January 20

Additional info: how to detect an attack like Conficker cracking your user accounts

As I posted before, an attack like Conficker will generate a lot of events in the attacked machine's Security event log, so please take care to enable logging of failure events via policy.


An event will look like this:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date:  20.01.2009
Time:  18:35:00
User:  xxxxxxx
Computer: Server
Description:
Logon Failure:
  Reason:  Unknown user name or bad password
  User Name: administrator
  Domain:  kaanet
  Logon Type: 3
  Logon Process: NtLmSsp
  Authentication Package: NTLM
  Workstation Name: Conficker Wksta
  Caller User Name: -
  Caller Domain: -
  Caller Logon ID: -
  Caller Process ID: -
  Transited Services: -
  Source Network Address: 192.168.100.19
  Source Port: 0


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

You will get the attacker's machine name and maybe its IP address, shown in the Workstation Name and Source Network Address fields above.

Logon Type 3 – Network

Windows logs logon type 3 in most cases when you access a computer from elsewhere on the network. One of the most common sources of logon events with logon type 3 is connections to shared folders or printers. But other over-the-network logons are classed as logon type 3 as well, such as most logons to IIS.

If you have Operations Manager 2007, you can use

Audit Collection Services (ACS)

More info here:

http://technet.microsoft.com/en-us/library/bb381258.aspx

http://technet.microsoft.com/en-us/library/bb381373.aspx

If you want to limit the events which are written to the ACS database, you can use AdtAdmin:

  adtAdmin.exe /SetQuery

An ACS collector can use Windows Management Instrumentation (WMI) Query Language (WQL) queries as filters to limit the events that are stored in the ACS database. The /SetQuery parameter implements the filter before events are saved to the ACS database. For more information on WQL and WQL queries, see Querying with WQL at http://go.microsoft.com/fwlink/?LinkId=74151.


If you have none of these, you can use free tools like

Log Parser 2.2

http://www.microsoft.com/technet/scriptcenter/tools/logparser/default.mspx

or

EventComb

http://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

to query your security event logs.
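As an added example (not from the original post), here is a small Python script that does the same kind of query offline over a text export of the Security log: it parses Event ID 529 records in the layout shown above and flags any source with many Logon Type 3 failures inside a short window, which is what a Conficker password-guessing run looks like. The blank-line-separated record layout, the threshold of five failures per minute and the sample records are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fields worth keeping from a 529 record in the text layout shown above.
FIELD_RE = re.compile(r"^\s*(Event ID|Date|Time|User Name|Logon Type|Workstation Name|"
                      r"Source Network Address):\s*(.*?)\s*$", re.M)

def parse_events(text):
    """Split a text export (records separated by blank lines) into dicts; keep only 529."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = dict(FIELD_RE.findall(chunk))
        if fields.get("Event ID") == "529":
            fields["when"] = datetime.strptime(f'{fields["Date"]} {fields["Time"]}', "%d.%m.%Y %H:%M:%S")
            events.append(fields)
    return events

def find_password_guessing(events, threshold=5, window=timedelta(seconds=60)):
    """Return {source: total failures} for sources with >= threshold type-3 failures in any window."""
    by_source = defaultdict(list)
    for ev in events:
        if ev.get("Logon Type") == "3":
            # Conficker fills in a Workstation Name; fall back to it if the IP is missing.
            src = ev.get("Source Network Address") or ev.get("Workstation Name")
            by_source[src].append(ev["when"])
    alerts = {}
    for src, times in by_source.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # drop failures that fell out of the sliding window
            if end - start + 1 >= threshold:
                alerts[src] = len(times)
                break
    return alerts

def _record(time, user, wksta, src):
    """Constructed sample record in the page's layout (not real log data)."""
    return (f"Event ID: 529\nDate:  20.01.2009\nTime:  {time}\n"
            f"  User Name: {user}\n  Logon Type: 3\n"
            f"  Workstation Name: {wksta}\n  Source Network Address: {src}\n")

# Constructed sample: six guesses against "administrator" in six seconds, plus one user typo.
SAMPLE = "\n".join(
    [_record(f"18:35:{s:02d}", "administrator", "Conficker Wksta", "192.168.100.19") for s in range(6)]
    + [_record("18:40:12", "jsmith", "PC07", "192.168.100.7")])
```

Running `find_password_guessing(parse_events(SAMPLE))` reports only 192.168.100.19; the single typo from 192.168.100.7 stays below the threshold.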


January 17

Detect Conficker Worm Attacker with Netmon 3.2

You can detect an attacker's IP with MS Netmon 3.2 from the Microsoft Download Center:

http://www.microsoft.com/downloads/details.aspx?FamilyID=f4db40af-1e08-4a21-a26b-ec2f4dc4190d&DisplayLang=en

Make a filter like this: SMB.NTStatus.Code == 0x6d

It shows all unsuccessful account logons to your server. If you set up port mirroring on your switch, you can capture all of them, like this:


21:00:33 16.01.2009        2150      97.086512                           {NbtSS:153, TCP:151, IPv4:70}   Server            10.1.1.1           SMB                SMB:R; Session Setup Andx - NT Status: System - Error, Code = (109) STATUS_LOGON_FAILURE

In this case 10.1.1.1 was the attacker's IP. You will get a lot of these in one second on your server; you can also see them in the Security log as failed logon events. That means if you have a lot of these frames, an attack to crack your accounts is going on.

If the attacker already has a valid account, it looks like this:

21:11:57 16.01.2009        58886    781.056203                         {SMB:9476, NbtSS:9469, TCP:9468, IPv4:9467}   10.1.1.1                Server            SMB      SMB:C; Nt Create Andx, FileName = \System32\dcegzyjp.my
21:11:57 16.01.2009        58887    781.056281                         {SMB:9476, NbtSS:9469, TCP:9468, IPv4:9467}   Server                  10.1.1.1           SMB      SMB:R; Nt Create Andx - NT Status: System - Error, Code = (52) STATUS_OBJECT_NAME_NOT_FOUND
21:11:57 16.01.2009        58888    781.057324                         {SMB:9477, NbtSS:9469, TCP:9468, IPv4:9467}   10.1.1.1                Server          SMB      SMB:C; Nt Create Andx, FileName = \atsvc

So if your machine gets infected through an authenticated session, you can also try to build a filter on this traffic to detect the attacker.

Andy

An overview of Conficker distribution can be found here:

http://blogs.technet.com/mmpc/archive/2009/01/13/msrt-released-today-addressing-conficker-and-banload.aspx


If you have comments, please post them.


andreas kainz