I just checked my Security logs on our remote access server and found the following. Is someone trying to hack my remote access server, as the IP looks like it's coming from Korea?
Log Name: Security
Date: 15/08/2013 00:37:44
Event ID: 4625
Task Category: Logon
Keywords: Audit Failure
An account failed to log on.
Security ID: SYSTEM
Account Name: SERVERNAME$
Account Domain: DOMAIN
Logon ID: 0x3e7
Logon Type: 10
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: administrator
Account Domain: SERVER
Failure Reason: Unknown user name or bad password.
Sub Status: 0xc000006a
Caller Process ID: 0x8b8
Caller Process Name: C:\Windows\System32\winlogon.exe
Workstation Name: SERVERNAME
Source Network Address: 126.96.36.199
Source Port: 3637
Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
Quite possibly... keep an eye on it. If it persists you might be able to get your firewall configured to drop packets from it.
We've had our PaloAlto running in the wild for 3 days on our new connection and we're getting about 300 attempts a day to brute force the external management interface. It's not going to work as the external interface won't accept connections except from specified addresses. We're also seeing attempts on our webserver, MIS external server, and mailserver from both SMTP attempts and HTTP. None of it is working as the Palo is cleverer than that!
We use the SWGFL for our filtering and firewall and they just suggested to change the system account name and password to something complex as well as keeping an eye out for any user accounts that may have been created.
Interestingly I have found IPs for Basildon in Essex, London and Hungary!
There are compromised systems out on the internet that will scan whole IP blocks looking for open ports to well known services (SSH, Telnet, FTP, NetBIOS, Kerberos, SIP, NIS, HTTP, etc.) and once they find a system will attempt to brute force it via dictionary attacks. It's just a fact of life on the internet these days. So as long as you have your firewalls set up right it should not be an issue. On my Linux boxes I go beyond this though. I have iptables rate limits, fail2ban, etc. set up so these scans don't waste too many system resources.
Sounds to me like there is a device with Conficker; I seem to remember that was a culprit for this.
There's nothing showing in Sophos Enterprise Console though.
Originally Posted by glennda
But they are awful at detecting it, it could be somebody else's device, CCTV server anything.
Originally Posted by techie08
How was the attack vector for this server exposed - RDP?
Are there multiple instances of this event or just the one?
Yes it was. I have since blocked the RDP port on the firewall.
Originally Posted by Ephelyon
Did the event occur more than once?
Just slightly, every 2 seconds!
Does sound like a potential automated brute-force then...
There is this tool out on GitHub called ts_block... Might want to look into it.
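For readers who want to see what the "every 2 seconds" pattern from the original 4625 event looks like to a detector, here is an added example (not ts_block's code and not from anyone in the thread) that parses 4625-style "Key: Value" messages, decodes the Sub Status code, and flags a source address once it racks up a threshold of failed Logon Type 10 (RDP) logons inside a sliding window. The sample events, the TEST-NET addresses 203.0.113.7 and 192.0.2.10, and the user names are constructed for the demo; the Sub Status meanings are Microsoft's documented NTSTATUS values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# NTSTATUS sub-status values that Event ID 4625 reports (documented by Microsoft).
SUB_STATUS = {
    0xC0000064: "user name does not exist",
    0xC000006A: "user name is correct but the password is wrong",
    0xC0000234: "account locked out",
    0xC0000072: "account disabled",
    0xC000006F: "logon outside permitted hours",
}


def describe_sub_status(code: str) -> str:
    """Translate the hex Sub Status string from a 4625 event into words."""
    return SUB_STATUS.get(int(code, 16), f"unknown sub status {code}")


def parse_event(text: str) -> dict:
    """Turn the 'Key: Value' lines of a 4625 message into a dict.
    'Account Name' appears twice in a real 4625 (the subject, then the account
    the logon failed for); keeping the last occurrence gives the targeted account."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


class RdpBruteForceDetector:
    """Flag a source address once it produces `threshold` failed RDP logons
    (Logon Type 10) inside a sliding `window`."""

    def __init__(self, threshold: int = 5, window: timedelta = timedelta(minutes=1)):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)   # source IP -> recent failure timestamps
        self.blocked = []                    # IPs flagged, in the order they tripped

    def observe(self, event: dict):
        """Feed one parsed event; return the IP if it just crossed the threshold."""
        if event.get("Event ID") != "4625" or event.get("Logon Type") != "10":
            return None
        ip = event.get("Source Network Address", "-")
        if ip in ("-", "127.0.0.1", "::1"):   # console/local noise, not a remote source
            return None
        ts = datetime.strptime(event["Date"], "%d/%m/%Y %H:%M:%S")
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()                  # drop failures older than the window
        if len(recent) >= self.threshold and ip not in self.blocked:
            self.blocked.append(ip)
            return ip
        return None


# Constructed sample: a template shaped like the thread's event, filled with
# made-up TEST-NET addresses (203.0.113.7 hammering every 2 seconds, 192.0.2.10
# failing once, as a real user mistyping a password would).
TEMPLATE = """Event ID: 4625
Date: {date}
Logon Type: 10
Account Name: {user}
Failure Reason: Unknown user name or bad password.
Sub Status: {sub}
Source Network Address: {ip}
"""


def constructed_events() -> list:
    start = datetime(2013, 8, 15, 0, 37, 44)
    stamp = lambda secs: (start + timedelta(seconds=secs)).strftime("%d/%m/%Y %H:%M:%S")
    events = [TEMPLATE.format(date=stamp(2 * i), user="administrator",
                              sub="0xc000006a", ip="203.0.113.7") for i in range(8)]
    events.insert(3, TEMPLATE.format(date=stamp(5), user="jsmith",
                                     sub="0xc000006a", ip="192.0.2.10"))
    return events


def run_sample(threshold: int = 5) -> list:
    """Run the detector over the constructed events; returns the flagged IPs."""
    det = RdpBruteForceDetector(threshold=threshold, window=timedelta(minutes=1))
    for raw in constructed_events():
        det.observe(parse_event(raw))
    return det.blocked


if __name__ == "__main__":
    first = parse_event(constructed_events()[0])
    print(first["Source Network Address"], "->", describe_sub_status(first["Sub Status"]))
    print("would block:", run_sample())
```

The one-off failure from 192.0.2.10 never reaches the threshold, so only the address failing every two seconds is flagged; in practice the flagged address would be handed to a firewall rule or to a tool like ts_block, and the real fix remains not exposing RDP to the internet at all.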