Security Incidents mailing list archives
RE: Strange Windows logon attempts
From: David Harper <david.harper () thermon com>
Date: Wed, 24 Sep 2003 07:22:13 -0500
FYI, we get these a lot as well, but we also see the same thing on our web server. There it attempts to log on via the FTP service. Same modus operandi, just a different service. I'd keep a close watch on any Internet facing servers to see if it's trying to hit any of them on a different service. -----Original Message----- From: chris emer [mailto:chris () hostmysite com] Sent: Tuesday, September 23, 2003 12:36 PM To: incidents () securityfocus com Subject: Re: Strange Windows logon attempts In-Reply-To: <005301c37885$80b45030$0101010a () nmi net> I have noticed on one of our servers that there were many attempts to login as "webmaster" in a very short time period. I checked 3 other servers and found the same thing. The time range for the attempted login was between the 19 Sept and the 23rd Sept. The login attempts were every 2 or 3 seconds and they never got in. They showed up in the event log with a Event ID of 100 and a source SMTPSVC. I am keeping a close eye on this, any additional help or suggestions would be great. Chris
Received: (qmail 7172 invoked from network); 11 Sep 2003 17:07:36 -0000
Received: from outgoing2.securityfocus.com (205.206.231.26)
by mail.securityfocus.com with SMTP; 11 Sep 2003 17:07:36 -0000
Received: from lists.securityfocus.com (lists.securityfocus.com
[205.206.231.19])
by outgoing2.securityfocus.com (Postfix) with QMQP
id 5E79F8F2DE; Thu, 11 Sep 2003 05:11:53 -0600 (MDT)
Mailing-List: contact incidents-help () securityfocus com; run by ezmlm
Precedence: bulk
List-Id: <incidents.list-id.securityfocus.com>
List-Post: <mailto:incidents () securityfocus com>
List-Help: <mailto:incidents-help () securityfocus com>
List-Unsubscribe: <mailto:incidents-unsubscribe () securityfocus com>
List-Subscribe: <mailto:incidents-subscribe () securityfocus com>
Delivered-To: mailing list incidents () securityfocus com
Delivered-To: moderator for incidents () securityfocus com
Received: (qmail 743 invoked from network); 11 Sep 2003 10:54:50 -0000
From: "Chris Harrington" <cmh () nmi net>
To: <incidents () securityfocus com>
Subject: Strange Windows logon attempts
Date: Thu, 11 Sep 2003 12:55:27 -0400
Message-ID: <005301c37885$80b45030$0101010a () nmi net>
MIME-Version: 1.0
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
Content-Type: multipart/signed;
protocol="application/x-pkcs7-signature";
micalg=SHA1;
boundary="----=_NextPart_000_004E_01C37863.F9688D60"
In-Reply-To: <20030910152212.32524.qmail () sf-www2-symnsj securityfocus com>
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
------=_NextPart_000_004E_01C37863.F9688D60
Content-Type: text/plain;
charset="US-ASCII"
Content-Transfer-Encoding: 7bit
All,
A customer notified us that someone / something tried to log into one of
their servers repeatedly but failed. It appears to be some sort of
script since it tried 6 usernames with 23 passwords in under 2 minutes.
The event log is a typical 529 event ID. The logon type was 3 (network)
and the logon process was advapi. I generally see this when someone
tries to log in to IIS using cleartext authentication. There is no
evidence in the w3svc logs of these attempts. There were no successful
logins using that logon process.
This server is an Exchange server with port 25 accessible from the
Internet. I have verified this is the only port open by scan and
firewall rules.
1. Can anyone access the advapi (or any domain login process) over port
25 on an Exchange server? I did not think that SMTP AUTH could do that..
2. What other common programs use the advapi call for authentication?
The usernames that were tried are webmaster, admin, root, test, master,
web. Each one was tried in that order with 23 passwords, all failed.
3. Does anyone know what script / app / virus / worm that could be?
Any insights??
