Capturing hack/login attempts
Web Server forum

    Capturing hack/login attempts  
tech_ed




 
08-28-04 07:48 AM

Greets.
I manage a bunch of IIS servers and am seeing quite a bit of traffic
relating to attempts to gain access to my machines.
The information I see is in the event logs.
In the security logs, I see:
Source: Security
Category: Account Logon
Event ID: 681
The logon to account: pubah
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: IIS0459A
failed. The error code was: 3221225572

Then the next log says:
Source: Security
Category: login/logoff
Event ID: 529
Logon Failure:
Reason:		Unknown user name or bad password
User Name:	pubah
Domain:		<the server's name>
Logon Type:	2
Logon Process:	IIS
Authentication Package:	MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name:	<the same server name>

Then there is a corresponding log in the system log:
Source: w3scv
Category: None
Event ID: 100
The server was unable to logon the Windows NT account 'pubah' due to the
following error: Logon failure: unknown user name or bad password.  The
data is the error code.
For additional information specific to this message please visit the
Microsoft Online Support site located at:
http://www.microsoft.com/contentredirect.asp.

I am getting these by the hundreds every 5 minutes.
It seems to be a dictionary attack.
What I would like to know is if there is some kind of sniffer I can use to
capture these attacks and if so, what should I be capturing and what
trigger should I be monitoring?
Any advice would be appreciated.
Ed
web/gadget guru









    Re: Capturing hack/login attempts  
Ken Schaefer




 
08-29-04 10:51 PM

You want something called an "IDS" (Intrusion Detection System). There are
lots of Open Source and commercial packages out there.

Snort is a popular Open Source product:
http://www.snort.org/

Cheers
Ken

"tech_ed" <tech_ed@yahoo.com> wrote in message
 news:a04ff5d0114308535da6d0dfe0616cc9@localhost.talkaboutsoftware.com...
> Greets.
> I manage a bunch of IIS servers and am seeing quite a bit of traffic
> relating to attempts to gain access to my machines.
> The information I see is in the event logs.
> In the security logs, I see:
> Source: Security
> Category: Account Logon
> Event ID: 681
> The logon to account: pubah
> by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> from workstation: IIS0459A
> failed. The error code was: 3221225572
>
> Then the next log says:
> Source: Security
> Category: login/logoff
> Event ID: 529
> Logon Failure:
>  Reason: Unknown user name or bad password
>  User Name: pubah
>  Domain: <the server's name>
>  Logon Type: 2
>  Logon Process: IIS
>  Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>  Workstation Name: <the same server name>
>
> Then there is a corresponding log in the system log:
> Source: w3scv
> Category: None
> Event ID: 100
> The server was unable to logon the Windows NT account 'pubah' due to the
> following error: Logon failure: unknown user name or bad password.  The
> data is the error code.
> For additional information specific to this message please visit the
> Microsoft Online Support site located at:
> http://www.microsoft.com/contentredirect.asp.
>
> I am getting these by the hundreds every 5 minutes.
> It seems to be a dictionary attack.
> What I would like to know is if there is some kind of sniffer I can use to
> capture these attacks and if so, what should I be capturing and what
> trigger should I be monitoring?
> Any advice would be appreciated.
> Ed
> web/gadget guru
>










    Re: Capturing hack/login attempts  
Adam Murray




 
09-02-04 11:45 PM

You can also use Ethereal to capture the packets that are coming in
so you can see what IP address they are coming from.

http://www.ethereal.com/

It's free and very easy to use.



"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message news:<#lISeHijEHA.3944@tk2msftngp13.phx.gbl>...
> You want something called an "IDS" (Intrusion Detection System). There are
> lots of Open Source and commercial packages out there.
>
> Snort is a popular Open Source product:
> http://www.snort.org/
>
> Cheers
> Ken
>
> "tech_ed" <tech_ed@yahoo.com> wrote in message
>  news:a04ff5d0114308535da6d0dfe0616cc9@localhost.talkaboutsoftware.com...








    Re: Capturing hack/login attempts  
adam




 
09-02-04 11:45 PM

You can also set the account lockout threshold to 3 or 5; that way, after
their 3rd or 5th attempt to log in with the same username, it will not
accept requests for x mins.

Adam Murray wrote:
> You can also use etherreal to capture the packets that are coming in
> so you can see what IP address they are coming from.
>
> http://www.ethereal.com/
>
> It's free and very easy to use.
>
>
>
> "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message news:<#lISeHijEHA.3944@tk2msftngp13.phx.gbl>...
> 

--
This posting is provided "AS IS" with no warranties, and confers no rights.
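
Added example, not part of any post in this thread: the events above show "Logon Process: IIS" with the server itself as the workstation, so they do not carry the client address, but the IIS W3C extended log does. The sketch below counts 401 responses per client IP in a sliding 5-minute window; it assumes W3C extended logging with the `c-ip` and `sc-status` fields enabled, and the function name, threshold, addresses and log lines are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended log format (not taken from the thread).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2004-08-28 07:40:01 192.0.2.10 - GET /secure/ 401
2004-08-28 07:40:02 192.0.2.10 - GET /secure/ 401
2004-08-28 07:40:04 192.0.2.10 - GET /secure/ 401
2004-08-28 07:41:10 198.51.100.7 - GET /secure/ 401
2004-08-28 07:41:12 198.51.100.7 alice GET /secure/ 200
2004-08-28 07:42:30 192.0.2.10 - GET /secure/ 401
2004-08-28 07:43:00 192.0.2.10 - GET /secure/ 401
2004-08-28 07:50:00 192.0.2.10 - GET /secure/ 401
"""

def failed_auth_bursts(log_text, threshold=5, window=timedelta(minutes=5)):
    """Map client IP -> peak number of 401s inside any sliding window,
    for clients whose peak reaches the threshold."""
    fields, hits = [], defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("sc-status") != "401":  # only authentication failures
            continue
        stamp = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        hits[row["c-ip"]].append(stamp)

    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start = peak = 0
        for end, stamp in enumerate(stamps):
            while stamp - stamps[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        # One 401 is the normal challenge before a browser sends credentials,
        # so a single failure is not a signal; a burst is.
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

if __name__ == "__main__":
    for ip, peak in failed_auth_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {peak} failed logons within 5 minutes")
```

Addresses flagged this way can then be matched against the timestamps of the 529 and 681 events to confirm which client is driving the failures.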




