酷!學園

Technical Discussion => System Security Board => Topic started by: clchang on 2003-11-24 20:35

Subject: What intrusion vector produces this logon failure message?
Author: clchang, 2003-11-24 20:35
Hello seniors:
1. Today, while checking the Security section of the server's Event Viewer, I found that someone has been trying various user name and password combinations to log on to the server. The error message shown is
Logon Failure:
Event ID: 529
Reason: Unknown user name or bad password
User Name: xxx
Logon Type: 3
Domain:
Logon Process: advapi
Authentication Package: Microsoft_Authentication_V1_0
Workstation Name: yyy (the server's name)
2. I tried to reproduce this failure myself
(1) Logging on remotely via Terminal Services: the failure message shows Logon Type 2 and Logon Process: USER32
(2) Logging on locally at the server console: the failure message shows Logon Type 2 and Logon Process: USER32
(3) Logging on remotely via VPN: the failure message shows Logon Type 3 and Logon Process: IAS
None of these reproduces what I saw in 1.
3. What I would like to ask the seniors is: through which channel does the intrusion in 1. come in? I have to know the channel before I can block it. Also, Logon Process: advapi: which logon program has to be run for the logon to be handled by that process?
4. The server runs Windows 2000 Server + ISA Server 2000
Subject: What intrusion vector produces this logon failure message?
Author: clchang, 2003-11-29 00:19
Subject: What intrusion vector produces this logon failure message?
Author: clchang, 2003-11-29 20:35
I searched Google and read close to 200 posts, and found the same problem; it mentions that it seems to be trying the server's POP3 accounts.
On Monday I will try turning OWA off and will report back to the seniors once there are results.
Quote:
Periodically we have attempts to gain access to our network. This is
observed in the event logs as Event ID's 529 with the workstation name being
the server. The attempts read like this:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date:  11/7/2003
Time:  7:04:02 PM
User:  NT AUTHORITY\SYSTEM
Computer: SERVERNAME (Not the real name)
Description:
Logon Failure:
  Reason:  Unknown user name or bad password
  User Name: abc
  Domain:
  Logon Type: 3
  Logon Process: Advapi
  Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  Workstation Name: SERVERNAME (Not the real name)

It's obvious that it's some kind of program that is running that every 3
seconds tries a generic username like abc, data, backup, admin, sql ...

The logon type 3 is equal to "Network" versus lets say 2 which "Interactive"
as in a TS session.
These attacks usually last about 30 minutes or so.

What I'm confused about is whether these originate from outside or inside our
network. Is there any way to detect a program that may be on our network?

Thanks,
Jimbo
Message 2
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa@pacbell.net)
Subject: Re: Attempted Security Breaches
Newsgroup: microsoft.public.backoffice.smallbiz2000
Date: 2003-11-09 12:50:01 PST

http://www.sbsfaq.com/news/getArticle.asp?MessageID=000000001A447390AA6611CD9BC800AA002FC45A0900E049B559A334DD479C5D360FB473600B0000000187180000F401C41B681A9640A459B27C5FF7E6840000B1E572030000

What ports do you have opened up?

--
"Don't lose sight of security. Security is a state of being,
not a state of budget. He with the most firewalls still does
not win. Put down that honeypot and keep up to date on your patches.
Demand better security from vendors and hold them responsible.
Use what you have, and make sure you know how to use it properly
and effectively."
~Rain Forest Puppy
http://www.wiretrip.net/rfp/txt/evolution.txt


Message 3
From: Jimbo (jphelan@frontiernet.net)
Subject: Re: Attempted Security Breaches
Newsgroup: microsoft.public.backoffice.smallbiz2000
Date: 2003-11-09 13:40:02 PST

We are not using ISA since we have a Cisco firewall. We do allow the
following ports:

smtp (25)
Pcanywhere (5631,5632)
Citrix (1494, 1601,3256)
TS (3389)
VPN (1723, 47)

We do not allow relaying, but the article makes me wonder. When we first
noticed these attempts they seemed to be geared at POP3 since there were
corresponding errors in the Application log with login errors to non-existing
POP3 accounts. We have since disallowed POP3 access.
Thanks!
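The following is an added example, not code from the thread or from any of its posters, that does by script what both posts do by eye: it parses Event ID 529 records in the text form pasted above, labels the logon path from the (Logon Type, Logon Process) pairs clchang observed (USER32 with type 2 for console or Terminal Services, IAS with type 3 for VPN) and from the thread's inference for advapi with type 3 and the server as Workstation Name (a service on the server validating the credentials through LogonUser, the suspects being POP3 and OWA basic authentication), and then flags the pattern Jimbo describes: a run of generic user names failing a few seconds apart. The server name, the log records, and the alert thresholds (five failures trying three or more distinct names within one minute) are constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

SERVER = "SERVERNAME"  # assumed server name (the thread redacts it as SERVERNAME / yyy)

# One "  Field Name: value" line of an Event Viewer text export.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")


def parse_events(text):
    """Split a text export into records (blank-line separated); keep the 529s."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if m:
                rec[m.group(1).strip()] = m.group(2).strip()
        if rec.get("Event ID") == "529":
            rec["when"] = datetime.strptime(rec["Date"] + " " + rec["Time"],
                                            "%m/%d/%Y %I:%M:%S %p")
            events.append(rec)
    return events


def channel(rec):
    """Label the logon path using the (type, process) pairs observed in the thread."""
    ltype = rec.get("Logon Type")
    proc = rec.get("Logon Process", "").lower()
    wks = rec.get("Workstation Name", "").upper()
    if ltype == "2" and proc == "user32":
        return "interactive (console or Terminal Services)"
    if ltype == "3" and proc == "ias":
        return "network via RAS/VPN (IAS)"
    if ltype == "3" and proc == "advapi" and wks == SERVER.upper():
        # Credentials were validated by a service on the server itself through
        # LogonUser; the thread's suspects are POP3 and OWA basic authentication.
        return "network via a service on the server calling LogonUser (e.g. POP3/OWA)"
    return "unclassified"


def find_bursts(events, window=timedelta(minutes=1), min_failures=5, min_users=3):
    """One alert per (Logon Process, Workstation Name) group that holds at least
    min_failures 529s inside `window` trying at least min_users distinct names:
    a dictionary run, not one user mistyping a password.  The thresholds are
    assumptions for this example."""
    groups = defaultdict(list)
    for rec in events:
        groups[(rec.get("Logon Process", "").lower(),
                rec.get("Workstation Name", ""))].append(rec)
    bursts = []
    for (proc, wks), recs in groups.items():
        recs.sort(key=lambda r: r["when"])
        start = 0
        for end in range(len(recs)):
            while recs[end]["when"] - recs[start]["when"] > window:
                start += 1
            span = recs[start:end + 1]
            if len(span) >= min_failures and len({r["User Name"] for r in span}) >= min_users:
                bursts.append({"logon_process": proc, "workstation": wks,
                               "first": recs[0]["when"], "last": recs[-1]["when"],
                               "count": len(recs),
                               "users": sorted({r["User Name"] for r in recs}),
                               "channel": channel(recs[0])})
                break
    return bursts


def build_sample_log():
    """Constructed records: eight generic names tried through Advapi three
    seconds apart (the pattern both posters describe), then the original
    poster's own reproduction attempts via console/TS (User32) and VPN (IAS)."""
    template = ("Event ID: 529\nDate:  {d}\nTime:  {t}\nDescription:\nLogon Failure:\n"
                "  Reason:  Unknown user name or bad password\n  User Name: {u}\n"
                "  Domain:\n  Logon Type: {lt}\n  Logon Process: {p}\n"
                "  Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
                "  Workstation Name: {w}\n")
    t0 = datetime(2003, 11, 7, 19, 4, 2)
    rows = [(t0 + timedelta(seconds=3 * i), u, "3", "Advapi", SERVER)
            for i, u in enumerate(["abc", "data", "backup", "admin", "sql", "test", "guest", "web"])]
    rows += [(t0 + timedelta(minutes=10), "clchang", "2", "User32", SERVER),
             (t0 + timedelta(minutes=10, seconds=20), "clchang", "2", "User32", SERVER),
             (t0 + timedelta(minutes=12), "clchang", "3", "IAS", "CLIENTPC")]
    return "\n".join(template.format(d=ts.strftime("%m/%d/%Y"), t=ts.strftime("%I:%M:%S %p"),
                                     u=u, lt=lt, p=p, w=wk) for ts, u, lt, p, wk in rows)


if __name__ == "__main__":
    for b in find_bursts(parse_events(build_sample_log())):
        print(f"[ALERT] {b['count']} failed logons with {len(b['users'])} user names "
              f"{b['first']:%H:%M:%S}-{b['last']:%H:%M:%S} via {b['logon_process']} "
              f"from {b['workstation']}: {b['channel']}")
        print("        names tried:", ", ".join(b["users"]))
```

Run it as a script to see the one alert, or feed parse_events a real Security-log text export. Note that the advapi label is the thread's inference, not something the 529 record states: the record only says that a process on the server handed the credentials to the authentication package for a network logon, so the service's own log (the POP3 or IIS errors Jimbo found in the Application log) is what confirms which listener is being brute-forced.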