Thanks,
--Chris
------=_NextPart_000_004E_01C37863.F9688D60
Content-Type: application/x-pkcs7-signature;
name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="smime.p7s"
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIKGzCCAjw
w
ggGlAhAyUDPPUNFW81yBrWVcT8glMA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMRcwFQY
D
VQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMSBQdWJsaWMgUHJpbWFyeSBDZXJ
0
aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NjAxMjkwMDAwMDBaFw0yMDAxMDcyMzU5NTlaMF8xCzA
J
BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMSBQdWJ
s
aWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQA
w
gYkCgYEA5Rm/baNWYS2ZSHH2Z965jeu3noaACpEO+jglr0aIguVzqKCbJF0NH8xlbgyw0FaEGIe
a
BpsQoXPftFg5a27B9hXVqKg/qhIGjTGsf7A01480Z4gJzRQR4k5FVmkfeAKA2txHkSm7NsljXMX
g
1y2He6G3MrB7MLoqLzGq7qNn2tsCAwEAATANBgkqhkiG9w0BAQIFAAOBgQBLRGZgaGTkmBvzsHL
m
lYl83XuzlcAdLtjYGdAtND3GUJoQhoyqPzuoBPw3UpXD2cnbzfKGBsSxG/CCiDBCjhdQHGR6uD6
Z
SXSX/KwCQ/uWDFYEJQx8fIedJKfY8DIptaTfXaJMxRYyqEL2Raa2Nrngv2U2k8LS12vc3lnWojX
4
RTCCA2IwggLLoAMCAQICEAvaCxfBP4mOqwl0erTOLjMwDQYJKoZIhvcNAQECBQAwXzELMAkGA1U
E
BhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAxIFB1YmxpYyB
Q
cmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk4MDUxMjAwMDAwMFoXDTA4MDUxMjI
z
NTk1OVowgcwxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnV
z
dCBOZXR3b3JrMUYwRAYDVQQLEz13d3cudmVyaXNpZ24uY29tL3JlcG9zaXRvcnkvUlBBIEluY29
y
cC4gQnkgUmVmLixMSUFCLkxURChjKTk4MUgwRgYDVQQDEz9WZXJpU2lnbiBDbGFzcyAxIENBIEl
u
ZGl2aWR1YWwgU3Vic2NyaWJlci1QZXJzb25hIE5vdCBWYWxpZGF0ZWQwgZ8wDQYJKoZIhvcNAQE
B
BQADgY0AMIGJAoGBALtaRIoEFrtV/QN6ii2UTxV4NrgNSrJvnFS/vOh3Kp258Gi7ldkxQXB6gUu
5
SBNWLccI4YRCq8CikqtEXKpC8IIOAukv+8I7u77JJwpdtrA2QjO1blSIT4dKvxna+RXoD4e2HOP
M
xpqOf2okkuP84GW6p7F+78nbN2rISsgJBuSZAgMBAAGjgbAwga0wDwYDVR0TBAgwBgEB/wIBADB
H
BgNVHSAEQDA+MDwGC2CGSAGG+EUBBwEBMC0wKwYIKwYBBQUHAgEWH3d3dy52ZXJpc2lnbi5jb20
v
cmVwb3NpdG9yeS9SUEEwMQYDVR0fBCowKDAmoCSgIoYgaHR0cDovL2NybC52ZXJpc2lnbi5jb20
v
cGNhMS5jcmwwCwYDVR0PBAQDAgEGMBEGCWCGSAGG+EIBAQQEAwIBBjANBgkqhkiG9w0BAQIFAAO
B
gQACfZ5vRUs4oLje6VNkIbzkTCuPHv6SQKzYCjlqoTIhLAebq1n+0mIafVU4sDdz3PQHZmNiveF
T
cFKH56jYUulbLarh3s+sMVTUixnI2COo7wQrMn0sGBzIfImoLnfyRNFlCk10te7TG5JzdC6JOzU
T
cudAMZrTssSr51a+i+P7FTCCBHEwggPaoAMCAQICECbAvFdyqJEJOyDXl4cnIVcwDQYJKoZIhvc
N
AQEEBQAwgcwxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnV
z
dCBOZXR3b3JrMUYwRAYDVQQLEz13d3cudmVyaXNpZ24uY29tL3JlcG9zaXRvcnkvUlBBIEluY29
y
cC4gQnkgUmVmLixMSUFCLkxURChjKTk4MUgwRgYDVQQDEz9WZXJpU2lnbiBDbGFzcyAxIENBIEl
u
ZGl2aWR1YWwgU3Vic2NyaWJlci1QZXJzb25hIE5vdCBWYWxpZGF0ZWQwHhcNMDMwNzA4MDAwMDA
w
WhcNMDQwNzA3MjM1OTU5WjCCARUxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZ
W
ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMUYwRAYDVQQLEz13d3cudmVyaXNpZ24uY29tL3JlcG9zaXR
v
cnkvUlBBIEluY29ycC4gYnkgUmVmLixMSUFCLkxURChjKTk4MR4wHAYDVQQLExVQZXJzb25hIE5
v
dCBWYWxpZGF0ZWQxNDAyBgNVBAsTK0RpZ2l0YWwgSUQgQ2xhc3MgMSAtIE1pY3Jvc29mdCBGdWx
s
