bad things in netlogon file/event log

Printable View

April 14th, 2006, 05:57 PM
jibba

bad things in netlogon file/event log

First off, I'd like to give a "How do ya do?" to the forums. I just found the site and am eagerly awaiting the time that I can delve into the security tutorials available on the boards. I appreciate any comments in re my post...

I came back from vacation and got slammed with work (what else is new..) but eventually made my way to do my pseudo-periodic check of several output files from a script that parses the netlogon log for attempted logons with invalid user names or invalid passwords. I found many, many entries (approx 1-2 per second) that look like this:

03/20 18:03:21 [LOGON] SCL: SamLogon: Interactive logon of SCL\Administrator from EXCHANGE Returns 0xC0000064
03/20 18:03:22 [LOGON] SCL: SamLogon: Interactive logon of SCL\Administrator from EXCHANGE Returns 0xC0000064
03/20 18:03:22 [LOGON] SCL: SamLogon: Interactive logon of SCL\Administrator from EXCHANGE Returns 0xC0000064
03/20 18:03:23 [LOGON] SCL: SamLogon: Interactive logon of SCL\Administrator from EXCHANGE Returns 0xC0000064

Obviously we do not have an account named administrator (it has been renamed). They do not occur each day (nor is there a specific pattern that I can see as to the days/times they do occur) and the attempts to logon last for exactly 20 minutes. Here is what I see in the Security event log at the times that these attempted logons occur:

4/13/2006,12:48:55 AM,Security,Failure Audit,Logon/Logoff ,529,NT AUTHORITY\SYSTEM,EXCHANGE,"Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: SCL
Logon Type: 8
Logon Process: IIS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: EXCHANGE
Caller User Name: EXCHANGE$
Caller Domain: SCL
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1900
Transited Services: -
Source Network Address: -
Source Port: -

I am also noticing Sec event log entries on clients that say users are logging onto the clients when there is no activity the user is initiating. They are logon type 3 (Kerberos) and log off after about 10 seconds. This does not occur on all the clients, only a few. I'm not sure if this is related but thought it best to include the info.

I've attached a .txt with the parsed failed logons. You will notice other domain/usernames attempting to logon. Again, I'm not sure they are related.

"Exchange" is a DC that also has a website and exchange 2003 on it. Yes, I know that is a security risk but I inherited the network a few months ago and will not be able to install more servers for a few more months....

Where do I go/what can I do to resolve this? :confused:

I appreciate the feedback...

***Edit: The .txt is too large to attach. I can mail it if anyone needs it.
April 14th, 2006, 06:35 PM
thehorse13

This looks like worm/bot activity. I think you have bigger issues than this log problem.

Have you any kind of traffic analyser available?

--Th13
April 14th, 2006, 06:46 PM
jibba

Other than "network monitor" on the server, no, I don't have a program that can be installed on the server itself.

I do have a red hat box with ethereal installed....

I also failed to mention that the same log entries have occured with SCL\root rather than SCL\Administrator. SCL is also our legit domain name.

What are you referring to when you say I have bigger problems than the log entries?
April 14th, 2006, 06:50 PM
thehorse13

how many windows boxes do you know that have a "root" account?

Again, looks like worm or bot activity. Any way to spot the source address of the host sending these requests in? I mean, the domain controller running netmon can capture this information very easily. That is, if it still is happening.
April 14th, 2006, 06:58 PM
jibba

lol. I don't know of any win boxes with a root account.

I'll run network monitor on the box and see what comes up. good call, i should have thought of that as the next step. anything specific/general that I should look for?
April 14th, 2006, 07:23 PM
thehorse13

failed login attempts and source addresses of those attempts.
April 14th, 2006, 08:24 PM
Tiger Shark

Do you have a server, (or workstation I suppose), called EXCHANGE on the same network? Does it have a user called administrator?

Because that looks a lot like another computer trying to access this particular one rather than someone trying to access it.

I'm guessing that the computer showing these log entries is on the trusted network and so is the computer called EXCHANGE.
April 14th, 2006, 09:25 PM
jibba

We have one computer on the trusted network called Exchange. That is a DC. There are no clients or other servers (obviously) called Exchange.

All of the clients have the Administrator account enabled.
April 14th, 2006, 10:20 PM
rapier57

I think what horsie is alluding to with the "bigger issues" is that you likely have something monitoring some of your client workstations (the Kerb logins), probably through a local admin account (not necessarily Administrator) that didn't have a tough enough password. You may have a netcat remote session or mIRC environment running on them to leverage into the rest of the network.

Check that all the services are communicating on the server as they are supposed to. You will need to set up an Ethereal on a hub or on the router so that it can see all the traffic in and out of the network so you can see if the login attempts are coming from outside or inside your network. If they are coming from outside, that is a brute force attack at the administrator account. If it is coming from inside, you may have a compromised workstation that is doing the dirty work. However, there must be some traffic through the network to indicate the remote controller for this activity.

Those systems that are showing the periodic logins may be needing a good safe mode scan to see what is on them.