Denial of service attack plus unauthorised user trying to logon to SBS server.

Discussion in 'Windows Small Business Server' started by Derek, Sep 11, 2008.

  1. Derek

    Derek Guest

    Hi SBS Group,

    There are 2 things: 1 was an unknown user trying to logon, last attempt on
    10th Sept 2008 22:32. 2nd thing is a Denial Of Service type attack from many
    IP addresses to the ADSL router's internet IP address all to port
    57740.

    First is the security log from the performance report I am emailed each day,
    which is below. There is no user called "alex".

    Source Event ID Last Occurrence Total Occurrences
    Security 529 10/09/2008 22:32 92 *
    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: alex
    Domain:
    Logon Type: 3
    Logon Process: Advapi
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name: xxxhiddenxxx
    Caller User Name: xxxhiddenxxx$
    Caller Domain: xxxhiddenxxx
    Caller Logon ID: (0x0,0x3E7)
    Caller Process ID: 1836
    Transited Services: -
    Source Network Address: -
    Source Port: -



    2nd: DOS Type Attack on the same site.

    There was a Denial of Service type attack this morning on a router that
    provides the internet ADSL connection for this small business running
    Windows SBS2003. I've not had this before in my limited experience. The
    router was probed 2 times per second over approx 1 hour. During this time I
    received 235 emails each containing approx 20 IP addresses. Here is an
    example of one of the emails from the router:

    TCP Packet - Source:24.80.171.212,61936 Destination:89.240.xxx.xxx,57740 - [DOS]
    TCP Packet - Source:99.231.156.216,3745 Destination:89.240.xxx.xxx,57740 - [DOS]
    TCP Packet - Source:64.46.25.226,41500 Destination:89.240.xxx.xxx,57740 - [DOS]
    TCP Packet - Source:71.127.63.127,50157 Destination:89.240.xxx.xxx,57740 - [DOS]
    TCP Packet - Source:24.80.171.212,61936 Destination:89.240.xxx.xxx,57740 - [DOS]
    TCP Packet - Source:24.231.40.71,1464 Destination:89.240.xxx.xxx,57740 - [DOS]
    TCP Packet - Source:83.114.28.232,1189 Destination:89.240.xxx.xxx,57740 - [DOS]
    TCP Packet - Source:91.194.239.59,1491 Destination:89.240.xxx.xxx,57740 - [DOS]
    TCP Packet - Source:64.46.25.226,41500 Destination:89.240.xxx.xxx,57740 - [DOS]
    TCP Packet - Source:24.231.40.71,1464 Destination:89.240.xxx.xxx,57740 - [DOS]
    TCP Packet - Source:71.127.63.127,50157 Destination:89.240.xxx.xxx,57740 - [DOS]
    TCP Packet - Source:217.171.129.76,50295 Destination:89.240.xxx.xxx,57740 - [DOS]
    TCP Packet - Source:83.114.28.232,1189 Destination:89.240.xxx.xxx,57740 - [DOS]
    TCP Packet - Source:84.94.215.254,56289 Destination:89.240.xxx.xxx,57740 - [DOS]
    TCP Packet - Source:114.108.220.204,4303 Destination:89.240.xxx.xxx,57740 - [DOS]
    TCP Packet - Source:24.80.171.212,61936 Destination:89.240.xxx.xxx,57740 - [DOS]
    TCP Packet - Source:78.149.133.65,60693 Destination:89.240.xxx.xxx,57740 - [DOS]
    TCP Packet - Source:93.110.137.104,3778 Destination:89.240.xxx.xxx,57740 - [DOS]
    TCP Packet - Source:69.205.30.44,3279 Destination:89.240.xxx.xxx,57740 - [DOS]

    I've put in xxx.xxx in order to hide the IP address.

    The router is setup to email the logs to myself, which it has done, and I'm
    just wondering what do I do with them now.
    Is there a police group I should send them to that track this sort of thing?
    Why would they attack port 57740?
    Is there a program that uses this port which has a known weakness?

    The "attack" started on 11th Sept 2008 at 4:25am and almost stopped at
    5:30am, but a few more came through until 8:35am.

    Any info or suggestions please?

    Thanks.
     
    Derek, Sep 11, 2008
    #1
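A small triage script for the router's e-mailed log lines, written as an added example (it is not part of the thread and not the router's own tooling). It parses lines in the format shown above, counts distinct sources and the destination ports hit, flags source IP/port pairs that recur (one client retrying rather than a new attacker), turns the reported 235 e-mails of roughly 20 lines over the 04:25 to 05:30 window into a probes-per-second figure, and checks the targeted ports against the list of ports the router actually forwards. The sample lines are copied from the post; the forwarded-port set `FORWARDED_PORTS` is an assumption based on Derek's later description (http for the CCTV viewer, https for RWW) and should be replaced with the router's real forwarding table.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: lines in the format the ADSL router e-mailed (source IPs
# taken from the post; the destination is the post's own xxx placeholder).
ROUTER_LOG = """\
TCP Packet - Source:24.80.171.212,61936 Destination:89.240.xxx.xxx,57740 - [DOS]
TCP Packet - Source:99.231.156.216,3745 Destination:89.240.xxx.xxx,57740 - [DOS]
TCP Packet - Source:64.46.25.226,41500 Destination:89.240.xxx.xxx,57740 - [DOS]
TCP Packet - Source:71.127.63.127,50157 Destination:89.240.xxx.xxx,57740 - [DOS]
TCP Packet - Source:24.80.171.212,61936 Destination:89.240.xxx.xxx,57740 - [DOS]
TCP Packet - Source:24.231.40.71,1464 Destination:89.240.xxx.xxx,57740 - [DOS]
TCP Packet - Source:83.114.28.232,1189 Destination:89.240.xxx.xxx,57740 - [DOS]
TCP Packet - Source:64.46.25.226,41500 Destination:89.240.xxx.xxx,57740 - [DOS]
"""

# Assumed forwarding table: only the two ports the thread names explicitly
# (http for the CCTV viewer, https for RWW). Replace with the router's real list.
FORWARDED_PORTS = {80, 443}

LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP) Packet - Source:(?P<src>[\d.x]+),(?P<sport>\d+) "
    r"Destination:(?P<dst>[\d.x]+),(?P<dport>\d+) - \[(?P<tag>\w+)\]$"
)


def parse_line(line):
    """Return the fields of one router log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["sport"] = int(fields["sport"])
    fields["dport"] = int(fields["dport"])
    return fields


def summarize(text):
    """Count events, distinct sources, destination ports and retrying clients."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    sources = Counter(e["src"] for e in events)
    ports = Counter(e["dport"] for e in events)
    # The same source IP *and* source port recurring is one client retrying its
    # connection, not another attacker; it counts against a "many attackers" reading.
    retries = Counter((e["src"], e["sport"]) for e in events)
    return {
        "events": len(events),
        "unique_sources": len(sources),
        "ports": sorted(ports),
        "retrying_clients": sorted(k for k, n in retries.items() if n > 1),
    }


def probe_rate(emails, lines_per_email, start_hhmm, end_hhmm):
    """Probes per second from the counts the router's e-mails report."""
    start = datetime.strptime(start_hhmm, "%H:%M")
    end = datetime.strptime(end_hhmm, "%H:%M")
    return emails * lines_per_email / (end - start).total_seconds()


def assess(summary, forwarded_ports):
    """Defender's reading: stray traffic to a closed port vs. a forwarded service."""
    hit = [p for p in summary["ports"] if p in forwarded_ports]
    if hit:
        return f"traffic reaches forwarded port(s) {hit}: check the service behind them"
    return "all traffic hits port(s) nothing is forwarded to: dropped at the router"


if __name__ == "__main__":
    s = summarize(ROUTER_LOG)
    print(s)
    print(assess(s, FORWARDED_PORTS))
    # 235 e-mails x ~20 lines over 04:25-05:30, the figures Derek reported
    print(f"{probe_rate(235, 20, '04:25', '05:30'):.2f} probes/second")
```

On the full set of e-mails the `retrying_clients` list tells you how many distinct clients there really were, and `assess` gives the answer Miles Li's reply asks for: if 57740 is not in the router's forwarding table, the packets never reach the LAN.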

  2. Derek

    Derek Guest

    Thanks for the reply Russ.

    Router ports: yes only those are open but we do have 80 forwarding to a CCTV
    system remote viewer. Maybe it's time to change that to another port? It
    is also password protected as it is. It's been put on port 80 for ease of
    use for the customer when using a web browser. They use http for CCTV and
    https for RWW.

    Non-static IP address: The IP at this site is non-static, using a dyndns
    service for remote connection. Perhaps the previous user was a file sharer,
    game hoster, or doing some other activity and using port 57740, hence the
    connection attempts.

    The attempted logons to the server: is it possible to tell if these are RWW
    or from someone at the terminal, or even if it's from within the LAN or else
    the WAN? Here is the log in the hope you can tell from it:

    Source Event ID Last Occurrence Total Occurrences
    Security 529 12/09/2008 07:36 243 *
    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: administrator
    Domain:
    Logon Type: 3
    Logon Process: Advapi
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name: [server name]
    Caller User Name: [server name]$
    Caller Domain: [correct domain]
    Caller Logon ID: (0x0,0x3E7)
    Caller Process ID: 1836
    Transited Services: -
    Source Network Address: -
    Source Port: -

    * [server name] and [correct domain] are the names of the server and the
    domain, I've just changed for posting here.

    Summary:
    1 - thanks for reassurance of the "port probe/DOS", passwords should protect
    against that.
    2 - The Administrator logon failures, I'm assuming that this is also ok so
    long as the password is secure, but is it from within the LAN or the WAN?

    Thanks.



     
    Derek, Sep 12, 2008
    #2

  3. Teneo

    Teneo Guest

    Hi Derek

    Firstly MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 is related to SMTP / testing
    to use you as an open relay. Sorry Russ your link was for XP only. Switch on
    SMTP logging on properties of Virtual SMTP Server and you will find the log
    showing port 25 and the IP attempting which you can block.

    The DOS attack is a BIG concern and you have to understand why you have a
    DOS attack. You have so many probes because a hacker has found a possible
    hole and is probing it. And in a later post I think you hit the nail on the
    head. The camera at port 80: if a hacker finds port 80, especially on a
    Windows based system, they will go to town on that system. Please change the
    camera from port 80.

    If anyone gets a big scan then there is something that attracted the hacker
    and it is prudent to investigate and ask WHY did you get attacked / probed,
    what did they find?

    Hope this helps.




     
    Teneo, Sep 13, 2008
    #3
  4. Derek

    Derek Guest

    Thanks for your reply.

    Just confirming that the user "alex" doesn't exist at the site, it looks
    like someone was trying to logon with that name. It just occurred to me
    that I will have to check their wireless network to make sure it's secure.
    I'm fairly sure there is WPA, but I will check.

    Thanks very much for your replies Russ, they have been helpful, informative
    and educational!

    Kind regards.
    Derek.

     
    Derek, Sep 13, 2008
    #4
  5. Derek

    Derek Guest

    Hi Teneo,

    I've just seen your post. I'll talk to the boss there and advise him we
    move the CCTV from port 80 to another port.


    *** Non-Static Internet IP Address: ***
    The thing I was most surprised by was the probes were trying port 57740 for
    an hour, 2x per second. I don't know of any service running on that port.
    The Internet IP address is NON Static, I was guessing that maybe the IP
    address changed at that point and we ended up with the IP address of a P2P
    file sharer who was using port 57740, or someone hosting a game, or some
    other service. And that these probes were from others still trying to
    connect to that "new" IP address from the previous user?

    2x per second probes from different IP addresses, I'm guessing that this is
    not enough to be a true DOS attack, but then I really don't know about this.
    It's a standard ADSL router supplied by the ISP with some port forwarding
    and basic firewall capability.

    To Do: Change the CCTV from port 80 to another port number. Anything else?

    Thanks guys for your posts, they've been very helpful. This group is great.


     
    Derek, Sep 14, 2008
    #5
  6. Yes, I can't identify 57740 as any particular game, or exploit, and there is
    a bit of up and down according to the Internet Storm Center (isc.sans.org)
    but not such that it would cause concern.

    With the dynamic IP I'd have to suggest assuming a game/P2P is fair. I can
    actually see some torrent files using the port, but of course that could be
    just the search parameter, you could probably find a torrent operating on
    any port number.

     
    SuperGumby [SBS MVP], Sep 14, 2008
    #6
  7. Hello Derek,

    Thank you for posting here.

    According to your description, I understand that:

    You receive the Event ID 529 on the SBS server that indicates the
    authentication failure. You also notice that remote hosts (containing
    approx 20 IP addresses) try to connect to the router on a TCP port 2 times per
    second.

    If I have misunderstood the problem, please don't hesitate to let me know.

    Question 1
    ==========
    The "advapi" API is a logon process. The failure audit indicates that there
    is a process or application making a call to LogonUser that has sent wrong
    credentials (non-existing user account ALEX). Typically, you can safely
    ignore this event log as it just means a logon attempt failed. It will be
    logged when a user tries to log onto the domain with an account named ALEX
    that does not exist in the domain. If you want to find out the exact
    process on the exact computer that has sent wrong credentials, you can refer to
    the following steps:

    a) Get the Workstation Name field.

    Workstation Name: xxxhiddenxxx

    b) On that specific computer, run the following command to find out the
    process with PID 1836.

    tasklist |find "1836"


    More information about User Authentication Auditing, you may refer to:

    305822 Failure Events Are Logged When the Welcome Screen Is Enabled
    http://support.microsoft.com/kb/305822

    174073 Auditing User Authentication
    http://support.microsoft.com/kb/174073

    Microsoft Windows 2000 Server and Windows Server 2003: Password and Account
    Lockout Features
    http://support.microsoft.com/default.aspx?scid=/servicedesks/webcasts/en%2Fwc022703%2Fwct022703.asp

    Question 2
    ==========
    Based on my research, there isn't a known service/worm/virus using TCP
    port 57740. You may encounter Distributed Denial of Service (DDoS) attacks
    on the router. It can have an effect on the performance of the router.
    Please verify whether you have configured port mapping on the TCP port 57740
    to redirect the traffic to internal computers. If not, you can safely
    ignore it as long as the router performance is not greatly affected.

    Distributed Denial of Service Attacks
    http://technet.microsoft.com/en-us/library/cc722942.aspx

    Just for your reference, if you encounter any denial of service attack on the SBS
    server you may refer to the following Microsoft Knowledge Base article to
    harden the TCP/IP stack:

    324270 How to harden the TCP/IP stack against denial of service attacks
    in Windows Server 2003
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;324270


    Hope it helps. Also, if you have any questions or concerns, please do not
    hesitate to let me know.




    Best regards,
    Miles Li

    Microsoft Online Partner Support
    Microsoft Global Technical Support Center

    Get Secure! - www.microsoft.com/security
    =====================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    =====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Miles Li [MSFT], Sep 15, 2008
    #7
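The two steps Miles Li gives (read the Workstation Name, then look up the Caller Process ID on that host) can be automated for every 529 record in the daily performance report. The following is an added example, not part of the thread and not a Microsoft tool: it parses the record layout shown in the posts, checks the user name against a list of accounts that actually exist (the `KNOWN_ACCOUNTS` list is an assumed placeholder; Derek states that "alex" does not exist), and reads off what the record can and cannot say. Logon Type 3 is a network logon, Logon Process Advapi means a program called LogonUser, a Caller User Name ending in `$` is the computer account, Caller Logon ID (0x0,0x3E7) is the LocalSystem session, and a Source Network Address of `-` means the event carries no client address, so the LAN-versus-WAN question cannot be settled from the event alone; the caller process on the named workstation is the next thing to look at, with the `tasklist` command from the reply.

```python
# Constructed sample in the layout of the daily performance report's security
# section; field values are those quoted in the posts (xxxhiddenxxx is the
# post's own placeholder).
EVENT_529 = """\
Logon Failure:
Reason: Unknown user name or bad password
User Name: alex
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: xxxhiddenxxx
Caller User Name: xxxhiddenxxx$
Caller Domain: xxxhiddenxxx
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1836
Transited Services: -
Source Network Address: -
Source Port: -
"""

# Assumed placeholder list of accounts that really exist in the domain.
KNOWN_ACCOUNTS = ["administrator", "derek"]

# Windows logon type codes (Security log, event 528/529 era).
LOGON_TYPES = {
    2: "interactive", 3: "network", 4: "batch", 5: "service", 7: "unlock",
    8: "network cleartext", 9: "new credentials", 10: "remote interactive",
    11: "cached interactive",
}

# The well-known logon session ID of the LocalSystem account on every host.
SYSTEM_LOGON_ID = "(0x0,0x3E7)"


def parse_event(text):
    """Split 'Field: value' lines into a dict; header lines without a value are kept empty."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def triage(fields, known_accounts):
    """Answer the thread's questions from the record alone."""
    user = fields.get("User Name", "")
    logon_type = int(fields.get("Logon Type") or 0)
    pid = fields.get("Caller Process ID", "-")
    findings = {
        "account_exists": user.lower() in {a.lower() for a in known_accounts},
        "logon_type": LOGON_TYPES.get(logon_type, "unknown"),
        # Advapi: some program called LogonUser; the Caller fields identify it.
        "called_via_logonuser": fields.get("Logon Process", "").lower() == "advapi",
        "caller_is_machine_account": fields.get("Caller User Name", "").endswith("$"),
        "caller_is_local_system": fields.get("Caller Logon ID") == SYSTEM_LOGON_ID,
        "caller_host": fields.get("Workstation Name"),
        "caller_pid": int(pid) if pid.isdigit() else None,
        # '-' means no client address was recorded, so LAN vs WAN is undecidable here.
        "network_origin_known": fields.get("Source Network Address", "-") != "-",
    }
    if findings["caller_pid"] is not None:
        # The lookup step from the reply, to be run on the named workstation.
        findings["next_step"] = (
            f'on {findings["caller_host"]} run: tasklist |find "{findings["caller_pid"]}"'
        )
    else:
        findings["next_step"] = "no caller PID recorded; check the Source Network Address"
    return findings


if __name__ == "__main__":
    for key, value in triage(parse_event(EVENT_529), KNOWN_ACCOUNTS).items():
        print(f"{key}: {value}")
```

Run against each 529 block in the report, a record with `account_exists` false, `caller_is_local_system` true and `network_origin_known` false points at a service or scheduled process on the named workstation rather than at a remote client, which is exactly what the `tasklist` lookup then confirms or refutes.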
  8. Derek

    Derek Guest

    Thank you very much for your reply Miles Li.

    Q1 - I will check using the method you mention below, if I find anything
    unusual I will report it back here later on today.

    Q2 - Confirmation that port 57740 is not configured on that router at all.
    All inbound ports are closed apart from approx 5 for the SBS server and 1 at
    port 80 for the CCTV. The owner should be getting back to me some time
    today about moving that port to something outside of the 1024 port number
    range.

    Thanks again to all of you, especially those who have replied. I hope my
    questions and your answers help others in the group.

    I will reply back soon with an update.

    Regards,
    Derek.
     
    Derek, Sep 15, 2008
    #8
  9. Hello Derek,

    Please take your time to have a check. If there is any update on this
    issue, please do not hesitate to let me know.

    Best regards,
    Miles Li

     
    Miles Li [MSFT], Sep 16, 2008
    #9
  10. Hello,

    Thanks for the update. I appreciate your time on this issue.

    Yes, it is acceptable that the port 57740 is queried on the IP because of
    being assigned a P2P sharer's IP address occasionally. A normal service will
    not use such a high port except some P2P software.

    About the Event ID 529, please do not hesitate to post back when there is
    any update. I am sure that it will also help to give the general idea for
    those users that have similar issues.


    Best regards,
    Miles Li

     
    Miles Li [MSFT], Sep 19, 2008
    #10