Security Incidents mailing list archives

RE: Strange Windows logon attempts


From: David Harper <david.harper () thermon com>
Date: Wed, 24 Sep 2003 07:22:13 -0500

FYI, we get these a lot as well, but we also see the same thing on our web
server.  There it attempts to log on via the FTP service.  Same modus
operandi, just a different service.  I'd keep a close watch on any Internet-facing
servers to see if it's trying to hit any of them on a different
service.

-----Original Message-----
From: chris emer [mailto:chris () hostmysite com]
Sent: Tuesday, September 23, 2003 12:36 PM
To: incidents () securityfocus com
Subject: Re: Strange Windows logon attempts


In-Reply-To: <005301c37885$80b45030$0101010a () nmi net>

I have noticed on one of our servers that there were many attempts to log in
as "webmaster" in a very short time period. I checked 3 other servers and
found the same thing. The time range for the attempted login was between the
19th Sept and the 23rd Sept. The login attempts were every 2 or 3 seconds and
they never got in. They showed up in the event log with an Event ID of 100
and a source SMTPSVC.

I am keeping a close eye on this, any additional help or suggestions would
be great.

Chris
From: "Chris Harrington" <cmh () nmi net>
To: <incidents () securityfocus com>
Subject: Strange Windows logon attempts
Date: Thu, 11 Sep 2003 12:55:27 -0400
Message-ID: <005301c37885$80b45030$0101010a () nmi net>
All,

A customer notified us that someone / something tried to log into one of
their servers repeatedly but failed. It appears to be some sort of
script since it tried 6 usernames with 23 passwords in under 2 minutes.
The event log is a typical 529 event ID. The logon type was 3 (network)
and the logon process was advapi. I generally see this when someone
tries to log in to IIS using cleartext authentication. There is no
evidence in the w3svc logs of these attempts. There were no successful
logins using that logon process.

This server is an Exchange server with port 25 accessible from the
Internet. I have verified this is the only port open by scan and
firewall rules.

1. Can anyone access the advapi (or any domain login process) over port
25 on an Exchange server? I did not think that SMTP AUTH could do that.

2. What other common programs use the advapi call for authentication?

The usernames that were tried are webmaster, admin, root, test, master,
web. Each one was tried in that order with 23 passwords, all failed.

3. Does anyone know what script / app / virus / worm that could be?

Any insights??

Thanks,

--Chris



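Added example, written for this archive page and not posted by anyone on the thread: a small Python detector for the failure pattern Chris Harrington describes (Event ID 529, logon type 3, logon process advapi, six usernames each tried with 23 passwords in under two minutes). The event records are constructed to mirror that description; the tuple layout, the thresholds and the benign "bob"/"alice" records are assumptions, not fields of any real event log export.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample records standing in for a Security event log export:
# (timestamp, username, logon type, logon process). 6 usernames x 23
# passwords, about 0.8 s apart, mirrors the burst described in the post.
SAMPLE_EVENTS = [
    (datetime(2003, 9, 11, 3, 0, 0) + timedelta(milliseconds=800 * i),
     user, 3, "advapi")
    for i, user in enumerate(["webmaster"] * 23 + ["admin"] * 23
                             + ["root"] * 23 + ["test"] * 23
                             + ["master"] * 23 + ["web"] * 23)
]
# Sparse failures by one account (typical mistyped password) that must not
# trip the detector, plus an interactive (type 2) failure outside scope.
SAMPLE_EVENTS += [(datetime(2003, 9, 11, 12, m, 0), "bob", 3, "advapi")
                  for m in (0, 10, 20, 30)]
SAMPLE_EVENTS.append((datetime(2003, 9, 11, 9, 0, 0), "alice", 2, "User32"))

def find_bursts(events, window=timedelta(minutes=2),
                min_failures=20, min_users=3):
    """Return (start, end, failure_count, usernames) for each burst.

    Only logon type 3 (network) failures through the advapi logon process
    are considered, the pattern the original post describes. A burst is a
    span no longer than `window` holding at least `min_failures` failures
    spread over at least `min_users` distinct usernames.
    """
    hits = sorted(e for e in events if e[2] == 3 and e[3].lower() == "advapi")
    bursts, i = [], 0
    while i < len(hits):
        start, j = hits[i][0], i
        # Grow the window forward from event i while it still fits.
        while j + 1 < len(hits) and hits[j + 1][0] - start <= window:
            j += 1
        chunk = hits[i:j + 1]
        users = Counter(user for _, user, _, _ in chunk)
        if len(chunk) >= min_failures and len(users) >= min_users:
            bursts.append((start, chunk[-1][0], len(chunk), sorted(users)))
            i = j + 1  # events already reported are not scanned again
        else:
            i += 1
    return bursts

if __name__ == "__main__":
    for start, end, n, users in find_bursts(SAMPLE_EVENTS):
        print(f"{start:%H:%M:%S}-{end:%H:%M:%S}: {n} failures over "
              f"{len(users)} usernames: {', '.join(users)}")
```

On a real export, map each 529 record's fields onto the same tuple and add the workstation name or source address as a grouping key so bursts from different origins are reported separately.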