may be let through. Either way,
    both are Very Bad Things(tm).

    If you're looking at the Security EventLog, then the
    IIS server is pretty irrelevant, unless you're using
    some sort of OWA or the IIS server is processing some
    kind of authentication.

    > My two questions are.. is the "anonymous" login
    > something to be concerned about and what's the best
    > way(s) to gather more relevant log data about the source
    > of the attacks beyond the scant information provided in
    > the Security log (machine name, time/date). Is there a
    > way to capture the IP address of the source?

    1. Again, depending on how the infrastructure is set
    up, these anonymous logins could be normal traffic, or
    they could be attempts at null session connects.
    Without more detailed information, a definitive answer
    isn't possible.

    2. Install snort. It's free, and you can set up
    rules to capture just stuff to the particular ports on
    the box. The W2K EventLog doesn't capture IP
    addresses by itself...but snort will go a long way
    toward helping you with this.

    HTH,

    Harlan
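    An added illustration of the triage described above, written for this page and not part of Harlan's reply or the original poster's environment: it runs over a constructed, comma-separated Security log export (date time, event id, user, domain, workstation, logon type; event IDs follow the Windows 2000 numbering, 529 for a logon failure and 540 for a successful network logon), flags bursts of failed logons against weak account names per workstation, and lists successful NT AUTHORITY\ANONYMOUS LOGON network logons, which is how a null session shows up in that log. The workstation names, thresholds and sample events are assumptions; note that the workstation field is whatever the client sent, not an IP address, which is the gap the reply points to.

```python
"""Triage a Windows 2000 Security log export for brute-force logons and null sessions.

Added example, not part of the original post. Assumes the export is one
event per line, comma separated: date time, event id, user, domain,
workstation, logon type. Event IDs follow the W2K Security log numbering
(529 = logon failure, 540 = successful network logon, 538 = logoff).
"""
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_LOGON_FAILURE = 529   # bad user name or password
EVENT_NETWORK_LOGON = 540   # successful logon; logon type 3 = network

# Account names the original poster saw being guessed, plus a few usual suspects.
WEAK_USERNAMES = {"admin", "administrator", "root", "sql", "sa", "guest", "test"}

# Constructed sample export. Workstation names are whatever the client sent,
# not IP addresses, which is exactly the gap the reply points out.
SAMPLE_LOG = """\
2003-04-03 02:14:05,529,admin,WORKGROUP,WKS-ATTACK1,3
2003-04-03 02:14:07,529,administrator,WORKGROUP,WKS-ATTACK1,3
2003-04-03 02:14:09,529,root,WORKGROUP,WKS-ATTACK1,3
2003-04-03 02:14:11,529,sql,WORKGROUP,WKS-ATTACK1,3
2003-04-03 02:14:13,529,sa,WORKGROUP,WKS-ATTACK1,3
2003-04-03 02:14:15,529,guest,WORKGROUP,WKS-ATTACK1,3
2003-04-03 02:15:02,540,ANONYMOUS LOGON,NT AUTHORITY,WKS-ATTACK1,3
2003-04-03 02:15:03,538,ANONYMOUS LOGON,NT AUTHORITY,WKS-ATTACK1,3
2003-04-03 08:03:44,529,jsmith,CORP,WKS-LEGIT,2
2003-04-03 08:03:58,540,jsmith,CORP,WKS-LEGIT,3
"""


def parse_events(text):
    """Turn the export into a list of dicts with a real datetime per event."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event_id, user, domain, workstation, logon_type = line.split(",")
        events.append({
            "time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
            "event_id": int(event_id),
            "user": user,
            "domain": domain,
            "workstation": workstation,
            "logon_type": int(logon_type),
        })
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Report workstations with >= threshold logon failures inside any `window`."""
    failures = defaultdict(list)
    for ev in events:
        if ev["event_id"] == EVENT_LOGON_FAILURE:
            failures[ev["workstation"]].append(ev)

    hits = {}
    for workstation, fails in failures.items():
        fails.sort(key=lambda e: e["time"])
        start, peak = 0, 0
        # Sliding window over the sorted failure times: peak is the largest
        # number of failures that fit inside one window.
        for end in range(len(fails)):
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            users = sorted({e["user"].lower() for e in fails})
            hits[workstation] = {
                "peak_failures": peak,
                "users": users,
                "weak_users": [u for u in users if u in WEAK_USERNAMES],
            }
    return hits


def find_anonymous_logons(events):
    """Successful network logons as NT AUTHORITY\\ANONYMOUS LOGON, i.e. null sessions."""
    return [
        {"time": ev["time"], "workstation": ev["workstation"]}
        for ev in events
        if ev["event_id"] == EVENT_NETWORK_LOGON
        and ev["user"].upper() == "ANONYMOUS LOGON"
        and ev["logon_type"] == 3
    ]


def summarize(text):
    """Run both checks over one export and return them as a dict."""
    events = parse_events(text)
    return {
        "bruteforce": find_bruteforce(events),
        "anonymous_logons": find_anonymous_logons(events),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ws, info in report["bruteforce"].items():
        print(f"{ws}: {info['peak_failures']} failures, weak names tried: {info['weak_users']}")
    for a in report["anonymous_logons"]:
        print(f"null session from {a['workstation']} at {a['time']}")
```

    On the sample data the single mistyped password from WKS-LEGIT stays below the threshold, while WKS-ATTACK1 is reported both for six failures in two minutes against weak names and for the anonymous network logon that follows them. Whether that anonymous logon is a null session probe or normal traffic still depends on the environment, as the reply says, and the source IP has to come from a network capture rather than from the EventLog.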


    -------------------------------------------------------------------
    SurfControl E-mail Filter puts the brakes on spam,
    viruses and malicious code. Safeguard your business
    critical communications. Download a free 30-day trial:
    http://www.securityfocus.com/SurfControl-security-basics
