re: Brute-force and IIS/w2k logs

From: Harlan Carvey (keydet89@yahoo.com)
Date: 04/03/03

  • Next message: Kevin Guidry: "Re: Authenticate systems before getting a DHCP IP?"
    From: Harlan Carvey <keydet89@yahoo.com>
    To: security-basics@securityfocus.com
    Date: Thu, 3 Apr 2003 06:01:26 -0800 (PST)
    
    
    

    This mail is probably spam. The original message has been attached
    along with this report, so you can recognize or block similar unwanted
    mail in future. See http://spamassassin.org/tag/ for more details.

    Content preview: > I've just reviewed a short range of security logs on
      a > W2k/IIS box and there is an over abundance of repeated > invalid
      login attempts. The attempts seem to focus on > weak user ids (ie;
      admin, administrator, root, sql, > etc.). However I've seen a few
      successful "anonymous" > login/logouts. [...]

    Content analysis details: (2.60 points, 2 required)
    FROM_ENDS_IN_NUMS (0.6 points) From: ends in numbers
    KNOWN_MAILING_LIST (-0.6 points) Email came from some known mailing list software
    FORGED_YAHOO_RCVD (2.6 points) 'From' yahoo.com does not match 'Received' headers

    
    

    attached mail follows:


    Date: Thu, 3 Apr 2003 06:01:26 -0800 (PST)
    From: Harlan Carvey <keydet89@yahoo.com>
    To: security-basics@securityfocus.com
    
    

    > I've just reviewed a short range of security logs on
    a
    > W2k/IIS box and there is an over abundance of
    repeated
    > invalid login attempts. The attempts seem to focus
    on
    > weak user ids (ie; admin, administrator, root, sql,
    > etc.). However I've seen a few successful
    "anonymous"
    > login/logouts.

    Depending on your architecture, it sounds as if this
    W2K box isn't behind any sort of firewall...or if it
    is, ports 139/445 may be let through. Either way,
    both are Very Bad Things(tm).

    If you're looking at the Security EventLog, then the
    IIS server is pretty irrelevant, unless you're using
    some sort of OWA or the IIS server is processing some
    kind of authentication.

    > My two questions are.. is the "anonymous" login
    > something to be concerned about and what's the best
    > way(s) to gather more relevant log data about the
    source
    > of the attacks beyond the scant information provided
    in
    > the Security log (machine name, time/date). Is
    there a
    > way to capture the IP address of the source?

    1. Again, depending on how the infrastructure is set
    up, these anonymous logins could be normal traffic, or
    they could be attempts at null session connects.
    Without more detailed information, a definitive answer
    isn't possible.

    2. Install snort. It's free, and you can set up
    rules to capture just stuff to the particular ports on
    the box. The W2K EventLog doesn't capture IP
    addresses by itself...but snort will go a long way
    toward helping you with this.

    HTH,

    Harlan

    __________________________________________________
    Do you Yahoo!?
    Yahoo! Tax Center - File online, calculators, forms, and more
    http://tax.yahoo.com

    -------------------------------------------------------------------
    SurfControl E-mail Filter puts the brakes on spam,
    viruses and malicious code. Safeguard your business
    critical communications. Download a free 30-day trial:
    http://www.securityfocus.com/SurfControl-security-basics

    
    

    -------------------------------------------------------------------
    SurfControl E-mail Filter puts the brakes on spam,
    viruses and malicious code. Safeguard your business
    critical communications. Download a free 30-day trial:
    http://www.securityfocus.com/SurfControl-security-basics


  • Next message: Kevin Guidry: "Re: Authenticate systems before getting a DHCP IP?"