Security Incidents mailing list archives
Re: Strange Windows logon attempts
From: chris emer <chris () hostmysite com>
Date: 23 Sep 2003 17:36:22 -0000
In-Reply-To: <005301c37885$80b45030$0101010a () nmi net>

I have noticed on one of our servers that there were many attempts to log in as "webmaster" in a very short time period. I checked 3 other servers and found the same thing. The time range for the attempted logins was between 19 Sept and 23 Sept. The login attempts were every 2 or 3 seconds and they never got in. They showed up in the event log with an Event ID of 100 and a source of SMTPSVC. I am keeping a close eye on this; any additional help or suggestions would be great.

Chris
From: "Chris Harrington" <cmh () nmi net>
To: <incidents () securityfocus com>
Subject: Strange Windows logon attempts
Date: Thu, 11 Sep 2003 12:55:27 -0400
Message-ID: <005301c37885$80b45030$0101010a () nmi net>

All,

A customer notified us that someone / something tried to log into one of their servers repeatedly but failed. It appears to be some sort of script since it tried 6 usernames with 23 passwords in under 2 minutes. The event log is a typical 529 event ID. The logon type was 3 (network) and the logon process was advapi. I generally see this when someone tries to log in to IIS using cleartext authentication. There is no evidence in the w3svc logs of these attempts. There were no successful logins using that logon process.

This server is an Exchange server with port 25 accessible from the Internet. I have verified this is the only port open by scan and firewall rules.

1. Can anyone access the advapi (or any domain login process) over port 25 on an Exchange server? I did not think that SMTP AUTH could do that.

2. What other common programs use the advapi call for authentication? The usernames that were tried are webmaster, admin, root, test, master, web. Each one was tried in that order with 23 passwords, all failed.

3. Does anyone know what script / app / virus / worm that could be?

Any insights??

Thanks,
--Chris
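What the original poster describes (six usernames tried with 23 passwords each inside two minutes, all logged as Event ID 529 with logon type 3 and logon process advapi) is a pattern a defender can pick out of the Security log by rate and by account spread rather than by any single failure. The script below is an added example, not code from either poster: it parses a constructed tab-separated export of 529 records (the field layout, the 10.1.1.1 source address, the 0.8 s cadence and the alert thresholds are assumptions; only the account list comes from the thread) and reports, per source workstation, any run of failures that sweeps several accounts inside a short window.

```python
"""Detect scripted logon guessing in exported Windows Security log records.

Added example (not code from the thread). The tab-separated export format,
the 10.1.1.1 source address and the thresholds are all constructed here.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class LogonFailure:
    when: datetime
    event_id: int
    user: str
    logon_type: int     # 529 field "Logon Type" (3 = network)
    logon_process: str  # 529 field "Logon Process" (e.g. advapi)
    source: str         # assumed to be taken from the 529 "Workstation Name" field


# Assumed export layout: a header line, then one tab-separated record per line.
HEADER = "time\tevent_id\tuser\tlogon_type\tlogon_process\tsource"


def constructed_export() -> str:
    """Build sample data matching the thread: six usernames, 23 passwords
    each, one failure every 0.8 s, plus two ordinary typos from elsewhere."""
    lines = [HEADER]
    t = datetime(2003, 9, 10, 14, 0, 0)
    for user in ["webmaster", "admin", "root", "test", "master", "web"]:
        for _ in range(23):
            lines.append(f"{t.isoformat()}\t529\t{user}\t3\tadvapi\t10.1.1.1")
            t += timedelta(milliseconds=800)
    # Benign noise: a real user mistyping a password twice, minutes apart.
    lines.append("2003-09-10T14:05:00\t529\tjsmith\t2\tUser32\tWKS-07")
    lines.append("2003-09-10T14:09:30\t529\tjsmith\t2\tUser32\tWKS-07")
    return "\n".join(lines)


def parse_export(text: str) -> List[LogonFailure]:
    records = []
    for line in text.splitlines()[1:]:  # skip the header line
        when, eid, user, ltype, lproc, src = line.split("\t")
        records.append(LogonFailure(datetime.fromisoformat(when), int(eid),
                                    user, int(ltype), lproc, src))
    return records


def _summarize(source: str, burst: List[LogonFailure]) -> Dict:
    return {
        "source": source,
        "first": burst[0].when,
        "last": burst[-1].when,
        "attempts": len(burst),
        "users": sorted({e.user for e in burst}),
        "logon_types": sorted({e.logon_type for e in burst}),
        "logon_processes": sorted({e.logon_process for e in burst}),
    }


def find_guessing_bursts(failures: List[LogonFailure],
                         window: timedelta = timedelta(minutes=2),
                         min_attempts: int = 20,
                         min_users: int = 3) -> List[Dict]:
    """Per source, slide a time window over the 529 events and report every
    run in which at least `min_attempts` failures span at least `min_users`
    accounts. A single account hammered many times is left to account-lockout
    policy; the thread's pattern is a sweep across several usernames."""
    by_source = defaultdict(list)
    for f in failures:
        if f.event_id == 529:
            by_source[f.source].append(f)

    alerts = []
    for source, events in by_source.items():
        events.sort(key=lambda e: e.when)
        win: deque = deque()
        burst: List[LogonFailure] = []  # events belonging to the current run
        for e in events:
            win.append(e)
            while e.when - win[0].when > window:
                win.popleft()
            hot = len(win) >= min_attempts and len({x.user for x in win}) >= min_users
            if hot:
                if not burst:
                    burst = list(win)   # run starts: keep everything already in the window
                else:
                    burst.append(e)
            elif burst:
                alerts.append(_summarize(source, burst))  # run has cooled off
                burst = []
        if burst:
            alerts.append(_summarize(source, burst))
    return alerts


if __name__ == "__main__":
    for a in find_guessing_bursts(parse_export(constructed_export())):
        span = (a["last"] - a["first"]).total_seconds()
        print(f'{a["source"]}: {a["attempts"]} failures across '
              f'{len(a["users"])} accounts in {span:.1f}s '
              f'(logon types {a["logon_types"]}, processes {a["logon_processes"]})')
```

The two jsmith failures are the intended negative case: a person mistyping a password is neither fast enough nor spread across enough accounts to fire. Against a real export the source field would come from the 529 event's Workstation Name, which can be blank or uninformative for logons that arrive through a service rather than from a workstation, so the account spread and the timing carry most of the signal; the logon type and logon process are reported alongside so the analyst can tie the run back to the path (here type 3 via advapi) the thread is asking about.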
Current thread:
- Re: Strange Windows logon attempts chris emer (Sep 23)
- <Possible follow-ups>
- RE: Strange Windows logon attempts David Harper (Sep 24)
- RE: Strange Windows logon attempts Clive Kingston (Sep 24)
- RE: Strange Windows logon attempts Bill Proffitt (Sep 24)