Security Incidents mailing list archives
Re: Strange Windows logon attempts
From: chris emer <chris () hostmysite com>
Date: 23 Sep 2003 17:36:22 -0000
In-Reply-To: <005301c37885$80b45030$0101010a () nmi net> I have noticed on one of our servers that there were many attempts to login as "webmaster" in a very short time period. I checked 3 other servers and found the same thing. The time range for the attempted login was between the 19 Sept and the 23rd Sept. The login attempts were every 2 or 3 seconds and they never got in. They showed up in the event log with a Event ID of 100 and a source SMTPSVC. I am keeping a close eye on this, any additional help or suggestions would be great. Chris
Received: (qmail 7172 invoked from network); 11 Sep 2003 17:07:36 -0000
Received: from outgoing2.securityfocus.com (205.206.231.26)
by mail.securityfocus.com with SMTP; 11 Sep 2003 17:07:36 -0000
Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
by outgoing2.securityfocus.com (Postfix) with QMQP
id 5E79F8F2DE; Thu, 11 Sep 2003 05:11:53 -0600 (MDT)
Mailing-List: contact incidents-help () securityfocus com; run by ezmlm
Precedence: bulk
List-Id: <incidents.list-id.securityfocus.com>
List-Post: <mailto:incidents () securityfocus com>
List-Help: <mailto:incidents-help () securityfocus com>
List-Unsubscribe: <mailto:incidents-unsubscribe () securityfocus com>
List-Subscribe: <mailto:incidents-subscribe () securityfocus com>
Delivered-To: mailing list incidents () securityfocus com
Delivered-To: moderator for incidents () securityfocus com
Received: (qmail 743 invoked from network); 11 Sep 2003 10:54:50 -0000
From: "Chris Harrington" <cmh () nmi net>
To: <incidents () securityfocus com>
Subject: Strange Windows logon attempts
Date: Thu, 11 Sep 2003 12:55:27 -0400
Message-ID: <005301c37885$80b45030$0101010a () nmi net>
MIME-Version: 1.0
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
Content-Type: multipart/signed;
protocol="application/x-pkcs7-signature";
micalg=SHA1;
boundary="----=_NextPart_000_004E_01C37863.F9688D60"
In-Reply-To: <20030910152212.32524.qmail () sf-www2-symnsj securityfocus com>
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
------=_NextPart_000_004E_01C37863.F9688D60
Content-Type: text/plain;
charset="US-ASCII"
Content-Transfer-Encoding: 7bit
All,
A customer notified us that someone / something tried to log into one of
their servers repeatedly but failed. It appears to be some sort of
script since it tried 6 usernames with 23 passwords in under 2 minutes.
The event log is a typical 529 event ID. The logon type was 3 (network)
and the logon process was advapi. I generally see this when someone
tries to log in to IIS using cleartext authentication. There is no
evidence in the w3svc logs of these attempts. There were no successful
logins using that logon process.
This server is an Exchange server with port 25 accessible from the
Internet. I have verified this is the only port open by scan and
firewall rules.
1. Can anyone access the advapi (or any domain login process) over port
25 on an Exchange server? I did not think that SMTP AUTH could do that..
2. What other common programs use the advapi call for authentication?
The usernames that were tried are webmaster, admin, root, test, master,
web. Each one was tried in that order with 23 passwords, all failed.
3. Does anyone know what script / app / virus / worm that could be?
Any insights??
