RE: Logon/Logoff Failure Events
From: John Ives (jives@cchem.berkeley.edu)
Date: Thu Apr 03 2003 - 12:04:15 CST
To me, this has all the classic symptoms of an enumeration/password
guessing attack. Using a tool like enum, an attacker is able to get a list
of usernames and shares. It is possible, and even advisable, to restrict
this information. For instructions on how to do this see
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B143474. Just
keep in mind that some software (NDS for NT, etc.) needs the null sessions
that are relied upon. If you can block access to the nbt ports (UDP 137
and 138, TCP 139 and UDP/TCP 445 if you also have any Win2k+ machines that
are getting attacked) at your border then I would do that. If you've
already done that then it appears someone has breached the border
protections either by physically accessing your network or by relaying the
attack through some machine inside your network. However, if the second
option is the case I would have expected them to be a little more subtle,
after all it's possible to pick usernames and password hashes off the
network and crack them remotely (relative to your network). One tool that
is very nice and easy to use against individual targets, should you want to
find out how much information can be retrieved from your box, is nbtdump
(http://www.atstake.com/research/tools/info_gathering/) from @stake. When
run against a box that allows enumeration, it generates a nice little html
page with shares (even hidden shares), usernames, how long it has been
since the user's password was changed and how many times the password has
been used to log in.
What to really look for in your logs is a successful logon in the midst of
those failed attempts. Of course this requires that you log successes as
well as failures.
As for your actual question, the only time I have seen anything like this
in a relatively benign situation, the user didn't log off and when her time
restrictions kicked in, the machine repeatedly attempted to get in because
of an automated process she was running. In that sort of scenario the
computer name in the event log correlates to the user's actual computer.
Yours,
John Ives
>-----Original Message-----
>From: A. Naveira [mailto:anaveira@hotmail.com]
>Sent: Monday, March 31, 2003 4:37 PM
>To: incidents@securityfocus.com
>Cc: intrusions@incidents.org
>Subject: Logon/Logoff Failure Events
>
>
>I recently implemented the account lockout policy on my NT4 PDC (all my
>clients authenticate to this server) and encountered the following events in
>my security event log:
>
>1. User accounts continue to get locked (Event 539)
>2. Expired password accounts continue trying to log in to the network (Event
>535)
>3. Accounts restricted to specific workstations are trying to log in to
>unidentified workstations that I can't seem to ID on my network (Event 533)
>AND
>4. Bad password attempts on existing accounts from unidentified workstations
>that I can't seem to ID on my network (Event 529)
>
>These events seem quite unsettling, as I see MULTIPLE failed attempts per
>second (more than humanly possible). Could this be an automated process
>(token authentication) that NT is running to authenticate services, apps, or
>other processes or, as I expect, could it be a script trying to guess user
>passwords? Has anyone encountered this previously in NT4 with benign
>sources?
>
>Ana
>
-------------------------------------------------
John Ives, GCWN
Systems Administrator
College of Chemistry
(510) 643-1033
"If you spend more on coffee than on IT security, then you will be hacked.
What's more, you deserve to be hacked." - Richard Clarke, special adviser
to the president on cybersecurity
Any opinions expressed are my own and not those of the Regents of the
University of California.
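As an added illustration of the log check John describes (a burst of failures faster than a human could type, and a successful logon in the midst of them), not code from either poster: a small Python script run over constructed NT4-style security-log lines. It assumes a tab-separated export of date/time, event id, user and workstation, and that event 528 is the successful-logon id; both are assumptions, not from the thread.

```python
from collections import Counter
from datetime import datetime, timedelta
# Constructed sample in a tab-separated export form:
# "date time<TAB>event id<TAB>user<TAB>workstation". Not from a real log.
SAMPLE_LOG = """\
2003-03-31 16:37:01\t529\tjsmith\tWKS-UNKNOWN1
2003-03-31 16:37:01\t529\tmjones\tWKS-UNKNOWN1
2003-03-31 16:37:01\t535\tbold\tWKS-UNKNOWN1
2003-03-31 16:37:01\t533\tcarol\tWKS-UNKNOWN1
2003-03-31 16:37:02\t529\tjsmith\tWKS-UNKNOWN1
2003-03-31 16:37:02\t539\tjsmith\tWKS-UNKNOWN1
2003-03-31 16:37:02\t528\tmjones\tWKS-UNKNOWN1
2003-03-31 16:40:10\t529\tana\tANA-PC
2003-03-31 16:55:00\t528\tana\tANA-PC
"""

# 529 bad password, 533 workstation restriction, 535 expired password, 539 lockout (from the thread)
FAILURE_IDS = {529, 533, 535, 539}
SUCCESS_ID = 528            # successful logon; assumed NT4 id, not mentioned in the thread
RATE_THRESHOLD = 3          # this many failures in one second from one host is not a human
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

def parse(log_text):
    """Turn the tab-separated export into a list of event dicts, in log order."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, eid, user, ws = line.split("\t")
        events.append({"ts": datetime.strptime(ts, TS_FORMAT), "id": int(eid),
                       "user": user, "ws": ws})
    return events

def bursty_workstations(events, threshold=RATE_THRESHOLD):
    """Workstations that produced `threshold` or more failures within a single second."""
    per_second = Counter((e["ws"], e["ts"]) for e in events if e["id"] in FAILURE_IDS)
    return sorted({ws for (ws, _), n in per_second.items() if n >= threshold})

def successes_amid_failures(events, window=timedelta(minutes=5)):
    """(user, workstation, time) for each success preceded within `window` by a failure from the same host."""
    hits = []
    for e in events:
        if e["id"] != SUCCESS_ID:
            continue
        recent = [f for f in events if f["id"] in FAILURE_IDS and f["ws"] == e["ws"]
                  and e["ts"] - window <= f["ts"] <= e["ts"]]
        if recent:
            hits.append((e["user"], e["ws"], e["ts"].strftime(TS_FORMAT)))
    return hits
```

On the sample, WKS-UNKNOWN1 is flagged as bursty and the mjones success from it is the one worth chasing; the ana failure followed by a success 15 minutes later from her own machine falls outside the window and looks like the benign case John describes.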