On Mon, Sep 1, 2014 at 10:06 AM, Carlos Castillo <[email protected]> wrote:
>
> Regards,
>
> Hello, I'm Carlos and I am new to using OSSEC; however, my organization
> recently adopted OSSEC as its HIDS, and we are pleased with the results. We
> started the setup by installing the agent on some of our servers (including
> our Exchange Server) and now we are receiving a lot of level 7 and level 10
> alerts, as follows:
>
>> Rule: 18138 fired (level 7) -> "Logon Failure - Account locked out."
>> Portion of the log(s):
>> 2014 Aug 31 16:08:01 WinEvtLog: Security: AUDIT_FAILURE(4625):
>> Microsoft-Windows-Security-Auditing: (no user): no domain:
>> NHGC-MX-01.nhgc.local: An account failed to log on. Subject: Security ID:
>> S-1-5-20 Account Name: NHGC-MX-01$ Account Domain: NHGC Logon ID:
>> 0x3e4 Logon Type: 8 Account For Which Logon Failed: Security ID:
>> S-1-0-0 Account Name: charlie Account Domain: Failure Information:
>> Failure Reason: %%2313 Status: 0xc000006d Sub Status: 0xc0000064
>> Process Information: Caller Process ID: 0xfcc Caller Process Name:
>> C:\Program Files\Microsoft\Exchange Server\V14\Bin\EdgeTransport.exe
>> Network Information: Workstation Name: NHGC-MX-01 Source Network Address:
>> - Source Port: - Detailed Authentication Information: Logon Process:
>> Advapi Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>> Transited Services: - Package Name (NTLM only): - Key Length: 0 This
>> event is generated when a logon request fails. It is generated on the
>> computer where access was attempted.
>
> The strangest thing about this notice is that the value of the Account Name
> changes randomly, with a name that does not correspond to our users.
> Similarly, I find a Logon Type 8 strange, because it is an attempt to log on
> with credentials in plain text.
>
>> Received From: (nhgc-mx-01) 192.168.50.7->WinEvtLog
>> Rule: 18152 fired (level 10) -> "Multiple Windows Logon Failures."
>> Portion of the log(s):
>> 2014 Aug 31 23:51:59 WinEvtLog: Security: AUDIT_FAILURE(4625):
>> Microsoft-Windows-Security-Auditing: (no user): no domain:
>> NHGC-MX-01.nhgc.local: An account failed to log on. Subject: Security ID:
>> S-1-5-20 Account Name: NHGC-MX-01$ Account Domain: NHGC Logon ID:
>> 0x3e4 Logon Type: 8 Account For Which Logon Failed: Security ID:
>> S-1-0-0 Account Name: [email protected] Account Domain: Failure
>> Information: Failure Reason: %%2313 Status: 0xc000006d Sub Status:
>> 0xc0000064 Process Information: Caller Process ID: 0xfcc Caller Process
>> Name: C:\Program Files\Microsoft\Exchange Server\V14\Bin\EdgeTransport.exe
>> Network Information: Workstation Name: NHGC-MX-01 Source Network Address:
>> - Source Port: - Detailed Authentication Information: Logon Process:
>> Advapi Authentication Package: Negotiate Transited Services: - Package
>> Name (NTLM only): - Key Length: 0 This event is generated when a logon
>> request fails. It is generated on the computer where access was attempted.
>
> As said before, the accounts used in the logins aren't from our domain, and
> the number of alerts of this type is significant (around 60). We are
> thinking of a virus or some kind of attack.
>
> Is it possible someone is brute forcing our logins?
>
> Regards,
>
> --
> Carlos J. Castillo
> ----------------------------------------------------------------------------------
> IT Solutions Engineer
> +58 426 2542313
> @Dr4g0nKn1ght
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
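A triage helper for 4625 events like the two quoted above, added here as an example and not part of the original thread or of OSSEC's own code. It parses the flattened one-line form the agent forwards, decodes Logon Type and Sub Status (Logon Type 8 is NetworkCleartext; Sub Status 0xC0000064 means the user name does not exist, 0xC000006A a wrong password for an existing user), and groups failures by caller process so that many distinct non-existent names coming through one process stand out from a single user's typo. The sample log lines, the winlogon.exe event used for contrast, the thresholds in looks_like_guessing and all function names are constructed assumptions for this example.

```python
"""Triage Windows 4625 logon failures forwarded by an OSSEC agent (example helper)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Well-known meanings of the numeric fields in event 4625.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}
SUB_STATUS = {
    0xC0000064: "user name does not exist",
    0xC000006A: "correct user name, wrong password",
    0xC0000234: "account locked out",
    0xC0000072: "account disabled",
    0xC000006F: "logon outside authorized hours",
    0xC0000070: "workstation restriction",
    0xC0000071: "password expired",
    0xC0000193: "account expired",
}

EDGE = r"C:\Program Files\Microsoft\Exchange Server\V14\Bin\EdgeTransport.exe"
WINLOGON = r"C:\Windows\System32\winlogon.exe"  # constructed contrast process


@dataclass
class LogonFailure:
    timestamp: str
    logon_type: int
    target_user: str
    status: int
    sub_status: int
    caller_process: str
    source_address: str


# The agent flattens the multi-line event into one line; fields are parsed in the
# order they occur so "Account Name" of the target, not the subject, is captured.
_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) WinEvtLog: Security: AUDIT_FAILURE\(4625\):.*?"
    r"Logon Type:\s*(?P<ltype>\d+).*?"
    r"Account For Which Logon Failed:.*?Account Name:\s*(?P<user>\S+)\s+Account Domain:.*?"
    r"Status:\s*(?P<status>0x[0-9a-fA-F]+)\s+Sub Status:\s*(?P<sub>0x[0-9a-fA-F]+).*?"
    r"Caller Process Name:\s*(?P<proc>.*?)\s+Network Information:.*?"
    r"Source Network Address:\s*(?P<src>\S+)"
)


def parse_4625(line):
    """Return a LogonFailure for a flattened 4625 line, or None if it is not one."""
    m = _RE.search(line)
    if m is None:
        return None
    return LogonFailure(m["ts"], int(m["ltype"]), m["user"], int(m["status"], 16),
                        int(m["sub"], 16), m["proc"], m["src"])


def describe(ev):
    """Human-readable decoding of one failure."""
    exe = ev.caller_process.rsplit("\\", 1)[-1]
    reason = SUB_STATUS.get(ev.sub_status, "sub status " + hex(ev.sub_status))
    return (f"{ev.timestamp}: logon type {ev.logon_type} ({LOGON_TYPES.get(ev.logon_type, 'unknown')}) "
            f"for '{ev.target_user}' via {exe} from {ev.source_address}: {reason}")


def summarize(lines):
    """Group failures by caller process: totals, distinct names, unknown-user count, cleartext count."""
    stats = defaultdict(lambda: {"total": 0, "users": set(), "sources": set(),
                                 "no_such_user": 0, "cleartext": 0})
    for line in lines:
        ev = parse_4625(line)
        if ev is None:
            continue
        s = stats[ev.caller_process]
        s["total"] += 1
        s["users"].add(ev.target_user)
        s["sources"].add(ev.source_address)
        s["no_such_user"] += ev.sub_status == 0xC0000064
        s["cleartext"] += ev.logon_type == 8
    return dict(stats)


def looks_like_guessing(stats, min_events=5, min_unknown_ratio=0.8):
    """Assumed heuristic: many distinct, mostly non-existent names through one process
    is consistent with automated username guessing rather than a mistyped password."""
    return [proc for proc, s in stats.items()
            if s["total"] >= min_events and len(s["users"]) >= min_events
            and s["no_such_user"] / s["total"] >= min_unknown_ratio]


def _sample(ts, user, sub="0xc0000064", proc=EDGE, ltype=8, src="-"):
    """Constructed 4625 line in the flattened form shown in the post (not real data)."""
    return (f"{ts} WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: "
            "(no user): no domain: NHGC-MX-01.nhgc.local: An account failed to log on. Subject: "
            "Security ID: S-1-5-20 Account Name: NHGC-MX-01$ Account Domain: NHGC Logon ID: 0x3e4 "
            f"Logon Type: {ltype} Account For Which Logon Failed: Security ID: S-1-0-0 "
            f"Account Name: {user} Account Domain: Failure Information: Failure Reason: %%2313 "
            f"Status: 0xc000006d Sub Status: {sub} Process Information: Caller Process ID: 0xfcc "
            f"Caller Process Name: {proc} Network Information: Workstation Name: NHGC-MX-01 "
            f"Source Network Address: {src} Source Port: - Detailed Authentication Information: "
            "Logon Process: Advapi Authentication Package: Negotiate Transited Services: - "
            "Package Name (NTLM only): - Key Length: 0 This event is generated when a logon "
            "request fails. It is generated on the computer where access was attempted.")


SAMPLE_LINES = [  # constructed: six unknown names via EdgeTransport, one bad password at the console
    _sample("2014 Aug 31 16:08:01", "charlie"),
    _sample("2014 Aug 31 16:09:12", "maria"),
    _sample("2014 Aug 31 16:10:40", "sales@example.com"),
    _sample("2014 Aug 31 16:11:03", "admin"),
    _sample("2014 Aug 31 16:12:57", "test"),
    _sample("2014 Aug 31 23:51:59", "charlie"),
    _sample("2014 Aug 31 18:00:00", "jsmith", sub="0xc000006a", proc=WINLOGON, ltype=2),
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(describe(parse_4625(line)))
    print("processes worth investigating:", looks_like_guessing(summarize(SAMPLE_LINES)))
```

The useful signal is the combination, not any single field: a process that keeps presenting names the domain does not know, all as cleartext logons, is the thing to pull SMTP or protocol logs for, whereas the winlogon.exe event in the sample decodes to one existing user with a wrong password and is not flagged.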
