RE: Strange Windows logon attempts

From: David Harper (david.harper@thermon.com)
Date: Wed Sep 24 2003 - 07:22:13 CDT


FYI, we get these a lot as well, but we also see the same thing on our web
server. There it attempts to log on via the FTP service. Same modus
operandi, just a different service. I'd keep a close watch on any Internet
facing servers to see if it's trying to hit any of them on a different
service.

-----Original Message-----
From: chris emer [mailto:chris@hostmysite.com]
Sent: Tuesday, September 23, 2003 12:36 PM
To: incidents@securityfocus.com
Subject: Re: Strange Windows logon attempts

In-Reply-To: <005301c37885$80b45030$0101010a@nmi.net>

I have noticed on one of our servers that there were many attempts to log in
as "webmaster" in a very short time period. I checked 3 other servers and
found the same thing. The time range for the attempted logins was between the
19th Sept and the 23rd Sept. The login attempts were every 2 or 3 seconds and
they never got in. They showed up in the event log with an Event ID of 100
and a source of SMTPSVC.

I am keeping a close eye on this, any additional help or suggestions would
be great.

Chris

>From: "Chris Harrington" <cmh@nmi.net>
>To: <incidents@securityfocus.com>
>Subject: Strange Windows logon attempts
>Date: Thu, 11 Sep 2003 12:55:27 -0400
>Message-ID: <005301c37885$80b45030$0101010a@nmi.net>
>In-Reply-To: <20030910152212.32524.qmail@sf-www2-symnsj.securityfocus.com>


>All,
>
>A customer notified us that someone / something tried to log into one of
>their servers repeatedly but failed. It appears to be some sort of
>script since it tried 6 usernames with 23 passwords in under 2 minutes.
>The event log is a typical 529 event ID. The logon type was 3 (network)
>and the logon process was advapi. I generally see this when someone
>tries to log in to IIS using cleartext authentication. There is no
>evidence in the w3svc logs of these attempts. There were no successful
>logins using that logon process.
>
>This server is an Exchange server with port 25 accessible from the
>Internet. I have verified this is the only port open by scan and
>firewall rules.
>
>1. Can anyone access the advapi (or any domain login process) over port
>25 on an Exchange server? I did not think that SMTP AUTH could do that.
>
>2. What other common programs use the advapi call for authentication?
>
>The usernames that were tried are webmaster, admin, root, test, master,
>web. Each one was tried in that order with 23 passwords, all failed.
>
>3. Does anyone know what script / app / virus / worm that could be?
>
>Any insights?
>
>Thanks,
>
>--Chris

>[S/MIME signature attachment smime.p7s omitted]
>
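The pattern both posters describe (a tight run of failed logons that cycles through a handful of usernames, logged as Event ID 529 with logon type 3 and logon process advapi) is easy to pick out of an exported Security log once failures are grouped by how closely they follow one another. The following is an added example and not code from the thread or from either poster: a Python filter over constructed sample records (the field names, the server names MAILSRV and WKS01, and the thresholds are all assumptions) that clusters failed logons on the same server into runs separated by no more than a short gap, then flags runs with many attempts against several distinct accounts. It also accepts Event ID 4625, the equivalent on later Windows versions, which the thread predates.

```python
"""Flag scripted password guessing in exported Windows Security log events.

Added example, not part of the original thread. Input records are constructed
below; in practice they would come from an evtx or CSV export of the Security log.
"""
from collections import namedtuple
from datetime import datetime, timedelta

# Minimal view of one Security log entry. logon_type 3 is a network logon and
# logon_process "advapi" is what the original post reported.
Event = namedtuple("Event", "time event_id user logon_type logon_process source")

FAILED_LOGON_IDS = {529, 4625}  # 529 on NT4/2000/2003, 4625 on Vista and later


def make_sample_events():
    """Constructed sample data (not real logs): the 6-user x 23-password run the
    thread describes, plus a few ordinary mistyped passwords that must not alert."""
    events = []
    t = datetime(2003, 9, 11, 9, 0, 0)
    for user in ["webmaster", "admin", "root", "test", "master", "web"]:
        for _ in range(23):
            events.append(Event(t, 529, user, 3, "advapi", "MAILSRV"))
            t += timedelta(milliseconds=800)  # 138 attempts in under two minutes
    for hour in (7, 12, 16):  # one real user, hours apart, interactive logon
        events.append(Event(datetime(2003, 9, 11, hour, 15), 529, "jsmith", 2, "User32", "WKS01"))
    return events


def cluster_failures(events, max_gap=timedelta(seconds=10)):
    """Group failed logons on the same server into runs in which consecutive
    attempts are at most max_gap apart. Returns a list of event lists."""
    failed = sorted((e for e in events if e.event_id in FAILED_LOGON_IDS),
                    key=lambda e: (e.source, e.time))
    clusters, current = [], []
    for e in failed:
        new_run = current and (e.source != current[-1].source
                               or e.time - current[-1].time > max_gap)
        if new_run:
            clusters.append(current)
            current = []
        current.append(e)
    if current:
        clusters.append(current)
    return clusters


def find_bursts(events, max_gap=timedelta(seconds=10), min_attempts=20, min_users=3):
    """Return one summary per run that looks like a guessing script: many attempts,
    several distinct usernames, and no breathing room between them."""
    alerts = []
    for run in cluster_failures(events, max_gap):
        users = []
        for e in run:
            if e.user not in users:
                users.append(e.user)  # keep first-seen order, as the post reports it
        if len(run) >= min_attempts and len(users) >= min_users:
            span = max((run[-1].time - run[0].time).total_seconds(), 1.0)
            alerts.append({
                "source": run[0].source,
                "start": run[0].time,
                "end": run[-1].time,
                "attempts": len(run),
                "users": users,
                "logon_processes": sorted({e.logon_process for e in run}),
                "rate_per_sec": round(len(run) / span, 2),
            })
    return alerts


if __name__ == "__main__":
    for a in find_bursts(make_sample_events()):
        secs = (a["end"] - a["start"]).total_seconds()
        print(f"{a['source']}: {a['attempts']} failed logons in {secs:.0f}s "
              f"across {len(a['users'])} accounts {a['users']} via {a['logon_processes']}")
```

The gap-based clustering is what separates a script from a forgetful user: the three WKS01 failures are hours apart and never form a run, while the MAILSRV attempts arrive under a second apart and collapse into a single alert whose username list reproduces the order the script walked through. Tune max_gap upward (the second poster saw attempts every 2 or 3 seconds) if a slower script needs to be caught.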
