Re: Strange logon attempts to Win2k server

From: Birl (sbirl@temple.edu)
Date: Thu Sep 11 2003 - 16:29:15 EDT


As it was written on Sep 11, thus Chris Harrington typed:

Chris: Date: Thu, 11 Sep 2003 12:08:53 -0400
Chris: From: Chris Harrington <cmh@nmi.net>
Chris: To: pen-test@securityfocus.com
Chris: Subject: Strange logon attempts to Win2k server
Chris:
Chris: All,
Chris:
Chris: A customer notified us that someone / something tried to log into one of
Chris: their servers repeatedly but failed. It appears to be some sort of
Chris: script since it tried 6 usernames with 23 passwords in under 2 minutes.
Chris: The event log is a typical 529 event ID. The logon type was 3 (network)
Chris: and the logon process was advapi. I generally see this when someone
Chris: tries to log in to IIS using cleartext authentication. There is no
Chris: evidence in the w3svc logs of these attempts. There were no successful
Chris: logins using that logon process.
Chris:
Chris: This server is an Exchange server with port 25 accessible from the
Chris: Internet. I have verified this is the only port open by scan and
Chris: firewall rules.
Chris:
Chris: 1. Can anyone access the advapi (or any domain login process) over port
Chris: 25 on an Exchange server? I did not think that SMTP AUTH could do that.
Chris:
Chris: 2. What other common programs use the advapi call for authentication?
Chris:
Chris: The usernames that were tried are webmaster, admin, root, test, master,
Chris: web. Each one was tried in that order with 23 passwords, all failed.
Chris:
Chris: 3. Does anyone know what script / app / virus / worm that could be?
Chris:
Chris: Any insights??
Chris:
Chris: Thanks,
Chris:
Chris: --Chris

[snipping non-related reply to the Wireless LANs thread]

AFAIK, IIS is a separate logon process, different from User32, AdvAPI,
NTLMSSP, etc. I cannot say that I have ever seen IIS use AdvAPI for
authentication.

I know that RemotelyAnywhere uses AdvAPI for authentication.

As for scripts/worms/etc, nothing comes to mind.

 Scott Birl http://concept.temple.edu/sysadmin/
 Senior Systems Administrator Computer Services Temple University
====*====*====*====*====*====*====*====+====*====*====*====*====*====*====*====*
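As an added example (not from either poster), the sort of check a defender could run over an exported Security log to spot the pattern Chris describes: a burst of 529 failures spread across several accounts, broken down by logon process so Advapi activity stands apart from interactive User32 failures. The CSV-like layout and field names are constructed assumptions, not a real Win2k export format.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
# Constructed sample records (not a real export): timestamp, event ID,
# account name, logon type, logon process. Event 529 = logon failure.
SAMPLE_LOG = """\
2003-09-11 11:40:02,529,webmaster,3,Advapi
2003-09-11 11:40:04,529,admin,3,Advapi
2003-09-11 11:40:05,529,root,3,Advapi
2003-09-11 11:40:07,529,test,3,Advapi
2003-09-11 11:40:08,529,master,3,Advapi
2003-09-11 11:40:10,529,web,3,Advapi
2003-09-11 13:05:17,529,jsmith,2,User32
"""

def parse_events(text):
    events = []
    for line in text.splitlines():
        ts, eid, user, ltype, proc = line.split(",")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "id": int(eid), "user": user, "type": int(ltype), "process": proc})
    return events

def failures_by_process(events):
    """Count 529 failures per logon process (e.g. Advapi vs User32)."""
    return dict(Counter(e["process"] for e in events if e["id"] == 529))

def find_bursts(events, window=timedelta(minutes=2), min_failures=5, min_users=3):
    """Flag 529 windows dense and multi-account enough to look scripted."""
    by_proc = defaultdict(list)
    for e in sorted((e for e in events if e["id"] == 529), key=lambda e: e["time"]):
        by_proc[e["process"]].append(e)
    bursts = []
    for proc, evs in by_proc.items():
        i = 0
        while i < len(evs):
            j = i
            while j < len(evs) and evs[j]["time"] - evs[i]["time"] <= window:
                j += 1  # extend the window starting at the i-th failure
            users = sorted({e["user"] for e in evs[i:j]})
            if j - i >= min_failures and len(users) >= min_users:
                bursts.append({"process": proc, "start": evs[i]["time"],
                               "end": evs[j - 1]["time"], "failures": j - i, "users": users})
                i = j  # skip past this burst and look for the next one
            else:
                i += 1
    return bursts

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(failures_by_process(evs), find_bursts(evs))
```

A single mistyped password from one account never trips the thresholds, while the six-account run in the sample does; the same split by logon process is what lets a Win2k admin tell an Advapi-based tool apart from console logon noise.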

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:39 EDT