Capturing hack/login attempts

tech_ed 2004-08-28, 2:48 am

Greets.
I manage a bunch of IIS servers and am seeing quite a bit of traffic
relating to attempts to gain access to my machines.
The information I see is in the event logs.
In the security logs, I see:
Source: Security
Category: Account Logon
Event ID: 681
The logon to account: pubah
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: IIS0459A
failed. The error code was: 3221225572
Then the next log says:
Source: Security
Category: login/logoff
Event ID: 529
Logon Failure:
Reason: Unknown user name or bad password
User Name: pubah
Domain: <the server's name>
Logon Type: 2
Logon Process: IIS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: <the same server name>
Then there is a corresponding log in the system log:
Source: w3scv
Category: None
Event ID: 100
The server was unable to logon the Windows NT account 'pubah' due to the
following error: Logon failure: unknown user name or bad password. The
data is the error code.
For additional information specific to this message please visit the
Microsoft Online Support site located at:
http://www.microsoft.com/contentredirect.asp.
I am getting these by the hundreds every 5 minutes.
It seems to be a dictionary attack.
What I would like to know if there is some kind of sniffer I can use to
capture these attacks and if so, what should I be capturing and what
trigger should I be monitoring?
Any advice would be appreciated.
Ed
web/gadget guru

Ken Schaefer 2004-08-29, 5:51 pm

You want something called an "IDS" (Intrusion Detection System). There are
lots of Open Source and commercial packages out there.
Snort is a popular Open Source product:
http://www.snort.org/
Cheers
Ken
"tech_ed" <tech_ed@yahoo.com> wrote in message
news:a04ff5d0114308535da6d0dfe0616cc9@localhost.talkaboutsoftware.com...
> Greets.
> I manage a bunch of IIS servers and am seeing quite a bit of traffic
> relating to attempts to gain access to my machines.
> The information I see is in the event logs.
> In the security logs, I see:
> Source: Security
> Category: Account Logon
> Event ID: 681
> The logon to account: pubah
> by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> from workstation: IIS0459A
> failed. The error code was: 3221225572
>
> Then the next log says:
> Source: Security
> Category: login/logoff
> Event ID: 529
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name: pubah
> Domain: <the server's name>
> Logon Type: 2
> Logon Process: IIS
> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Workstation Name: <the same server name>
>
> Then there is a corresponding log in the system log:
> Source: w3scv
> Category: None
> Event ID: 100
> The server was unable to logon the Windows NT account 'pubah' due to the
> following error: Logon failure: unknown user name or bad password. The
> data is the error code.
> For additional information specific to this message please visit the
> Microsoft Online Support site located at:
> http://www.microsoft.com/contentredirect.asp.
>
> I am getting these by the hundreds every 5 minutes.
> It seems to be a dictionary attack.
> What I would like to know if there is some kind of sniffer I can use to
> capture these attacks and if so, what should I be capturing and what
> trigger should I be monitoring?
> Any advice would be appreciated.
> Ed
> web/gadget guru
>

Adam Murray 2004-09-02, 6:45 pm

You can also use Ethereal to capture the packets that are coming in
so you can see what IP address they are coming from.
http://www.ethereal.com/
It's free and very easy to use.
"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message news:<#lISeHijEHA.3944@tk2msftngp13.phx.gbl>...
> You want something called an "IDS" (Intrusion Detection System). There are
> lots of Open Source and commercial packages out there.
>
> Snort is a popular Open Source product:
> http://www.snort.org/
>
> Cheers
> Ken
>
> "tech_ed" <tech_ed@yahoo.com> wrote in message
> news:a04ff5d0114308535da6d0dfe0616cc9@localhost.talkaboutsoftware.com...

You can also set the account lockout threshold to 3 or 5 that way after
their 3rd or 5th attempt to login with the same username it will not
accept requests for x mins.
Adam Murray wrote:
> You can also use Ethereal to capture the packets that are coming in
> so you can see what IP address they are coming from.
>
> http://www.ethereal.com/
>
> It's free and very easy to use.
>
>
>
> "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message news:<#lISeHijEHA.3944@tk2msftngp13.phx.gbl>...
>
--
This posting is provided "AS IS" with no warranties, and confers no rights.