To me, this has all the classic symptoms of an enumeration/password guessing attack. Using a tool like enum, an attacker is able to get a list of usernames and shares. It is possible, and even advisable, to restrict this information. For instructions on how to do this see http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B143474. Just keep in mind that some software (NDS for NT, etc.) relies on those null sessions.

If you can block access to the NBT ports (UDP 137 and 138, TCP 139, and UDP/TCP 445 if you also have any Win2k+ machines that are getting attacked) at your border, then I would do that. If you've already done that, then it appears someone has breached the border protections, either by physically accessing your network or by relaying the attack through some machine inside your network. However, if the second option is the case, I would have expected them to be a little more subtle; after all, it's possible to pick usernames and password hashes off the network and crack them remotely (relative to your network).

One tool that is very nice and easy to use against individual targets, should you want to find out how much information can be retrieved from your box, is nbtdump (http://www.atstake.com/research/tools/info_gathering/) from @stake. When run against a box that allows enumeration, it generates a nice little HTML page with shares (even hidden shares), usernames, how long it has been since each user's password was changed, and how many times the password has been used to log in.

What to really look for in your logs is a successful logon in the midst of those failed attempts. Of course, this requires that you log successes as well as failures. As for your actual question, the only time I have seen anything like this in a relatively benign situation, the user didn't log off, and when her time restrictions kicked in, the machine repeatedly attempted to get in because of an automated process she was running.
In that sort of scenario, the computer name in the event log correlates to the user's actual computer.

Yours,
John Ives

>-----Original Message-----
>From: A. Naveira [mailto:anaveiraat_private]
>Sent: Monday, March 31, 2003 4:37 PM
>To: incidentsat_private
>Cc: intrusionsat_private
>Subject: Logon/Logoff Failure Events
>
>
>I recently implemented the account lockout policy on my NT4 PDC (all my
>clients authenticate to this server) and encountered the following events in
>my security event log:
>
>1. User accounts continue to get locked (Event 539)
>2. Expired password accounts continue trying to log in to the network (Event 535)
>3. Accounts restricted to specific workstations are trying to log in to
>unidentified workstations that I can't seem to ID on my network (Event 533)
>AND
>4. Bad password attempts on existing accounts from unidentified workstations
>that I can't seem to ID on my network (Event 529)
>
>These events seem quite unsettling, as I see MULTIPLE failed attempts per
>second (more than humanly possible). Could this be an automated process
>(token authentication) that NT is running to authenticate services, apps, or
>other processes or, as I expect, could it be a script trying to guess user
>passwords? Has anyone encountered this previously in NT4 with benign
>sources?
>
>Ana

-------------------------------------------------
John Ives, GCWN
Systems Administrator
College of Chemistry
(510) 643-1033

"If you spend more on coffee than on IT security, then you will be hacked. What's more, you deserve to be hacked."
- Richard Clarke, special adviser to the president on cybersecurity

Any opinions expressed are my own and not those of the Regents of the University of California.
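An added example, not part of John's reply or Ana's message, of the log check John recommends: pull the successful logons that occur in the middle of a burst of failures, and measure how many failures per second each workstation name is producing. It runs over a constructed NT4-style security log export (date, time, event ID, account, workstation), using the NT4 audit event IDs Ana listed (529, 533, 535, 539) plus 528 for a successful logon. The field layout, workstation names, accounts and timestamps are all made up for the example.

```python
"""
Added example: triage an NT4-style security log export for the pattern John
describes, a successful logon (528) from a workstation that has just produced
a burst of failed attempts (529/533/535/539). The log, field order and names
below are constructed for illustration, not taken from a real system.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: date,time,event ID,account,workstation name.
# UNKNOWN01 is the kind of workstation Ana cannot identify on her network.
SAMPLE_LOG = """\
3/31/2003,16:30:01,529,jsmith,UNKNOWN01
3/31/2003,16:30:01,529,mjones,UNKNOWN01
3/31/2003,16:30:01,533,abrown,UNKNOWN01
3/31/2003,16:30:02,529,jsmith,UNKNOWN01
3/31/2003,16:30:02,535,rlee,UNKNOWN01
3/31/2003,16:30:02,539,jsmith,UNKNOWN01
3/31/2003,16:30:03,528,mjones,UNKNOWN01
3/31/2003,16:31:10,529,anaveira,CHEM-WS12
3/31/2003,16:31:40,528,anaveira,CHEM-WS12
3/31/2003,16:32:00,528,rlee,CHEM-WS07
"""

FAILURE_IDS = {529, 533, 535, 539}  # bad password, workstation restriction,
                                    # expired password, account locked out
SUCCESS_ID = 528                    # successful logon (needs success auditing on)


def parse_log(text):
    """Turn the comma-delimited export into (timestamp, event_id, account, workstation) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, event_id, account, workstation = line.split(",")
        when = datetime.strptime(f"{date} {clock}", "%m/%d/%Y %H:%M:%S")
        events.append((when, int(event_id), account, workstation))
    return events


def failure_rate_by_workstation(events):
    """Peak number of failures in any one-second bucket, per workstation name.
    Several per second from one name is Ana's 'more than humanly possible' signal."""
    buckets = defaultdict(lambda: defaultdict(int))
    for when, eid, _, ws in events:
        if eid in FAILURE_IDS:
            buckets[ws][when] += 1
    return {ws: max(per_sec.values()) for ws, per_sec in buckets.items()}


def successes_after_failures(events, window_seconds=60):
    """Successful logons from a workstation that produced failures within the
    preceding window. Returns (workstation, account, time, preceding_failures);
    the failure count separates a guessing run from a single mistyped password."""
    failures = defaultdict(list)
    hits = []
    for when, eid, account, ws in sorted(events):
        if eid in FAILURE_IDS:
            failures[ws].append(when)
        elif eid == SUCCESS_ID:
            recent = [t for t in failures[ws]
                      if 0 <= (when - t).total_seconds() <= window_seconds]
            if recent:
                hits.append((ws, account, when.strftime("%H:%M:%S"), len(recent)))
    return hits


def triage(text, max_failures_per_second=2):
    """Combine both checks into one report for the log text given."""
    events = parse_log(text)
    rates = failure_rate_by_workstation(events)
    noisy = sorted(ws for ws, r in rates.items() if r > max_failures_per_second)
    return {"noisy_workstations": noisy,
            "suspicious_successes": successes_after_failures(events)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

On the constructed data this reports UNKNOWN01 as producing more than two failures per second, and flags two successes: mjones from UNKNOWN01 with six failures in the preceding minute (the one to investigate, as John says), and anaveira from CHEM-WS12 with a single preceding failure (a mistyped password). As John notes, none of this is possible unless success auditing is enabled alongside failure auditing; an export that contains only 529/533/535/539 records will never show the 528 that matters.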
This archive was generated by hypermail 2b30 : Thu Apr 03 2003 - 16:58:58 PST