Windows Server - Hack Attempt - Remote Web Workplace?

Asked By frank on 24-Nov-07 04:13 PM
I have an SBS 2003 R2 implementation that has the following services
exposed to the internet:
* Outlook Web Access,
* Remote Web Workplace,
* SMTP

Over the past two months I have seen the following event logs
appearing in the Security event log:
Logon Failure:
Reason:		Unknown user name or bad password
User Name:	webmaster
Domain:
Logon Type:	3
Logon Process:	Advapi
Authentication Package:	MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name:	<server name>
Caller User Name:	<server name>$
Caller Domain:	<server domain name>
Caller Logon ID:	(0x0,0x3E7)
Caller Process ID:	1880
Transited Services:	-
Source Network Address:	-
Source Port:	-

I have noticed that the user can also be root, administrator as well.

My suspicion is that someone is trying to hack into the Outlook Web
Access or Remote Web Workplace applications by some kind of automated
means (a script etc.). I would like to block the IP addresses of these
users at the firewall, although there are no corresponding logs for
these security failures in the IIS log for these web applications.

How would I go about obtaining the IP addresses of these hackers?  Is
there a more verbose mode of logging I can set within IIS?
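Added example (not part of the thread): a small triage script for the event text above. It flags records where Logon Process is Advapi, the caller is the SYSTEM logon session (0x3E7) and Source Network Address is "-", i.e. a process running on the server itself called LogonUser, which is why the event carries no client IP, and then pairs each such failure by timestamp with 401 responses in the IIS W3C log to recover a candidate client address. The timestamp prefix on the record, the IIS lines and the IP addresses are constructed for the example.

```python
from datetime import datetime, timedelta
# Constructed sample in the shape of the poster's event 529 text; the timestamp
# line that starts the record is an assumption (the post omits it).
EVENTS = """\
11/24/2007 15:58:01 Logon Failure:
User Name: webmaster
Logon Process: Advapi
Caller Logon ID: (0x0,0x3E7)
Source Network Address: -
"""
# Constructed IIS W3C lines; sc-status 401 is what a failed web logon leaves behind.
IIS = """\
#Fields: date time cs-uri-stem cs-username c-ip sc-status
2007-11-24 15:58:01 /exchange/ - 203.0.113.7 401
2007-11-24 15:58:02 /Remote/ - 203.0.113.7 401
2007-11-24 15:59:30 /exchange/ jsmith 198.51.100.2 200
"""

def parse_events(text):
    """One dict per Logon Failure record, keyed by the field labels."""
    recs = []
    for line in text.splitlines():
        if line.endswith(" Logon Failure:"):
            recs.append({"time": datetime.strptime(line[:19], "%m/%d/%Y %H:%M:%S")})
        elif ":" in line and recs:
            key, val = line.split(":", 1)
            recs[-1][key.strip()] = val.strip()
    return recs

def is_local_logonuser(rec):
    """Advapi, caller SYSTEM (logon id 0x3E7), no source address: a SYSTEM process on
    the server called LogonUser (e.g. a web app's basic auth); Caller Process ID says which."""
    return (rec.get("Logon Process") == "Advapi"
            and rec.get("Caller Logon ID", "").upper().endswith("0X3E7)")
            and rec.get("Source Network Address") == "-")

def iis_failures(text):
    """(time, client ip) for each 401 line; columns follow the #Fields header."""
    out = []
    for line in text.splitlines():
        if not line.startswith("#"):
            date, time, _uri, _user, ip, status = line.split()
            if status == "401":
                out.append((datetime.fromisoformat(date + " " + time), ip))
    return out

def attribute(events, web, window=timedelta(seconds=2)):
    """Pair each local-LogonUser failure with client IPs that drew a 401 within window."""
    return {(r["User Name"], ip) for r in events if is_local_logonuser(r)
            for t, ip in web if abs(t - r["time"]) <= window}
```

IIS writes its log timestamps in UTC by default while the Security log is displayed in local time, so convert one side before correlating real logs, and widen `window` if the failures are not logged in the same second.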




jimlawrnc replied on 24-Nov-07 04:13 PM
What type of router do you have?
Is logging enabled on the router? If so, you can get the IP from there.
Joe replied on 22-Nov-07 02:33 PM
Agreed, the router is the best place to log incoming connections, but
most routers don't have much spare RAM and will only store a few dozen
connections at a time. You really need a syslog server running on the
network to store the router's logs until you have no further use for them.

But you're wasting your time, you're not talking about half a dozen
rogue IP addresses. The attacker, if one exists, will certainly not be
using his own computer to open the connection, and he's unlikely to have
just one or even a few at his disposal. You're also leaving yourself
open to denial of service attacks, when the current attacker realises
what you're doing and starts spoofing his source IP addresses as those
of major ISPs. Even more likely is that there isn't actually an
attacker, that you're seeing automated scanning software, which may well
be running on tens or hundreds of thousands of hijacked computers. The
most powerful distributed computing system on the planet is now claimed
to be one particular botnet.

You have absolutely no alternative, under any circumstances, to using
extremely good passwords on those accounts which can gain access
externally, and if you do then password guessing will not be a problem.
v-robel replied on 23-Nov-07 06:23 AM
Hi Frank,

Thanks for posting in our newsgroup.

Please let me know the following to make the situation clearer:

You said "I have noticed that the user can also be root, administrator as
well." Do you mean that the user names in the events are root or
administrator?

Based on my research, this event can be caused by a hacker, a virus or services
on the SBS server. Please take the following steps to see if the problem
can be resolved.

Step 1: Please perform a clean boot to make sure the problem is not caused by
third-party software:

1. Click Start->Run...->type msconfig and press Enter.
2. Click Services tab and select Hide All Microsoft Services and Disable
All third party Services.
3. Click Startup tab and Disable All startup items.
4. Click OK and choose Restart.
5. After reboot, check whether the problem still occurs.
6. If there are no more problems, please use the above steps to enable
services and startup items one by one in order to figure out the root cause
of this issue.

Step 2: The issue may be caused by a virus; please scan the system with anti-virus
software with the latest signatures and test again.

Step 3: The issue occurs on the domain controller when the audit policy is
turned on for logon failures. To fix this, please install the following
hotfix:

Security Event 529 is logged for local user accounts
http://support.microsoft.com/?id=811082

You can submit a request to Microsoft Online Customer Services to obtain
the hotfix. To submit an online request to obtain the hotfix, visit the
following Microsoft Web site:
http://go.microsoft.com/?linkid=6294451

In addition, please implement strong password policies in your network. To
do this:

Open ''Server Management console'', navigate to Users snap-in. In the right
panel, click ''Configure Password Policies''. Enable the password policies.
1. Password must meet minimum length requirements.
2. Password must meet complexity requirements.
3. Password must be changed regularly.
4. Configure password policies: Immediately.

If you enable a strong password policy, you will still see the security
events, but it will be difficult for hackers to access the network.

More info:

Securing Your Windows Small Business Server 2003 Network
http://www.microsoft.com/downloads/details.aspx?familyid=ccf92588-f367-4d25-8501-b4f680280f71&displaylang=en

During the user authentication process, the system sends the user credentials in
a package, but this package contains only the user credentials; no source IP is
included. So when authentication fails, an event is created but there is
no source IP. This is expected behavior. So first we need to find out
what causes such events.

If the problem persists, please help me collect the following information
for deep research:

1. What important change did you make before the issue first occurred?

2. MPS Report

1) Download the MPS report tool from:
http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd915706/MPSRPT_SETUPPerf.EXE
2) Run MPSRPT_SETUPPerf.exe on the server box.
3) Wait for 10~15 minutes.
4) Open Windows Explorer and navigate to
%SYSTEMROOT%\MPSReports\Setup\Reports\cab\
5) Send the .cab file to v-robeli@microsoft.com with the subject:
41016572-Hack Attempt - Remote Web Workplace.

I am looking forward to hearing from you.

If you need further assistance, please don't hesitate to let me know.

Best regards,

Robert Li(MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================

This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check for
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Leythos replied on 23-Nov-07 07:51 AM
In article <9b178062-990a-4067-a7b8-e71a1658a164
@d4g2000prg.googlegroups.com>, frank@turcic.net says...

As long as you have services exposed to the internet there will always
be people trying to get into them, it's just how life is.

Your only solution is to get a real firewall and block IP ranges that
you don't want to allow into your system. You also need to ensure that
you've not mistakenly opened PORT 80 (TCP) for web access.

I'm in the USA. This list of blocked sites is one a customer uses that has
a couple of dealings with a place outside the USA, but for the most part
it blocks all foreign country access where the country has tried to
access their networks. No, I don't have an explanation for each IP or
IP range; you can IPWHOIS on Google for the country the ranges block,
but this list does cut down on a LOT of traffic from hack countries:

This is a permanent/total block list, no IN/OUT to those ranges.



--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)