
re: Brute-force and IIS/w2k logs

From: Harlan Carvey <keydet89(at)yahoo.com>
Date: Thu Apr 03 2003 - 09:01:26 EST


> I've just reviewed a short range of security logs on a
> W2k/IIS box and there is an over abundance of repeated
> invalid login attempts. The attempts seem to focus on
> weak user ids (i.e., admin, administrator, root, sql,
> "anonymous" login/logouts.

Depending on your architecture, it sounds as if this W2K box isn't behind any sort of firewall...or if it is, ports 139/445 may be let through. Either way, both are Very Bad Things(tm).

If you're looking at the Security EventLog, then the IIS server is pretty irrelevant, unless you're using some sort of OWA or the IIS server is processing some kind of authentication.

> My two questions are.. is the "anonymous" login source
> of the attacks beyond the scant information provided in
> the Security log (machine name, time/date). Is there a
> way to capture the IP address of the source?

  1. Again, depending on how the infrastructure is set up, these anonymous logins could be normal traffic, or they could be attempts at null session connects. Without more detailed information, a definitive answer isn't possible.
  2. Install snort. It's free, and you can set up rules to capture just stuff to the particular ports on the box. The W2K EventLog doesn't capture IP addresses by itself...but snort will go a long way toward helping you with this.

HTH, Harlan
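As an added example (not part of the original thread, and not Harlan's code), here is the kind of triage one can do with only the Security log, before snort is in place. It works from the fields a Windows 2000 logon event actually carries (event ID, user, domain, logon type, workstation name; no IP address), groups failed logons by the client workstation name, flags bursts of failures against the weak account names the poster listed, and separates out successful ANONYMOUS LOGON network logons, which is what a null session looks like in the log. The SAMPLE_LOG, hostnames, and times are constructed; the CSV layout is a simplified rendering of those event fields, not a byte-exact Event Viewer export.

```python
"""Triage W2K Security log logon events for brute-force patterns.

The Security log identifies the client only by the workstation name it
presented, not by IP, so attempts are grouped by that name. SAMPLE_LOG
is constructed: a simplified CSV rendering of the fields in W2K logon
events (528/540 success, 529 failure, 538 logoff), not a real export.
"""
import csv
from collections import Counter, defaultdict
from datetime import datetime
from io import StringIO

# Windows 2000 audit event IDs for logon/logoff.
LOGON_SUCCESS = {528, 540}   # 528: interactive/other logon, 540: network logon
LOGON_FAILURE = {529, 530, 531, 532, 533, 534, 535, 537, 539}
# Account names the original post saw being hammered; a starting list only.
WEAK_USER_IDS = {"admin", "administrator", "root", "sql", "guest"}

# Constructed sample; hostnames and times are made up for illustration.
SAMPLE_LOG = """\
date,time,event_id,user,domain,logon_type,workstation
2003-04-02,23:58:01,529,administrator,WEBSRV,3,KRUSTY
2003-04-02,23:58:02,529,administrator,WEBSRV,3,KRUSTY
2003-04-02,23:58:02,529,admin,WEBSRV,3,KRUSTY
2003-04-02,23:58:03,529,root,WEBSRV,3,KRUSTY
2003-04-02,23:58:03,529,sql,WEBSRV,3,KRUSTY
2003-04-02,23:58:04,529,administrator,WEBSRV,3,KRUSTY
2003-04-02,23:58:05,540,ANONYMOUS LOGON,NT AUTHORITY,3,KRUSTY
2003-04-02,23:58:06,538,ANONYMOUS LOGON,NT AUTHORITY,3,KRUSTY
2003-04-03,08:15:10,528,jsmith,WEBSRV,2,WEBSRV
2003-04-03,08:20:44,529,jsmith,WEBSRV,2,WEBSRV
2003-04-03,09:02:17,540,ANONYMOUS LOGON,NT AUTHORITY,3,FILESRV
"""


def parse_events(text):
    """Turn the CSV rendering into dicts with a datetime and int fields."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        row["when"] = datetime.strptime(
            f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        row["event_id"] = int(row["event_id"])
        row["logon_type"] = int(row["logon_type"])
        events.append(row)
    return events


def failures_by_workstation(events):
    """Failed logons per client workstation name (the only source field W2K gives)."""
    return Counter(e["workstation"] for e in events if e["event_id"] in LOGON_FAILURE)


def weak_id_attempts(events):
    """Failed logons against the weak account names, keyed by (workstation, user)."""
    return Counter(
        (e["workstation"], e["user"].lower())
        for e in events
        if e["event_id"] in LOGON_FAILURE and e["user"].lower() in WEAK_USER_IDS)


def anonymous_logons(events):
    """Successful type-3 logons as ANONYMOUS LOGON: a null session as the log records it."""
    return Counter(
        e["workstation"] for e in events
        if e["event_id"] in LOGON_SUCCESS
        and e["user"].upper() == "ANONYMOUS LOGON"
        and e["logon_type"] == 3)


def burst_sources(events, window_seconds=60, threshold=5):
    """Workstations with >= threshold failures inside any window_seconds span.

    Rate separates a mistyped password from a dictionary run."""
    per_host = defaultdict(list)
    for e in events:
        if e["event_id"] in LOGON_FAILURE:
            per_host[e["workstation"]].append(e["when"])
    flagged = set()
    for host, times in per_host.items():
        times.sort()
        i = 0
        for j in range(len(times)):           # sliding window over sorted times
            while (times[j] - times[i]).total_seconds() > window_seconds:
                i += 1
            if j - i + 1 >= threshold:
                flagged.add(host)
                break
    return flagged


def triage(text, window_seconds=60, threshold=5):
    """Run all checks over one log rendering and return a summary dict."""
    events = parse_events(text)
    return {
        "failures": failures_by_workstation(events),
        "weak_ids": weak_id_attempts(events),
        "anonymous": anonymous_logons(events),
        "bursts": burst_sources(events, window_seconds, threshold),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else sorted(value)}")
```

On the constructed sample this flags KRUSTY (six failures in four seconds, three of them against "administrator") and lists KRUSTY and FILESRV as sources of anonymous network logons. The workstation name is whatever the client chose to present, so it is a lead, not an identity; that is exactly why Harlan points to a sniffer on 139/445 for the IP address.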




Received on Thu Apr 3 12:19:13 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:03:59 EDT

