Re: failed logins from other domains
From: HC (keydet89@yahoo.com) Date: 06/04/02
- Next message: Marcus Williamson: "Re: Help secure a network with hardware and software?"
- Previous message: David D: "failed logins from other domains"
- In reply to: David D: "failed logins from other domains"
- Next in thread: David D: "Re: failed logins from other domains"
- Reply: David D: "Re: failed logins from other domains"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: HC <keydet89@yahoo.com> Date: Tue, 04 Jun 2002 06:20:54 -0400
David,
> Recently in the security log of our win2k server I have noticed that
> there are failed machine logins from machines and users outside our
> windows domain.
>
> generally they look like this
[snip]
> I noticed that the domains all look like people we get mail from
> although I am still yet to confirm this.
It says that the "workstation" is MAILSERVER in the EventLog entry you
posted. It also says that the "user name" is "MAILSERVER$" which
indicates a machine account. Do you have a system on your network
called "MAILSERVER"?
> I have ports udp137, udp138, tcp139, tcp1433 and tcp445 blocked on the
> Firewall
Okay...are you seeing anything in the F/W logs? If not, then it's
probably coming from within your network.
> I have checked all the logs around the time that these events occur
> and found nothing strange. It is either web browsing, dns or mail.
> Activity on ports 3128 and 25, sometimes 53.
It really comes down to what you're logging, and what you consider
"strange". Many times, people don't see what's right under their noses.
Take this activity on port 3128, for example...what is it? That's a
high port...what's generating the activity?
> I tried nessus scanner on the machine to see if there was any obvious
> problems and it found none.
Why would you do that? Nessus is a Linux-based vulnerability
scanner...it doesn't take too much for a trojan or even an errant
process to slip under the radar. What you should be doing is checking
the box itself out.
> The server is patched to the hilt.
Okay. But patches do not "make" security alone. There are quite a few
things that no patch protects from...ACLs and role-based user access,
auditing and monitoring, etc, are required.
> It is an SBS server so it is running the lot. I know this is foolhardy
> but at the time budget won over common sense.
Not sure what you mean by "foolhardy". When you say "running the lot",
are you saying that the SBS server is a web server and PDC as well?
Yeah, that's not a good idea, but it's often all some small shops can
afford.
> Will have dedicated FW
> machine in next week along with conversion to apache etc etc.
Dedicated F/W? Where is the F/W you mentioned above? Is that running
on the SBS server, too?
> My question is how are these appearing? What other ports should I be
> blocking?
> Seen this crap before?
To be honest, you really haven't done a whole lot to show what the
"crap" is. I'm not trying to flame or belittle you...not at all. I see
this all the time in the IR course I teach for NT/2K...folks just don't
know where to begin. Many times, NT admins read the lists and think
from what they see that the only way to get to learn about security is
to install Linux and run Nessus.
Here's what I suggest...these failed logins are coming from somewhere, right?
In order to even attempt the login, the three-stage TCP handshake needs
to be completed...so let's start there. Where is this "MAILSERVER"
machine, in relation to the system that you found the failed logins on?
If this is not a system that's anywhere on your network, then it's a
strong possibility that your f/w isn't configured the way you think it is...
If you would like some assistance w/ this, just drop me a line...
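The triage HC describes (is the "workstation" a machine account, does the domain belong to you, how often does each source show up) can be scripted before anyone touches a firewall. The following is an added example, not code from the thread or from either poster; the event lines are constructed to mirror the User Name / Domain / Workstation Name fields of a Windows 2000 failed-logon entry, and the domain names are placeholders.

```python
import re

# Constructed sample records modelled on the fields of a Windows 2000
# Security log failed-logon entry. They are made up for this example and
# are not the entries David posted (those were snipped from the thread).
SAMPLE_EVENTS = [
    "529 Logon Failure: User Name: MAILSERVER$ Domain: EXAMPLE-CORP Workstation Name: MAILSERVER",
    "529 Logon Failure: User Name: MAILSERVER$ Domain: EXAMPLE-CORP Workstation Name: MAILSERVER",
    "529 Logon Failure: User Name: jsmith Domain: OURDOMAIN Workstation Name: WS01",
    "529 Logon Failure: User Name: BOX7$ Domain: OTHERDOM Workstation Name: BOX7",
    "538 User Logoff: User Name: jsmith Domain: OURDOMAIN",
]

# Pulls the three fields the thread keys on out of one exported event line.
EVENT_RE = re.compile(
    r"User Name:\s*(?P<user>\S+)\s+Domain:\s*(?P<domain>\S+)\s+Workstation Name:\s*(?P<ws>\S+)"
)

def parse_event(line):
    """Return (user, domain, workstation) or None if the line lacks those fields."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    return m.group("user"), m.group("domain"), m.group("ws")

def triage(lines, our_domains):
    """Group failed logons by (domain, workstation) and note whether the
    account is a computer account and whether the domain is one of ours."""
    ours = {d.upper() for d in our_domains}
    summary = {}
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        user, domain, ws = parsed
        entry = summary.setdefault((domain, ws), {"count": 0, "users": set(),
                                                  "machine_account": False, "foreign": False})
        entry["count"] += 1
        entry["users"].add(user)
        # A trailing '$' on the user name is the NT convention for a computer account.
        entry["machine_account"] |= user.endswith("$")
        entry["foreign"] |= domain.upper() not in ours
    return summary

def foreign_machine_sources(summary):
    """Sorted (domain, workstation) pairs that are both foreign and machine accounts:
    the hosts to locate on the wire (or in the firewall logs) first."""
    return sorted(k for k, v in summary.items() if v["foreign"] and v["machine_account"])
```

Each remaining (domain, workstation) pair is a host that completed a TCP handshake with the server; if it is not on your network, the next place to look is the firewall log for that address.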