How to track hackers during dictionary attacks?

Ovatvvon

Programmer
Feb 1, 2001
1,514
US
Hello all,

I have been undergoing attacks for the past few days of someone (or, some entity) trying dictionary attacks on my SA account of my SQL Server. Since then, I deactivated the SA account and went with purely NT Accounts Authentication. Now, they have been trying to log into random accounts guessing at different passwords. I've blocked IPs as I've seen them come in in floods, but for random tries, it's harder to locate the source IP and such.

Is there a way to do any and/or all of the following?...

1) See what passwords have been attempted by these users during all the attempts.
2) Track where the source is of this attempt to logon.
3) Do something to stop this person / these people from continuing further attacks from different computers, etc.

Here is a sample of a couple audits from my event viewer (Any help in this matter would be GREATLY appreciated) Thank you!!!


Event Type: Warning
Event Source: MSFTPSVC
Event Category: None
Event ID: 100
Date: 12/12/2004
Time: 3:00:24 AM
User: N/A
Computer: WEB
Description:
The server was unable to logon the Windows NT account 'administrator' due to the following error: Logon failure: unknown user name or bad password. The data is the error code.
For additional information specific to this message please visit the Microsoft Online Support site located at: Data:
0000: 2e 05 00 00



Event Type: Warning
Event Source: MSFTPSVC
Event Category: None
Event ID: 100
Date: 12/12/2004
Time: 3:00:24 AM
User: N/A
Computer: WEB
Description:
The server was unable to logon the Windows NT account 'webmaster' due to the following error: Logon failure: unknown user name or bad password. The data is the error code.
For additional information specific to this message please visit the Microsoft Online Support site located at: Data:
0000: 2e 05 00 00



Event Type: Warning
Event Source: MSFTPSVC
Event Category: None
Event ID: 100
Date: 12/12/2004
Time: 3:00:24 AM
User: N/A
Computer: WEB
Description:
The server was unable to logon the Windows NT account 'root' due to the following error: Logon failure: unknown user name or bad password. The data is the error code.
For additional information specific to this message please visit the Microsoft Online Support site located at: Data:
0000: 2e 05 00 00



-Ovatvvon :-Q
 
What conduit are they using for the attempted login?

If the attack is external, it's gotta go through a firewall somewhere; a dictionary attack should have pages of connections from a single IP.

If it's being attempted through HTTP, check your weblogs for lots of strangely-crafted URLS. These URLS will often bear the attempted passwords within them.

The key is to realize how this person is attempting to do this, and then checking the logs and tightening security along every step. Often with attacks that brazen the source is a RIPE IP from overseas. If that's the case, just block the whole IP range in your firewall.

Another big problem occurs when someone on the outside manages to authenticate him or herself as a user (or other object) on your domain because of a weak password. Once that occurs, they may have a direct-trusted path to your data, and can sit there all day hammering away at our password.

Hope this helps!

"I would rather have a free bottle in front of me, than a pre-frontal lobotomy..."

-Shrubble
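One way to pick out the floods Shrubble describes from the Event Viewer dumps quoted above, as an added example that is not part of the thread: it parses text exports of MSFTPSVC event 100, buckets failures per minute, and flags minutes with many distinct account names, which is what a guess-the-username run looks like. The sample log, the one-minute bucket and the threshold are constructed for the demo; note the event text carries no client address, so the source IP still has to come from the FTP service or firewall logs as the reply says.

```python
import re
from collections import defaultdict
from datetime import datetime

# Event Viewer text export of an MSFTPSVC event 100, in the layout quoted in the thread.
EVENT_TEMPLATE = """Event Type: Warning
Event Source: MSFTPSVC
Event Category: None
Event ID: 100
Date: 12/12/2004
Time: {time}
User: N/A
Computer: WEB
Description:
The server was unable to logon the Windows NT account '{account}' due to the following error: Logon failure: unknown user name or bad password. The data is the error code.
"""

# Constructed sample: four guesses inside one minute (a dictionary run) plus one lone miss.
SAMPLE_LOG = "\n".join(EVENT_TEMPLATE.format(time=t, account=a) for t, a in [
    ("3:00:24 AM", "administrator"), ("3:00:24 AM", "webmaster"),
    ("3:00:24 AM", "root"), ("3:00:25 AM", "guest"), ("4:17:02 AM", "bob"),
])

def parse_failed_logons(text):
    """Return [(timestamp, account)] for every failed-logon event in the export.
    Blocks without a 'Windows NT account' line (other event types) are skipped."""
    events = []
    for block in re.split(r"(?m)^Event Type:", text)[1:]:
        date = re.search(r"Date:\s*(\S+)", block)
        time = re.search(r"Time:\s*([\d:]+ [AP]M)", block)
        acct = re.search(r"Windows NT account '([^']+)'", block)
        if not (date and time and acct):
            continue
        stamp = datetime.strptime(f"{date[1]} {time[1]}", "%m/%d/%Y %I:%M:%S %p")
        events.append((stamp, acct[1]))
    return events

def flag_bursts(events, threshold=3):
    """Bucket failures per calendar minute; return {minute: sorted distinct accounts}
    for minutes with at least `threshold` failures. Several different account names
    in one minute points to a username-guessing run rather than a mistyped password."""
    per_minute = defaultdict(list)
    for stamp, account in events:
        per_minute[stamp.replace(second=0)].append(account)
    return {m: sorted(set(a)) for m, a in sorted(per_minute.items()) if len(a) >= threshold}

if __name__ == "__main__":
    for minute, accounts in flag_bursts(parse_failed_logons(SAMPLE_LOG)).items():
        print(f"{minute:%Y-%m-%d %H:%M}: {len(accounts)} accounts tried: {', '.join(accounts)}")
```

Point it at a saved Event Viewer text export instead of SAMPLE_LOG and compare the flagged minutes against the firewall or FTP log for the same timestamps to recover the client address.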
 
Thanks shrubble. I'll direct myself to check out the areas that you did and work on them.

agrappe, at first glance it would appear that Snort primarily works with MySql. Since I'm running Sql Server, I'm thinking this would be a problem. Am I wrong?

-Ovatvvon :-Q
 
Snort is network intrusion detection software and should be run from a machine that isn't being attacked. I installed it on an old PC running RedHat Linux. It sniffs the wire for signatures it recognizes as intrusion attempts. It's a nice piece of software that is very customizable.

To answer your question; yes, both on the same system might be a problem.
 