System administration
Dmitry Filandor, 2018-04-10 16:05:18

How to find out who or what is trying to log in?

Hello! Windows Server 2012, used as an IIS web server, with FTP and an MS SQL DBMS running on it. Today I noticed the following entries in the Windows Security log:

Учетной записи не удалось выполнить вход в систему.

Субъект:
  ИД безопасности:		NULL SID
  Имя учетной записи:		-
  Домен учетной записи:		-
  Код входа:		0x0

Тип входа:			3

Учетная запись, которой не удалось выполнить вход:
  ИД безопасности:		NULL SID
  Имя учетной записи:		USER2
  Домен учетной записи:		

Сведения об ошибке:
  Причина ошибки:		Неизвестное имя пользователя или неверный пароль.
  Состояние:			0xC000006D
  Подсостояние:		0xC0000064

Сведения о процессе:
  Идентификатор процесса вызывающей стороны:	0x0
  Имя процесса вызывающей стороны:	-

Сведения о сети:
  Имя рабочей станции:	-
  Сетевой адрес источника:	-
  Порт источника:		-

Сведения о проверке подлинности:
  Процесс входа:		NtLmSsp 
  Пакет проверки подлинности:	NTLM
  Промежуточные службы:	-
  Имя пакета (только NTLM):	-
  Длина ключа:		0

and these events keep pouring in every few seconds; the only thing that changes is the account name: USER2, sklad, Admin and others...
What is this? It looks like brute force... And it started 3 days ago.
UPD: SOLUTION
Thank you all. They were brute-forcing RDP; in the built-in firewall, in the RDP and FTP rules, on the "Scope" tab I specified my own IP.
After that, everything stopped.
I also installed this one-of-a-kind free program:
Windows-IP-Ban-Service https://github.com/jjxtra/Windows-IP-Ban-Service
IPBan monitors failed security audits in the Windows Event Viewer and bans IP addresses using netsh. Wide range of customization and unlimited IP address ban count.
Features include:
– Unlimited number of ip addresses to ban
– Duration to ban ip address
– Number of failed login attempts before ban
– Whitelist of comma separated ip addresses or regex to never ban
– Blacklist of comma separated ip addresses or regex to always ban
– Custom prefix to windows firewall rules
– Custom keywords, XPath and Regex to parse event viewer logs for failed login attempts
– Refreshes config so no need to restart the service when you change something
– Highly configurable, ban anything that comes through Windows Event Viewer
– A GREAT and FREE (if you install it yourself) alternative to RdpGuard or Syspeace
– Contains configuration to block Remote Desktop attempts, Microsoft SQL Server login attempts and MySQL Server login attempts by default
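Before reaching for a third-party tool, the pattern in the log above can be confirmed from PowerShell on the server itself. The script below is an added example, not part of the question or of the IPBan project: it summarises 4625 failures by account and source address and, because the 4625 events here carry no source address, also checks the RDP service log, where Windows 2012 records the client IP. The `-Hours` and `-Threshold` defaults are assumptions.

```powershell
# Added example (not from the question or IPBan). Run in an elevated PowerShell
# on the affected server. Look-back window and burst threshold are assumed defaults.
param(
    [int]$Hours = 24,
    [int]$Threshold = 20
)
$since = (Get-Date).AddHours(-$Hours)

# Event 4625 = "An account failed to log on". Read the EventData fields by name so
# the script does not depend on the (here Russian) rendered message text.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = $d['TargetUserName']
            LogonType = $d['LogonType']       # 3 = network, as in the question
            SubStatus = $d['SubStatus']       # 0xC0000064 = user name does not exist
            AuthPkg   = $d['AuthenticationPackageName']   # NTLM in the question
            SourceIp  = $d['IpAddress']       # '-' for NTLM/NLA RDP attempts like these
        }
    }

# Many failures against non-existent accounts from one source is the brute-force signature.
$bursts = $failed |
    Group-Object Account, SourceIp |
    Where-Object Count -ge $Threshold |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{n='Account';   e={$_.Group[0].Account}},
        @{n='SourceIp';  e={$_.Group[0].SourceIp}},
        @{n='SubStatus'; e={$_.Group[0].SubStatus}},
        @{n='AuthPkg';   e={$_.Group[0].AuthPkg}},
        @{n='First';     e={($_.Group | Sort-Object Time)[0].Time}},
        @{n='Last';      e={($_.Group | Sort-Object Time)[-1].Time}}
$bursts | Format-Table -AutoSize

# When 4625 has no source address, the RDP service log does: event 140 in
# RdpCoreTS/Operational ("connection from client with IP ... failed, bad user name
# or password") carries the client IP in its IPString field.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'
    Id = 140; StartTime = $since
} -ErrorAction SilentlyContinue |
    ForEach-Object { ([xml]$_.ToXml()).Event.UserData.EventXML.IPString } |
    Group-Object | Sort-Object Count -Descending | Select-Object Count, Name -First 10
```

The addresses surfaced by the second query are the ones to put in the firewall rule scope or in a ban list; a SubStatus of 0xC0000064 on names that do not exist on the server means the list of accounts is being guessed, not that a real user mistyped a password.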

1 answer(s)
Maxim Grishin, 2018-04-10
@LifeAct

This is brute force, most likely on RDP; check whether it is open to the Internet. As for where it comes from, I advise monitoring the connections with Wireshark for a while; at the same time it will become clearer where they are breaking in.