Thanks,
--Chris
------=_NextPart_000_004E_01C37863.F9688D60
Content-Type: application/x-pkcs7-signature;
name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="smime.p7s"
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIKGzCCAjww
ggGlAhAyUDPPUNFW81yBrWVcT8glMA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMRcwFQYD
VQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMSBQdWJsaWMgUHJpbWFyeSBDZXJ0
aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NjAxMjkwMDAwMDBaFw0yMDAxMDcyMzU5NTlaMF8xCzAJ
BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMSBQdWJs
aWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
gYkCgYEA5Rm/baNWYS2ZSHH2Z965jeu3noaACpEO+jglr0aIguVzqKCbJF0NH8xlbgyw0FaEGIea
BpsQoXPftFg5a27B9hXVqKg/qhIGjTGsf7A01480Z4gJzRQR4k5FVmkfeAKA2txHkSm7NsljXMXg
1y2He6G3MrB7MLoqLzGq7qNn2tsCAwEAATANBgkqhkiG9w0BAQIFAAOBgQBLRGZgaGTkmBvzsHLm
lYl83XuzlcAdLtjYGdAtND3GUJoQhoyqPzuoBPw3UpXD2cnbzfKGBsSxG/CCiDBCjhdQHGR6uD6Z
SXSX/KwCQ/uWDFYEJQx8fIedJKfY8DIptaTfXaJMxRYyqEL2Raa2Nrngv2U2k8LS12vc3lnWojX4
RTCCA2IwggLLoAMCAQICEAvaCxfBP4mOqwl0erTOLjMwDQYJKoZIhvcNAQECBQAwXzELMAkGA1UE
BhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAxIFB1YmxpYyBQ
cmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk4MDUxMjAwMDAwMFoXDTA4MDUxMjIz
NTk1OVowgcwxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVz
dCBOZXR3b3JrMUYwRAYDVQQLEz13d3cudmVyaXNpZ24uY29tL3JlcG9zaXRvcnkvUlBBIEluY29y
cC4gQnkgUmVmLixMSUFCLkxURChjKTk4MUgwRgYDVQQDEz9WZXJpU2lnbiBDbGFzcyAxIENBIElu
ZGl2aWR1YWwgU3Vic2NyaWJlci1QZXJzb25hIE5vdCBWYWxpZGF0ZWQwgZ8wDQYJKoZIhvcNAQEB
BQADgY0AMIGJAoGBALtaRIoEFrtV/QN6ii2UTxV4NrgNSrJvnFS/vOh3Kp258Gi7ldkxQXB6gUu5
SBNWLccI4YRCq8CikqtEXKpC8IIOAukv+8I7u77JJwpdtrA2QjO1blSIT4dKvxna+RXoD4e2HOPM
xpqOf2okkuP84GW6p7F+78nbN2rISsgJBuSZAgMBAAGjgbAwga0wDwYDVR0TBAgwBgEB/wIBADBH
BgNVHSAEQDA+MDwGC2CGSAGG+EUBBwEBMC0wKwYIKwYBBQUHAgEWH3d3dy52ZXJpc2lnbi5jb20v
cmVwb3NpdG9yeS9SUEEwMQYDVR0fBCowKDAmoCSgIoYgaHR0cDovL2NybC52ZXJpc2lnbi5jb20v
cGNhMS5jcmwwCwYDVR0PBAQDAgEGMBEGCWCGSAGG+EIBAQQEAwIBBjANBgkqhkiG9w0BAQIFAAOB
gQACfZ5vRUs4oLje6VNkIbzkTCuPHv6SQKzYCjlqoTIhLAebq1n+0mIafVU4sDdz3PQHZmNiveFT
cFKH56jYUulbLarh3s+sMVTUixnI2COo7wQrMn0sGBzIfImoLnfyRNFlCk10te7TG5JzdC6JOzUT
cudAMZrTssSr51a+i+P7FTCCBHEwggPaoAMCAQICECbAvFdyqJEJOyDXl4cnIVcwDQYJKoZIhvcN
AQEEBQAwgcwxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVz
dCBOZXR3b3JrMUYwRAYDVQQLEz13d3cudmVyaXNpZ24uY29tL3JlcG9zaXRvcnkvUlBBIEluY29y
cC4gQnkgUmVmLixMSUFCLkxURChjKTk4MUgwRgYDVQQDEz9WZXJpU2lnbiBDbGFzcyAxIENBIElu
ZGl2aWR1YWwgU3Vic2NyaWJlci1QZXJzb25hIE5vdCBWYWxpZGF0ZWQwHhcNMDMwNzA4MDAwMDAw
WhcNMDQwNzA3MjM1OTU5WjCCARUxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW
ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMUYwRAYDVQQLEz13d3cudmVyaXNpZ24uY29tL3JlcG9zaXRv
cnkvUlBBIEluY29ycC4gYnkgUmVmLixMSUFCLkxURChjKTk4MR4wHAYDVQQLExVQZXJzb25hIE5v