IFNlcnZpY2UxHzAdBgNVBAMUFkNocmlzdG9waGVyIEhhcnJpbmd0b24xGjAYBgkqhkiG9w0BCQE
W
C2NtaEBubWkubmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDmEQ6mL9BFMEPqs7eKTY1
b
6xeACtBjLliHOZ20copZKKYE9BLqU+JSEvUHJTEjNdB0W/qS2qoWBw7txNrO/vY08CwAMa4s/qo
P
4ckhQmtPVRcbX3jO7163rME6YPmtwPXF8sdvcql+7eqnk1nbQcqD/CI9gZpgEnikdmnGmRaSeQI
D
AQABo4IBBjCCAQIwCQYDVR0TBAIwADCBrAYDVR0gBIGkMIGhMIGeBgtghkgBhvhFAQcBATCBjjA
o
BggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL0NQUzBiBggrBgEFBQcCAjBWMBU
W
DlZlcmlTaWduLCBJbmMuMAMCAQEaPVZlcmlTaWduJ3MgQ1BTIGluY29ycC4gYnkgcmVmZXJlbmN
l
IGxpYWIuIGx0ZC4gKGMpOTcgVmVyaVNpZ24wEQYJYIZIAYb4QgEBBAQDAgeAMDMGA1UdHwQsMCo
w
KKAmoCSGImh0dHA6Ly9jcmwudmVyaXNpZ24uY29tL2NsYXNzMS5jcmwwDQYJKoZIhvcNAQEEBQA
D
gYEAeeRzCKM9Sxz5HTdwD+Izn80NedtiPmpvZjxjFGGqRkQIl5rek3+2SxrT6N75bNXxNBEzc1m
P
tHhHE6jfVx7cEjkhpWitj+GwPDbXjDr6ROeu5L2fb2fM1fJ/XY+nW/7mt12VN4UO4xrSn6CywiJ
U
ABUEnvoOHmh6tfUihmx+vx4xggQ+MIIEOgIBATCB4TCBzDEXMBUGA1UEChMOVmVyaVNpZ24sIEl
u
Yy4xHzAdBgNVBAsTFlZlcmlTaWduIFRydXN0IE5ldHdvcmsxRjBEBgNVBAsTPXd3dy52ZXJpc2l
n
bi5jb20vcmVwb3NpdG9yeS9SUEEgSW5jb3JwLiBCeSBSZWYuLExJQUIuTFREKGMpOTgxSDBGBgN
V
BAMTP1ZlcmlTaWduIENsYXNzIDEgQ0EgSW5kaXZpZHVhbCBTdWJzY3JpYmVyLVBlcnNvbmEgTm9
0
IFZhbGlkYXRlZAIQJsC8V3KokQk7INeXhychVzAJBgUrDgMCGgUAoIICsjAYBgkqhkiG9w0BCQM
x
CwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0wMzA5MTExNjU1MjdaMCMGCSqGSIb3DQEJBDE
W
BBRHOwyRKerRibv7cko60Roy69vMlTBnBgkqhkiG9w0BCQ8xWjBYMAoGCCqGSIb3DQMHMAcGBSs
O
AwIaMA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgI
B
KDAKBggqhkiG9w0CBTCB8gYJKwYBBAGCNxAEMYHkMIHhMIHMMRcwFQYDVQQKEw5WZXJpU2lnbiw
g
SW5jLjEfMB0GA1UECxMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazFGMEQGA1UECxM9d3d3LnZlcml
z
aWduLmNvbS9yZXBvc2l0b3J5L1JQQSBJbmNvcnAuIEJ5IFJlZi4sTElBQi5MVEQoYyk5ODFIMEY
G
A1UEAxM/VmVyaVNpZ24gQ2xhc3MgMSBDQSBJbmRpdmlkdWFsIFN1YnNjcmliZXItUGVyc29uYSB
O
b3QgVmFsaWRhdGVkAhAmwLxXcqiRCTsg15eHJyFXMIH0BgsqhkiG9w0BCRACCzGB5KCB4TCBzDE
X
MBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRydXN0IE5ldHdvcms
x
RjBEBgNVBAsTPXd3dy52ZXJpc2lnbi5jb20vcmVwb3NpdG9yeS9SUEEgSW5jb3JwLiBCeSBSZWY
u
LExJQUIuTFREKGMpOTgxSDBGBgNVBAMTP1ZlcmlTaWduIENsYXNzIDEgQ0EgSW5kaXZpZHVhbCB
T
dWJzY3JpYmVyLVBlcnNvbmEgTm90IFZhbGlkYXRlZAIQJsC8V3KokQk7INeXhychVzANBgkqhki
G
9w0BAQEFAASBgC0y5wnhIfSocNGRIofB/ZXVM5spyD5JAbo+2QzNFDoiX4eHxw2+YMfpZxhhnn2
C
EUBhDEt1sFtiuG0A3h8lSGbAGsw3jRbpqj7NLt3StaEM2WQlwyyU3bUDoaeTkWOjrvsyYi66q0w
Q
+H7S9hDS2c4f8t6oNSJJjVjoYg51/DB0AAAAAAAA
------=_NextPart_000_004E_01C37863.F9688D60--
--------------------------------------------------------------------------- ---------------------------------------------------------------------------- --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Re: Strange Windows logon attempts chris emer (Sep 23)
- <Possible follow-ups>
- RE: Strange Windows logon attempts David Harper (Sep 24)
- RE: Strange Windows logon attempts Clive Kingston (Sep 24)
- RE: Strange Windows logon attempts Bill Proffitt (Sep 24)