Tracing a break-in attempt

Thread starter: Tom Del Rosso (Guest)
On an SBS (2003 R1 standard) somebody has been trying to log in to the RWW as
webmaster during the past few days. It produces event ID 529 with logon
type 3, but the source IP doesn't seem to be recorded. The server has two
NICs, but not ISA.


--

Reply in group, but if emailing add another
zero, and remove the last word.
 
Re: Tracing a break-in attempt

Tom Del Rosso <td_01@att.net.invalid> wrote:
> On a SBS (2003 R1 standard) somebody has been trying to log in to the
> RWW as webmaster during the past few days. It produces event ID 529
> with logon type 3, but the source IP doesn't seem to be recorded.
> The server has 2 NIC's, but not ISA.


I'm presuming you have a good hardware firewall appliance between your
network & the internet - if so, you might check its logs. If you don't have
a firewall such as this - get one.
 
Re: Tracing a break-in attempt

To add to what Lanwench says, people will always try to break into an
exposed interface. So you need:
- good password policy
- ideally lockout on failed attempts
- two factor authentication if it is really important
Anthony,
http://www.airdesk.co.uk




"Lanwench [MVP - Exchange]"
<lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in message
news:OniD2ny5HHA.5844@TK2MSFTNGP02.phx.gbl...
> Tom Del Rosso <td_01@att.net.invalid> wrote:
>> On a SBS (2003 R1 standard) somebody has been trying to log in to the
>> RWW as webmaster during the past few days. It produces event ID 529
>> with logon type 3, but the source IP doesn't seem to be recorded.
>> The server has 2 NIC's, but not ISA.

>
> I'm presuming you have a good hardware firewall appliance between your
> network & the internet - if so, you might check its logs. If you don't
> have a firewall such as this - get one.
>
 
Re: Tracing a break-in attempt

"Lanwench [MVP - Exchange]"
<lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in
message news:OniD2ny5HHA.5844@TK2MSFTNGP02.phx.gbl
> Tom Del Rosso <td_01@att.net.invalid> wrote:
>> On a SBS (2003 R1 standard) somebody has been trying to log in to the
>> RWW as webmaster during the past few days. It produces event ID 529
>> with logon type 3, but the source IP doesn't seem to be recorded.
>> The server has 2 NIC's, but not ISA.

>
> I'm presuming you have a good hardware firewall appliance between your
> network & the internet - if so, you might check its logs. If you
> don't have a firewall such as this - get one.


Just a router there. SBS has a software firewall, and port 443 would have
to be open even with a firewall appliance.

Yeah, it would be nice to have that logging, but it would also be nice if SBS
logged the IP when it logs the event. Evidently it doesn't.


--

Reply in group, but if emailing add another
zero, and remove the last word.
 
Re: Tracing a break-in attempt

And change the password often :)

--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


"Anthony" <anthony.spam@spammedout.com> wrote in message
news:OpovBc05HHA.5796@TK2MSFTNGP05.phx.gbl...
> To add to what Lanwench says, people will always try to break in to an
> exposed interface. So you need:
> - good password policy
> - ideally lockout on failed attempts
> - two factor authentication if it is really important
> Anthony,
> http://www.airdesk.co.uk
>
>
>
>
> "Lanwench [MVP - Exchange]"
> <lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in
> message news:OniD2ny5HHA.5844@TK2MSFTNGP02.phx.gbl...
>> Tom Del Rosso <td_01@att.net.invalid> wrote:
>>> On a SBS (2003 R1 standard) somebody has been trying to log in to the
>>> RWW as webmaster during the past few days. It produces event ID 529
>>> with logon type 3, but the source IP doesn't seem to be recorded.
>>> The server has 2 NIC's, but not ISA.

>>
>> I'm presuming you have a good hardware firewall appliance between your
>> network & the internet - if so, you might check its logs. If you don't
>> have a firewall such as this - get one.
>>

>
>
 
Re: Tracing a break-in attempt

"Anthony" <anthony.spam@spammedout.com> wrote in message
news:OpovBc05HHA.5796@TK2MSFTNGP05.phx.gbl
> To add to what Lanwench says, people will always try to break in to an
> exposed interface. So you need:
> - good password policy
> - ideally lockout on failed attempts
> - two factor authentication if it is really important


Besides lockout for Windows logons, it would be nice to lock out on failed
RWW logons, but that's not an option, is it?


--

Reply in group, but if emailing add another
zero, and remove the last word.
 
Re: Tracing a break-in attempt

Maybe IIS logging would be helpful (not sure RWW is IIS-based).

--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


"Tom Del Rosso" <td_01@att.net.invalid> wrote in message
news:eKTdOj05HHA.600@TK2MSFTNGP05.phx.gbl...
> "Lanwench [MVP - Exchange]"
> <lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in
> message news:OniD2ny5HHA.5844@TK2MSFTNGP02.phx.gbl
>> Tom Del Rosso <td_01@att.net.invalid> wrote:
>>> On a SBS (2003 R1 standard) somebody has been trying to log in to the
>>> RWW as webmaster during the past few days. It produces event ID 529
>>> with logon type 3, but the source IP doesn't seem to be recorded.
>>> The server has 2 NIC's, but not ISA.

>>
>> I'm presuming you have a good hardware firewall appliance between your
>> network & the internet - if so, you might check its logs. If you
>> don't have a firewall such as this - get one.

>
> Just a router there. SBS has a software firewall, and port 443 would have
> to be open even with a firewall appliance.
>
> Yeah it would be nice to have that logging, but it would also be nice if
> SBS
> logged the IP when it logs the event. Evidently it doesn't.
>
>
> --
>
> Reply in group, but if emailing add another
> zero, and remove the last word.
>
>
 
Re: Tracing a break-in attempt

I don't know RWW, but if it is using Windows authentication, I don't see why
not.
Anthony,
http://www.airdesk.co.uk



"Tom Del Rosso" <td_01@att.net.invalid> wrote in message
news:uvFdHm05HHA.2380@TK2MSFTNGP02.phx.gbl...
> "Anthony" <anthony.spam@spammedout.com> wrote in message
> news:OpovBc05HHA.5796@TK2MSFTNGP05.phx.gbl
>> To add to what Lanwench says, people will always try to break in to an
>> exposed interface. So you need:
>> - good password policy
>> - ideally lockout on failed attempts
>> - two factor authentication if it is really important

>
> Besides lockout from windows logons, it would be nice to lockout from
> failed
> RWW logons, but that's not an option, is it?
>
>
> --
>
> Reply in group, but if emailing add another
> zero, and remove the last word.
>
>
 
Re: Tracing a break-in attempt

"Anthony" <anthony.spam@spammedout.com> wrote in message
news:OItfPb15HHA.3900@TK2MSFTNGP02.phx.gbl
> I don't know RWW, but if it is using Windows authentication I don't
> see why not,


I never came across an option to enable that, and it doesn't happen when
somebody fails to login. I assume it would have to block logins based on
the IP.


--

Reply in group, but if emailing add another
zero, and remove the last word.
 
Re: Tracing a break-in attempt

Technically speaking this isn't a targeted attack against you but
someone running a scan attack.

They are running up and down the IP range seeing if they can hit something.

Tom Del Rosso wrote:
> On a SBS (2003 R1 standard) somebody has been trying to log in to the RWW as
> webmaster during the past few days. It produces event ID 529 with logon
> type 3, but the source IP doesn't seem to be recorded. The server has 2
> NIC's, but not ISA.
>
>
 
Re: Tracing a break-in attempt

If account lockout is configured it works for RWW as well.

"Tom Del Rosso" <td_01@att.net.invalid> wrote in message
news:uvFdHm05HHA.2380@TK2MSFTNGP02.phx.gbl...
> "Anthony" <anthony.spam@spammedout.com> wrote in message
> news:OpovBc05HHA.5796@TK2MSFTNGP05.phx.gbl
>> To add to what Lanwench says, people will always try to break in to an
>> exposed interface. So you need:
>> - good password policy
>> - ideally lockout on failed attempts
>> - two factor authentication if it is really important

>
> Besides lockout from windows logons, it would be nice to lockout from
> failed
> RWW logons, but that's not an option, is it?
>
>
> --
>
> Reply in group, but if emailing add another
> zero, and remove the last word.
>
>
 
Re: Tracing a break-in attempt

Thanks Tatat,
Tom, it will only lock out if they try a valid name and fail on the
password. You are probably just seeing a random sweep. Obviously they will
try common names like Administrator and Test, and you can't lock out
Administrator, which is why you must have a long and complex password for it.
Blocking IPs won't get you anywhere, but you can specify IP blocks on a
firewall or router.
Anthony,
http://www.airdesk.co.uk





"tatat" <default@nospam.com> wrote in message
news:tN5Ai.125$ZA5.91@nlpi068.nbdc.sbc.com...
> If account lockout is configured it works for RWW as well.
> "Tom Del Rosso" <td_01@att.net.invalid> wrote in message
> news:uvFdHm05HHA.2380@TK2MSFTNGP02.phx.gbl...
>> "Anthony" <anthony.spam@spammedout.com> wrote in message
>> news:OpovBc05HHA.5796@TK2MSFTNGP05.phx.gbl
>>> To add to what Lanwench says, people will always try to break in to an
>>> exposed interface. So you need:
>>> - good password policy
>>> - ideally lockout on failed attempts
>>> - two factor authentication if it is really important

>>
>> Besides lockout from windows logons, it would be nice to lockout from
>> failed
>> RWW logons, but that's not an option, is it?
>>
>>
>> --
>>
>> Reply in group, but if emailing add another
>> zero, and remove the last word.
>>
>>

>
>
 
Re: Tracing a break-in attempt

Hello,

As best security practice, the administrator password would be renamed and disabled.
Each administrator would have two accounts:
- a standard user account for daily tasks (mail/web...)
- an administrator account (a different one for each admin)


--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


"Anthony" <anthony.spam@spammedout.com> wrote in message
news:el3FUk75HHA.5164@TK2MSFTNGP05.phx.gbl...
> Thanks Tatat,
> Tom, it it will only lock out if they try a valid name and fail on the
> password. You are probably just seeing a random sweep. Obviously they will
> try common names like Administrator and Test, and you can't lockout
> Administrator which is why you must have a long and complex password for
> it.
> Blocking IP's won't get you anywhere, but you can specify IP blocks on a
> firewall or router,
> Anthony,
> http://www.airdesk.co.uk
>
>
>
>
>
> "tatat" <default@nospam.com> wrote in message
> news:tN5Ai.125$ZA5.91@nlpi068.nbdc.sbc.com...
>> If account lockout is configured it works for RWW as well.
>> "Tom Del Rosso" <td_01@att.net.invalid> wrote in message
>> news:uvFdHm05HHA.2380@TK2MSFTNGP02.phx.gbl...
>>> "Anthony" <anthony.spam@spammedout.com> wrote in message
>>> news:OpovBc05HHA.5796@TK2MSFTNGP05.phx.gbl
>>>> To add to what Lanwench says, people will always try to break in to an
>>>> exposed interface. So you need:
>>>> - good password policy
>>>> - ideally lockout on failed attempts
>>>> - two factor authentication if it is really important
>>>
>>> Besides lockout from windows logons, it would be nice to lockout from
>>> failed
>>> RWW logons, but that's not an option, is it?
>>>
>>>
>>> --
>>>
>>> Reply in group, but if emailing add another
>>> zero, and remove the last word.
>>>
>>>

>>
>>

>
>
 
RE: Tracing a break-in attempt

So how do you trace it further? I have had similar login failures (see an
earlier post) reported in the security event log, but I can't find further
information in other logfiles, e.g. IIS logs. So how can I tell where the login
is being attempted? How did you know it was RWW in your case?

"Tom Del Rosso" wrote:

> On a SBS (2003 R1 standard) somebody has been trying to log in to the RWW as
> webmaster during the past few days. It produces event ID 529 with logon
> type 3, but the source IP doesn't seem to be recorded. The server has 2
> NIC's, but not ISA.
>
>
> --
>
> Reply in group, but if emailing add another
> zero, and remove the last word.
>
>
>
 
Re: Tracing a break-in attempt

"emcc" <emcc@nospam.com> wrote in message
news:DB1A6C8D-CE87-4C82-853B-255894DB7316@microsoft.com
> So how do you trace it further? I had had similar login failures (see
> an earlier post) reported in the security event log, but I can't find
> further information in other logfiles, eg IIS logs. So how can I tell
> where the login is being atempted? How did you know it was RWW in
> your case?


RWW is the only thing opened that needs authentication. I mean SMTP doesn't
need it. There is no other site available for a login that I know of.


--

Reply in group, but if emailing add another
zero, and remove the last word.
 
Re: Tracing a break-in attempt

>>>>> "emcc" == emcc <emcc@nospam.com> writes:

emcc> So how do you trace it further? I had had similar login
emcc> failures (see an earlier post) reported in the security
emcc> event log, but I can't find further information in other
emcc> logfiles, eg IIS logs. So how can I tell where the login is
emcc> being atempted? How did you know it was RWW in your case?

How did you find this - by reviewing errors in the Event Log? If so,
you should also check the IIS logs. It should log the source IP
address and the error results (e.g., 401 for "access denied" errors,
and I think this includes logon failures).

Unfortunately, there's not much you can do beyond temporarily blocking
the source address (or addresses) at your firewall or within IIS. :(

Best wishes,
Matthew

--
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
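Matthew's suggestion above, worked through as an added example that is not part of the original thread: the Security log records who and when (user name, logon type, local time) but no address, while the IIS W3C log records the client IP and result code in UTC, so joining the two on a narrow time window is how the address is recovered. The event text and log lines below are constructed to mimic Windows Server 2003 formats. The /Remote/ path, the UTC-4 server time zone, and the assumption that a rejected credential shows up in the IIS log as a 401 (sub-status 1, the initial anonymous challenge being 401.2) are all assumptions to confirm against a real log line before trusting a match; a forms-based logon page that validates credentials itself would log a 200 instead and leave nothing to join on.

```python
# Added example (not from the thread): attribute event 529 logon failures to
# client IPs by joining the Security log with the IIS W3C log on time.
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed: two 529 entries as Event Viewer copies them to text on Windows
# Server 2003, trimmed to the fields used. Local time, no source address.
SECURITY_LOG = """\
Event ID: 529
Date: 8/25/2007
Time: 3:14:07 AM
User Name: webmaster
Logon Type: 3
Workstation Name: SBSSERVER

Event ID: 529
Date: 8/25/2007
Time: 3:14:09 AM
User Name: webmaster
Logon Type: 3
Workstation Name: SBSSERVER
"""

# Constructed: IIS 6 W3C log of the site hosting /Remote/ (path assumed), in
# UTC. 401.2 is the challenge to an anonymous request; 401.1 a rejected credential.
IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus
2007-08-25 07:13:58 GET /Remote/default.aspx - 198.51.100.23 401 2
2007-08-25 07:14:07 GET /Remote/default.aspx webmaster 198.51.100.23 401 1
2007-08-25 07:14:09 GET /Remote/default.aspx webmaster 198.51.100.23 401 1
2007-08-25 07:14:10 GET /Remote/default.aspx - 203.0.113.5 401 2
2007-08-25 07:14:12 GET /Remote/default.aspx alice 203.0.113.5 200 0
2007-08-25 07:20:41 GET /Exchange/ - 198.51.100.23 401 2
"""

# "Key: value" lines of an Event Viewer text export (keys may contain spaces).
FIELD_RE = re.compile(r"^[ \t]*([\w ]+?):[ \t]*(.+?)[ \t]*$", re.M)

def parse_security_events(text, utc_offset_hours):
    """Return the 529 entries as dicts with a UTC timestamp, user and logon type.
    utc_offset_hours is the server's offset from UTC (-4 for EDT): the Security
    log is in local time and IIS logs in UTC, so both must be normalised to join."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(FIELD_RE.findall(block))
        if fields.get("Event ID") != "529":
            continue
        local = datetime.strptime(f"{fields['Date']} {fields['Time']}",
                                  "%m/%d/%Y %I:%M:%S %p")
        events.append({"utc": local - timedelta(hours=utc_offset_hours),
                       "user": fields.get("User Name", "?"),
                       "logon_type": fields.get("Logon Type", "?")})
    return events

def parse_iis_log(text):
    """Parse a W3C extended log using its own #Fields header, so the per-site
    choice of logged columns does not matter. Adds a 'utc' datetime per row."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            row = dict(zip(fields, line.split()))
            row["utc"] = datetime.strptime(f"{row['date']} {row['time']}",
                                           "%Y-%m-%d %H:%M:%S")
            rows.append(row)
    return rows

def is_rejected_credential(row):
    """401.1 only: the 401.2 challenge to an anonymous request is not a failure."""
    return row["sc-status"] == "401" and row["sc-substatus"] == "1"

def failed_logons_by_ip(rows, path_prefix="/Remote/"):
    """Count rejected credentials per client IP under path_prefix; this is the
    sweep picture Matthew describes and the input for a firewall block list."""
    counts = Counter()
    for row in rows:
        if (row["cs-uri-stem"].lower().startswith(path_prefix.lower())
                and is_rejected_credential(row)):
            counts[row["c-ip"]] += 1
    return counts

def attribute_events(events, rows, window_seconds=2):
    """Map each 529 event (keyed by its UTC ISO time) to the client IPs whose
    rejected-credential requests fall within window_seconds of it."""
    window = timedelta(seconds=window_seconds)
    result = {}
    for ev in events:
        ips = {row["c-ip"] for row in rows
               if is_rejected_credential(row) and abs(row["utc"] - ev["utc"]) <= window}
        result[ev["utc"].isoformat()] = sorted(ips)
    return result

if __name__ == "__main__":
    events = parse_security_events(SECURITY_LOG, utc_offset_hours=-4)
    rows = parse_iis_log(IIS_LOG)
    print("rejected credentials per IP:", failed_logons_by_ip(rows).most_common())
    for when, ips in attribute_events(events, rows).items():
        print(f"529 at {when}Z from {ips or 'no matching IIS request'}")
```

Two checks before acting on the output: the `#Fields` line is read from the log rather than hard-coded because IIS lets each site choose its logged columns, and `c-ip`, `sc-status` and `sc-substatus` must actually be enabled or the join has nothing to work with; and the two-second window only holds if the server clock feeding both logs is the same, so widen it if IIS and the Security log disagree by more than that, and treat a 529 with an empty match list as unattributed rather than as proof the attempt came over something other than the web site.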
 
Re: Tracing a break-in attempt

Tom Del Rosso <td_01@att.net.invalid> wrote:
> "Lanwench [MVP - Exchange]"
> <lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in
> message news:OniD2ny5HHA.5844@TK2MSFTNGP02.phx.gbl
>> Tom Del Rosso <td_01@att.net.invalid> wrote:
>>> On a SBS (2003 R1 standard) somebody has been trying to log in to
>>> the RWW as webmaster during the past few days. It produces event
>>> ID 529 with logon type 3, but the source IP doesn't seem to be
>>> recorded. The server has 2 NIC's, but not ISA.

>>
>> I'm presuming you have a good hardware firewall appliance between
>> your network & the internet - if so, you might check its logs. If you
>> don't have a firewall such as this - get one.

>
> Just a router there. SBS has a software firewall,


Yes, but if you're wise, you will not use that. Protect your network with a
decent appliance. I don't use two NICs if I'm not going to put ISA on the
box - and I don't want to turn an already busy server into a router, nor
expose it to the Internet this way.

> and port 443 would
> have to be open even with a firewall appliance.
>
> Yeah it would be nice to have that logging, but it would also be nice
> if SBS logged the IP when it logs the event. Evidently it doesn't.
 
Re: Tracing a break-in attempt

"Lanwench [MVP - Exchange]"
<lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in
message news:umdfytL6HHA.4584@TK2MSFTNGP03.phx.gbl
>
> Yes, but if you're wise, you will not use that. Protect your network
> with a decent appliance. I don't use two NICs if I'm not going to put
> ISA onthe box - and I don't want to turn an already busy server into
> a router, nor expose it to the Internet this way.


I know. Most of my LANs have a Sonicwall or Watchguard. It's hard to
convince some people when they say they got along without it before.


--

Reply in group, but if emailing add another
zero, and remove the last word.
 
Re: Tracing a break-in attempt

Tom Del Rosso <td_01@att.net.invalid> wrote:
> "Lanwench [MVP - Exchange]"
> <lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in
> message news:umdfytL6HHA.4584@TK2MSFTNGP03.phx.gbl
>>
>> Yes, but if you're wise, you will not use that. Protect your network
>> with a decent appliance. I don't use two NICs if I'm not going to put
>> ISA onthe box - and I don't want to turn an already busy server into
>> a router, nor expose it to the Internet this way.

>
> I know. Most of my LANs have a Sonicwall or Watchguard. It's hard to
> convince some people when they say they got along without it before.


Definitely.
 
Re: Tracing a break-in attempt

On Aug 26, 4:22 am, "Mathieu CHATEAU" <gollum...@free.fr> wrote:
> Hello,
>
> as best security, the administrator password would be renamed and disabled.
> Each administrator would have two account:
> -a standard user one for daily tasks (mail/web...)
> -an administrator account (a different of each admins)
>
> --
> Cordialement,
> Mathieu CHATEAU
> http://lordoftheping.blogspot.com
>
> "Anthony" <anthony.s...@spammedout.com> wrote in message
>
>


AFAIK, renaming the Administrator account in SBS is just begging for
trouble.

Dave
 