Windows Server 2008 R2 Thread: attempted hacking? (forum: Technical)
  1. #1


    attempted hacking?

    I just checked my Security logs on our remote access server and found the following. Is someone trying to hack my remote access server, as the IP looks like it's coming from Korea?


    Log Name: Security
    Source: Microsoft-Windows-Security-Auditing
    Date: 15/08/2013 00:37:44
    Event ID: 4625
    Task Category: Logon
    Level: Information
    Keywords: Audit Failure
    User: N/A
    Computer: SERVER.DOMAIN.local
    Description:
    An account failed to log on.

    Subject:
    Security ID: SYSTEM
    Account Name: SERVERNAME$
    Account Domain: DOMAIN
    Logon ID: 0x3e7

    Logon Type: 10

    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: administrator
    Account Domain: SERVER

    Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006d
    Sub Status: 0xc000006a

    Process Information:
    Caller Process ID: 0x8b8
    Caller Process Name: C:\Windows\System32\winlogon.exe

    Network Information:
    Workstation Name: SERVERNAME
    Source Network Address: 121.156.133.203
    Source Port: 3637

    Detailed Authentication Information:
    Logon Process: User32
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

  2. #2

    Oaktech
    Quite possibly... keep an eye on it. If it persists you might be able to get your firewall configured to drop packets from it.

    We've had our PaloAlto running in the wild for 3 days on our new connection and we're getting about 300 attempts a day to brute force the external management interface. It's not going to work as the external interface won't accept connections except from specified addresses. We're also seeing attempts on our webserver, MIS external server, and mailserver from both SMTP attempts and HTTP. None of it is working as the Palo is cleverer than that!

  3. #3

    We use the SWGFL for our filtering and firewall and they just suggested changing the system account name and password to something complex, as well as keeping an eye out for any user accounts that may have been created.

    Interestingly I have found IPs for Basildon in Essex, London and Hungary!

  4. #4

    Geoff
    There are compromised systems out on the internet that will scan whole IP blocks looking for open ports to well-known services (SSH, Telnet, FTP, NetBIOS, Kerberos, SIP, NIS, HTTP, etc.) and once they find a system will attempt to brute force it via dictionary attacks. It's just a fact of life on the internet these days. So as long as you have your firewalls set up right it should not be an issue. On my Linux boxes I go beyond this though. I have IPTables rate limits, fail2ban, etc. set up so these scans don't waste too many system resources.

  5. #5

    glennda
    Sounds to me like there is a device with Conficker, I seem to remember that was a culprit for this.

  6. #6

    Quote Originally Posted by glennda:
    Sounds to me like there is a device with Conficker, I seem to remember that was a culprit for this.
    There's nothing showing in Sophos Enterprise Console though.

  7. #7

    glennda
    Quote Originally Posted by techie08:
    There's nothing showing in Sophos Enterprise Console though.
    But they are awful at detecting it; it could be somebody else's device, a CCTV server, anything.

  8. #8

    Ephelyon
    How was the attack vector for this server exposed - RDP?

    Are there multiple instances of this event or just the one?

  9. #9

    Quote Originally Posted by Ephelyon:
    How was the attack vector for this server exposed - RDP?

    Are there multiple instances of this event or just the one?
    Yes it was. I have since blocked the RDP port on the firewall.

  10. #10

    Ephelyon
    Did the event occur more than once?

  11. #11

    Just slightly, every 2 seconds!

  12. #12

    Ephelyon
    Does sound like a potential automated brute-force then...

  13. #13
    MordyT
    There is this tool out on GitHub called ts_block... Might want to look into it.
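The thread's own evidence (Event ID 4625, Logon Type 10, Sub Status 0xC000006A, one source address hitting every two seconds) is exactly what a host-side detector like ts_block keys on. As an added example, not code from the thread or from ts_block, the script below tallies recent 4625 RDP failures per source address from the Security log and prints (or, with -Block, adds) a netsh advfirewall block rule for any address over a threshold. It assumes PowerShell 2.0 or later on the server itself, run as an administrator, and the parameter names, threshold value and rule-name prefix are illustrative choices.

```powershell
# Added example, not from the thread: tally Event ID 4625 (logon failure)
# events by source address and emit a block rule for repeat offenders.
# Assumptions: run as an administrator on the server itself, PowerShell 2.0+
# (Server 2008 R2), Windows Firewall managed through netsh advfirewall.
param(
    [int]$Hours = 1,        # look-back window in the Security log
    [int]$Threshold = 20,   # failures from one address before it is flagged
    [switch]$Block          # add firewall rules instead of only printing them
)

$since  = (Get-Date).AddHours(-$Hours)
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = $since }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# The fields shown in the post (Logon Type, Source Network Address, Sub Status)
# live in the event's EventData XML under fixed names.
$records = foreach ($ev in $events) {
    $xml = [xml]$ev.ToXml()
    $d = @{}
    foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    New-Object PSObject -Property @{
        Time      = $ev.TimeCreated
        Ip        = $d['IpAddress']
        User      = $d['TargetUserName']
        LogonType = $d['LogonType']   # 10 = RemoteInteractive, i.e. RDP
        SubStatus = $d['SubStatus']   # 0xC000006A = bad password, account exists
    }
}

# Keep only RDP failures that carry a real remote address.
$rdp = @($records | Where-Object {
    $_.LogonType -eq '10' -and $_.Ip -and $_.Ip -ne '-' -and $_.Ip -ne '127.0.0.1' })

$summary = foreach ($g in ($rdp | Group-Object Ip | Sort-Object Count -Descending)) {
    $times = @($g.Group | Sort-Object Time | ForEach-Object { $_.Time })
    $span  = ($times[-1] - $times[0]).TotalSeconds
    $rate  = if ($span -gt 0) { [math]::Round($g.Count / ($span / 60), 1) } else { $g.Count }
    $users = @($g.Group | ForEach-Object { $_.User } | Sort-Object -Unique) -join ','
    New-Object PSObject -Property @{ Ip = $g.Name; Failures = $g.Count; PerMin = $rate; Users = $users }
}
$summary | Format-Table Ip, Failures, PerMin, Users -AutoSize

# A steady stream from one address ("every 2 seconds" in the thread) is an
# automated guessing loop; drop it at the host firewall, which is what ts_block does.
foreach ($s in @($summary | Where-Object { $_.Failures -ge $Threshold })) {
    $rule  = "BlockRDPBruteForce_$($s.Ip)"
    $nargs = @('advfirewall','firewall','add','rule',"name=$rule",'dir=in','action=block',"remoteip=$($s.Ip)")
    if ($Block) { & netsh $nargs } else { Write-Host "Would run: netsh $($nargs -join ' ')" }
}
```

Run it first without -Block to review the per-address table; a high PerMin with a single target user such as administrator is the pattern the original post shows.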
