Re: Capturing hack/login attempts

From: Adam Murray (etown9799_at_yahoo.com)
Date: 08/30/04


Date: 30 Aug 2004 10:13:53 -0700

You can also use Ethereal to capture the packets that are coming in
so you can see what IP address they are coming from.

http://www.ethereal.com/

It's free and very easy to use.

"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message news:<#lISeHijEHA.3944@tk2msftngp13.phx.gbl>...
> You want something called an "IDS" (Intrusion Detection System). There are
> lots of open source and commercial packages out there.
>
> Snort is a popular Open Source product:
> http://www.snort.org/
>
> Cheers
> Ken
>
> "tech_ed" <tech_ed@yahoo.com> wrote in message
> news:a04ff5d0114308535da6d0dfe0616cc9@localhost.talkaboutsoftware.com...
> > Greets.
> > I manage a bunch of IIS servers and am seeing quite a bit of traffic
> > relating to attempts to gain access to my machines.
> > The information I see is in the event logs.
> > In the security logs, I see:
> > Source: Security
> > Category: Account Logon
> > Event ID: 681
> > The logon to account: pubah
> > by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> > from workstation: IIS0459A
> > failed. The error code was: 3221225572
> >
> > Then the next log says:
> > Source: Security
> > Category: login/logoff
> > Event ID: 529
> > Logon Failure:
> > Reason: Unknown user name or bad password
> > User Name: pubah
> > Domain: <the server's name>
> > Logon Type: 2
> > Logon Process: IIS
> > Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> > Workstation Name: <the same server name>
> >
> > Then there is a corresponding log in the system log:
> > Source: w3scv
> > Category: None
> > Event ID: 100
> > The server was unable to logon the Windows NT account 'pubah' due to the
> > following error: Logon failure: unknown user name or bad password. The
> > data is the error code.
> > For additional information specific to this message please visit the
> > Microsoft Online Support site located at:
> > http://www.microsoft.com/contentredirect.asp.
> >
> > I am getting these by the hundreds every 5 minutes.
> > It seems to be a dictionary attack.
> > What I would like to know if there is some kind of sniffer I can use to
> > capture these attacks and if so, what should I be capturing and what
> > trigger should I be monitoring?
> > Any advice would be appreciated.
> > Ed
> > web/gadget guru
> >

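Added example, not code from anyone in this thread: a small triage script for failed-logon records laid out like the Event ID 681 descriptions Ed pasted. It decodes the decimal NTSTATUS error code (the 3221225572 in the thread is 0xC0000064, STATUS_NO_SUCH_USER, which matches the "unknown user name" text of the following 529 event), then counts failures per workstation in fixed 5-minute windows so a burst of guesses stands out. The `Time:` line in each record, the sample records and their timestamps are constructed for the demonstration; a real event-log export would carry its own timestamp field.

```python
"""Triage of Event ID 681 failed-logon records (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# NTSTATUS values that commonly appear in the 681 "error code" field.
# 3221225572 from the thread is 0xC0000064 = STATUS_NO_SUCH_USER.
NTSTATUS_NAMES = {
    0xC0000064: "STATUS_NO_SUCH_USER (unknown user name)",
    0xC000006A: "STATUS_WRONG_PASSWORD (existing account, bad password)",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

EPOCH = datetime(1970, 1, 1)  # fixed reference so window edges ignore local TZ

# One record per 681 event; the "Time:" line is an assumption added for bucketing.
RECORD_RE = re.compile(
    r"Time: (?P<time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+"
    r"Source: Security\s+Category: Account Logon\s+Event ID: 681\s+"
    r"The logon to account: (?P<account>\S+)\s+"
    r"by: (?P<package>\S+)\s+"
    r"from workstation: (?P<workstation>\S+)\s+"
    r"failed\. The error code was: (?P<code>\d+)"
)


def decode_ntstatus(code):
    """Translate the decimal error code of a 681 event into its NTSTATUS name."""
    code = int(code)
    return NTSTATUS_NAMES.get(code, f"unknown NTSTATUS 0x{code:08X}")


def parse_681(text):
    """Extract one dict per Event ID 681 record found in the text."""
    events = []
    for m in RECORD_RE.finditer(text):
        events.append({
            "time": datetime.strptime(m.group("time"), "%Y-%m-%d %H:%M:%S"),
            "account": m.group("account"),
            "workstation": m.group("workstation"),
            "code": int(m.group("code")),
            "reason": decode_ntstatus(m.group("code")),
        })
    return events


def detect_bursts(events, window_seconds=300, threshold=10):
    """Group failures per workstation into fixed windows; report windows at/over threshold.

    The reason breakdown separates guessing of non-existent names from
    password guessing against real accounts.
    """
    windows = defaultdict(list)
    for e in events:
        bucket = int((e["time"] - EPOCH).total_seconds()) // window_seconds
        windows[(e["workstation"], bucket)].append(e)
    alerts = []
    for (ws, bucket), evs in sorted(windows.items()):
        if len(evs) < threshold:
            continue
        reasons = defaultdict(int)
        for e in evs:
            reasons[e["reason"]] += 1
        alerts.append({
            "workstation": ws,
            "window_start": EPOCH + timedelta(seconds=bucket * window_seconds),
            "failures": len(evs),
            "accounts": sorted({e["account"] for e in evs}),
            "reasons": dict(reasons),
        })
    return alerts


RECORD_TEMPLATE = (
    "Time: {time}\nSource: Security\nCategory: Account Logon\nEvent ID: 681\n"
    "The logon to account: {account}\nby: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
    "from workstation: {ws}\nfailed. The error code was: {code}\n\n"
)

# Constructed sample: twelve guesses at "pubah" from IIS0459A inside one 5-minute
# window (error 3221225572 as in the thread), then one wrong password for a real
# account a few minutes later, which alone should not trip the threshold.
_SAMPLE = [(f"2004-08-30 10:00:{5 * i:02d}", "pubah", "IIS0459A", 3221225572)
           for i in range(12)]
_SAMPLE.append(("2004-08-30 10:07:30", "webadmin", "IIS0459A", 3221225578))
SAMPLE_TEXT = "".join(RECORD_TEMPLATE.format(time=t, account=a, ws=w, code=c)
                      for t, a, w, c in _SAMPLE)


def triage(text=SAMPLE_TEXT, threshold=10):
    """Parse the text and return the burst alerts for it."""
    return detect_bursts(parse_681(text), threshold=threshold)


if __name__ == "__main__":
    for alert in triage():
        print(alert)
```

Note what the alert cannot tell you: as Ed's own 529 event shows, the Workstation Name is the IIS server itself, because the web server performs the logon on behalf of the HTTP client, so the Security log never names the remote address. To get it, line the alert window up against the IIS W3C log (the `c-ip` column on the 401 responses in the same minutes) or against a packet capture as Adam suggests; the Security log tells you which accounts and how hard, the web log or capture tells you from where.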