dCBWYWxpZGF0ZWQxNDAyBgNVBAsTK0RpZ2l0YWwgSUQgQ2xhc3MgMSAtIE1pY3Jvc29mdCBGdWxs
IFNlcnZpY2UxHzAdBgNVBAMUFkNocmlzdG9waGVyIEhhcnJpbmd0b24xGjAYBgkqhkiG9w0BCQEW
C2NtaEBubWkubmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDmEQ6mL9BFMEPqs7eKTY1b
6xeACtBjLliHOZ20copZKKYE9BLqU+JSEvUHJTEjNdB0W/qS2qoWBw7txNrO/vY08CwAMa4s/qoP
4ckhQmtPVRcbX3jO7163rME6YPmtwPXF8sdvcql+7eqnk1nbQcqD/CI9gZpgEnikdmnGmRaSeQID
AQABo4IBBjCCAQIwCQYDVR0TBAIwADCBrAYDVR0gBIGkMIGhMIGeBgtghkgBhvhFAQcBATCBjjAo
BggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL0NQUzBiBggrBgEFBQcCAjBWMBUW
DlZlcmlTaWduLCBJbmMuMAMCAQEaPVZlcmlTaWduJ3MgQ1BTIGluY29ycC4gYnkgcmVmZXJlbmNl
IGxpYWIuIGx0ZC4gKGMpOTcgVmVyaVNpZ24wEQYJYIZIAYb4QgEBBAQDAgeAMDMGA1UdHwQsMCow
KKAmoCSGImh0dHA6Ly9jcmwudmVyaXNpZ24uY29tL2NsYXNzMS5jcmwwDQYJKoZIhvcNAQEEBQAD
gYEAeeRzCKM9Sxz5HTdwD+Izn80NedtiPmpvZjxjFGGqRkQIl5rek3+2SxrT6N75bNXxNBEzc1mP
tHhHE6jfVx7cEjkhpWitj+GwPDbXjDr6ROeu5L2fb2fM1fJ/XY+nW/7mt12VN4UO4xrSn6CywiJU
ABUEnvoOHmh6tfUihmx+vx4xggQ+MIIEOgIBATCB4TCBzDEXMBUGA1UEChMOVmVyaVNpZ24sIElu
Yy4xHzAdBgNVBAsTFlZlcmlTaWduIFRydXN0IE5ldHdvcmsxRjBEBgNVBAsTPXd3dy52ZXJpc2ln
bi5jb20vcmVwb3NpdG9yeS9SUEEgSW5jb3JwLiBCeSBSZWYuLExJQUIuTFREKGMpOTgxSDBGBgNV
BAMTP1ZlcmlTaWduIENsYXNzIDEgQ0EgSW5kaXZpZHVhbCBTdWJzY3JpYmVyLVBlcnNvbmEgTm90
IFZhbGlkYXRlZAIQJsC8V3KokQk7INeXhychVzAJBgUrDgMCGgUAoIICsjAYBgkqhkiG9w0BCQMx
CwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0wMzA5MTExNjU1MjdaMCMGCSqGSIb3DQEJBDEW
BBRHOwyRKerRibv7cko60Roy69vMlTBnBgkqhkiG9w0BCQ8xWjBYMAoGCCqGSIb3DQMHMAcGBSsO
AwIaMA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIB
KDAKBggqhkiG9w0CBTCB8gYJKwYBBAGCNxAEMYHkMIHhMIHMMRcwFQYDVQQKEw5WZXJpU2lnbiwg
SW5jLjEfMB0GA1UECxMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazFGMEQGA1UECxM9d3d3LnZlcmlz
aWduLmNvbS9yZXBvc2l0b3J5L1JQQSBJbmNvcnAuIEJ5IFJlZi4sTElBQi5MVEQoYyk5ODFIMEYG
A1UEAxM/VmVyaVNpZ24gQ2xhc3MgMSBDQSBJbmRpdmlkdWFsIFN1YnNjcmliZXItUGVyc29uYSBO
b3QgVmFsaWRhdGVkAhAmwLxXcqiRCTsg15eHJyFXMIH0BgsqhkiG9w0BCRACCzGB5KCB4TCBzDEX
MBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRydXN0IE5ldHdvcmsx
RjBEBgNVBAsTPXd3dy52ZXJpc2lnbi5jb20vcmVwb3NpdG9yeS9SUEEgSW5jb3JwLiBCeSBSZWYu
LExJQUIuTFREKGMpOTgxSDBGBgNVBAMTP1ZlcmlTaWduIENsYXNzIDEgQ0EgSW5kaXZpZHVhbCBT
dWJzY3JpYmVyLVBlcnNvbmEgTm90IFZhbGlkYXRlZAIQJsC8V3KokQk7INeXhychVzANBgkqhkiG
9w0BAQEFAASBgC0y5wnhIfSocNGRIofB/ZXVM5spyD5JAbo+2QzNFDoiX4eHxw2+YMfpZxhhnn2C
EUBhDEt1sFtiuG0A3h8lSGbAGsw3jRbpqj7NLt3StaEM2WQlwyyU3bUDoaeTkWOjrvsyYi66q0wQ
+H7S9hDS2c4f8t6oNSJJjVjoYg51/DB0AAAAAAAA
------=_NextPart_000_004E_01C37863.F9688D60--
--------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Re: Strange Windows logon attempts chris emer (Sep 23)
- <Possible follow-ups>
- RE: Strange Windows logon attempts David Harper (Sep 24)
- RE: Strange Windows logon attempts Clive Kingston (Sep 24)
- RE: Strange Windows logon attempts Bill Proffitt (Sep 24)