Recently I was alerted that a client had a user’s Active Directory account that was being locked out continually, even within 60 seconds of the account being unlocked. Looking at the Domain Controller logs, we were able to trace where the authentication attempts were being made from: one of the ISA servers. That meant someone was trying to log in to OWA with this user’s credentials and the wrong password, and was continually locking the account.

You would have thought this would have been a simple look-it-up-in-the-logs, but looking at the ISA logs was very frustrating, as I could never find the right field to filter on to find out where the attempts were coming from.

Well, I eventually figured out how to do it, so I wrote up a quick procedure, for posterity:

From beginning to end:

1) Find which Domain Controller is being used to authenticate the credentials (look for event 539 or 4625), and check its logs to see which ISA server the authentication attempts are coming from.

2) Filter the target ISA logs on the following parameter:

HTTP Status Code = 1909

This is the HTTP status code that is generated when an account cannot be logged on because it is locked out (in this specific case, when attempting to log on to OWA).

3) Cross-reference the time stamps on the ISA lockout log entries from the previous step with the DC’s logs to make sure you have the right lockout entries.

4) After verifying, look at the ISA lockout log entries for the source IP the authentication attempts are coming from.

5) Nuke IP from Orbit.
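As an added example (not part of the original post), the filter-and-cross-reference of steps 2 to 4 as a script: it parses W3C-style ISA log lines, keeps only result 1909 rows for the affected user, and counts the source IPs whose timestamps fall within a few seconds of the DC lockout events. The field layout and the log lines are constructed; match the #Fields header of your own export.

```python
"""Correlate ISA result-1909 (account locked out) entries with DC lockout event
timestamps to find the source IP behind repeated OWA lockouts. Added example;
the W3C field subset below is an assumption, not ISA's full header."""
from datetime import datetime, timedelta
from collections import Counter

# Constructed sample of ISA W3C-style log lines (assumed field subset).
ISA_LOG = """#Fields: date time c-ip cs-username cs-uri sc-status
2011-04-01 09:12:03 203.0.113.7 CORP\\jdoe /owa/auth/owaauth.dll 1909
2011-04-01 09:12:05 203.0.113.7 CORP\\jdoe /owa/auth/owaauth.dll 1909
2011-04-01 09:12:40 198.51.100.22 CORP\\asmith /owa/ 200
2011-04-01 09:13:11 203.0.113.7 CORP\\jdoe /owa/auth/owaauth.dll 1909
2011-04-01 11:45:00 192.0.2.50 CORP\\jdoe /owa/auth/owaauth.dll 1909
"""

# Constructed DC lockout event timestamps (event 539 / 4625 on the DC).
DC_LOCKOUTS = [datetime(2011, 4, 1, 9, 12, 4), datetime(2011, 4, 1, 9, 13, 12)]

LOCKED_OUT = "1909"  # value the post filters on in the ISA status column

def parse_isa_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip malformed lines rather than misalign columns
        yield dict(zip(fields, parts))

def lockout_sources(text, dc_times, user, window=timedelta(seconds=30)):
    """Count c-ip for 1909 entries of `user` that land within `window` of a
    DC lockout event (the cross-reference in step 3). Entries with no matching
    DC event are dropped, so unrelated 1909 rows do not pollute the result."""
    hits = Counter()
    for rec in parse_isa_log(text):
        if rec["sc-status"] != LOCKED_OUT or rec["cs-username"].lower() != user.lower():
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        if any(abs(ts - t) <= window for t in dc_times):
            hits[rec["c-ip"]] += 1
    return hits

if __name__ == "__main__":
    print(lockout_sources(ISA_LOG, DC_LOCKOUTS, "CORP\\jdoe"))
```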

-Josh

Joomla! is becoming a liability… Or not.

Posted: 11th April 2011 by Josh in Uncategorized

I host a number of Joomla! websites. Most of them are 1.5, though I still have a client that is on the 1.0.x branch. (Tell me about it!) None of the extensions are up to date.

I also host a number of WordPress blogs. All of them, as well as the installed plugins, are all up to date to the most recent release.

Over the last couple years of keeping Joomla! & WordPress installs updated, I have gotten to the point where I was about to stop hosting Joomla! installs, as I still have to manually upload & update both the core files & the extensions. WordPress has had this feature since December 2008! (Since version 2.7)

With the ever-increasing mass hacks made possible by vulnerable, out-of-date Joomla! plugins, plus the lack of any easy way to keep those plugins updated, I was about to toss in the towel for Joomla! and declare it too much of a risk to run on my server, when I noticed that the recently released Joomla! 1.6 finally adds this much-needed feature of automagically finding core & plugin updates & installing them. The catch, of course, is that the plugin developers have to set up their plugins to allow this.

So yes, there is hope for all you Joomla! fans out there, though the fact that it took them so long to add this feature is quite disconcerting to say the least…

-Josh

HBGary, Juicy Fruit, & 0-Day

Posted: 1st March 2011 by Josh in Uncategorized

If you have not been following the HBGary & Anonymous story, Ars Technica has a couple great writeups on it.

In the aftermath of this whole saga, Anonymous has made public ~72,000 emails from top HBGary leaders (Founder, CEO, etc), including Greg Hoglund, of rootkit.com & “Rootkits: Subverting the Windows Kernel” fame.

Using the emails as a source, Ars Technica did a great review of some of the more interesting emails, including a couple discussing “Juicy Fruit.” From Ars Technica:

“HBGary kept a stockpile of 0-day exploits. A slide from one of the company’s internal presentations showed that the company had 0-day exploits for which no patch yet existed—but these 0-day exploits had not yet even been published. No one knew about them.

The company had exploits “on the shelf” for Windows 2000, Flash, Java, and more….

One of the unpublished Windows 2000 exploits, for instance, can deliver a “payload” of any size onto the target machine using a heap exploit. “The payload has virtually no restrictions” on what it can do, a document notes, because the exploit secures SYSTEM level access to the operating system, “the highest user-mode operating system defined level” available.”

Though this is all interesting, the pertinent detail I wanted to point out can be found in one of the emails, found here. As you can see, one of the 0-days is for ESX & ESXi. The email is dated Dec 6, 2009, so just over a year ago.

Though we do not know what kind of access would have been gained (“Even with unique access to the innermost workings of a security firm, much remains opaque; the real conversations took place face-to-face or on secure phone lines, not through e-mail, so the glimpses we have here are fragmentary at best. This care taken to avoid sending sensitive information via unencrypted e-mail stands in stark contrast with the careless approach to security that enabled the hacks in the first place.”), we can see from other emails that we are not talking about some kind of script kiddie-level exploit.

The salient point that I want to hammer home is this: HBGary is a small private-sector security company that did some contracting work for the industrial defense space. If HBGary has access to these types of 0-days, it is not hard to imagine what state-sponsored attackers might have access to, both homeland and overseas.

Are we ready?


-Josh