logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: NtLmSsp attack ?
Author
bagu



Joined: 06 Jan 2011
Posts: 193
Location: France

PostPosted: Sun 06 Jun '21 18:07    Post subject: NtLmSsp attack ? Reply with quote

Hello, I regularly receive attacks, obviously through Apache, of this type:
Quote:
Échec d’ouverture de session d’un compte.

Sujet :
ID de sécurité : NULL SID
Nom du compte : -
Domaine du compte : -
ID d’ouverture de session : 0x0

Type d’ouverture de session : 3

Compte pour lequel l’ouverture de session a échoué :
ID de sécurité : NULL SID
Nom du compte : administrator
Domaine du compte :

Informations sur l’échec :
Raison de l’échec : Nom d’utilisateur inconnu ou mot de passe incorrect.
État : 0xC000006D
Sous-état : 0xC0000064

Informations sur le processus :
ID du processus de l’appelant : 0x0
Nom du processus de l’appelant : -

Informations sur le réseau :
Nom de la station de travail : -
Adresse du réseau source : 23.253.164.50
Port source : 0

Informations détaillées sur l’authentification :
Processus d’ouverture de session : NtLmSsp
Package d’authentification : NTLM
Services en transit : -
Nom du package (NTLM uniquement) : -
Longueur de clé : 0

Cet événement est généré lorsqu’une demande d’ouverture de session échoue. Il est généré sur l’ordinateur sur lequel l’accès a été tenté.

Le champ Objet indique le compte sur le système local qui a demandé l’ouverture de session. Il s’agit le plus souvent d’un service, comme le service Serveur, ou un processus local tel que Winlogon.exe ou Services.exe.

Le champ Type d’ouverture de session indique le type d’ouverture de session qui a été demandé. Les types les plus courants sont 2 (interactif) et 3 (réseau).

Les champs relatifs aux informations sur le processus indiquent quel est le compte et le processus sur le système qui ont demandé l’ouverture de session.

Les champs relatifs aux informations sur le réseau indiquent la provenance de la demande d’ouverture de session distante. Le nom de la station de travail n’étant pas toujours disponible, peut rester vide dans certains cas.

Les champs relatifs aux informations d’authentification fournissent des détails sur cette demande d’ouverture de session spécifique.
- Les services en transit indiquent les services intermédiaires qui ont participé à cette demande d’ouverture de session.
- Le nom du package indique quel a été le sous-protocole qui a été utilisé parmi les protocoles NTLM.
- La longueur de la clé indique la longueur de la clé de session générée. Elle a la valeur 0 si aucune clé de session n’a été demandée.


They fail, but I wonder how they can happen?
Do you have an idea? Could you give me some advice so that I can avoid this kind of problem in the future?

Thanks
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Mon 07 Jun '21 22:31    Post subject: Reply with quote

In that error message is nothing from apache as far as I can see rather than a login try on the windows system itself.

if you are sure, that is is apache mod security can help.
Back to top
tangent
Moderator


Joined: 16 Aug 2020
Posts: 348
Location: UK

PostPosted: Mon 07 Jun '21 22:38    Post subject: Reply with quote

@bagu - You say these event log entries are obviously through Apache, but don't provide any details of your Apache configuration, or the content/application being served through Apache. The only clue in the failed login detail you've posted is the client IP address 23.253.164.50, which appears to be located in the US.

If external users are connecting to Apache on your server, then I'd guess there's some content being served, either from a network share or local resource, that's protected. Without appropriate NTLM credentials, access is denied, and an event log entry is duly created.
Back to top
bagu



Joined: 06 Jan 2011
Posts: 193
Location: France

PostPosted: Tue 08 Jun '21 21:15    Post subject: Reply with quote

Hello,

It is true that I was not very exhaustive in the details.
In fact, when I shut down apache, I don't receive these messages anymore.
That's what told me that Apache was concerned.
However, my server only shares local resources.

I think I have a problem somewhere, because I have, for example, access attempts on https://localhost even though this should not be possible.
So I'm trying to find out how there can be access attempts outside the directories containing my public sites.

I'm going to look at the module recommended by James Blond, but at the same time I'm still trying to find out if there is a defect in the configuration of my virtualhosts.
Back to top
bagu



Joined: 06 Jan 2011
Posts: 193
Location: France

PostPosted: Tue 08 Jun '21 21:17    Post subject: Reply with quote

Hello,

It is true that I was not very exhaustive in the details.
In fact, when I shut down apache, I don't receive these messages anymore.
That's what told me that Apache was concerned.
However, my server only shares local resources.

I think I have a problem somewhere, because I have, for example, access attempts on https://localhost even though this should not be possible.
So I'm trying to find out how there can be access attempts outside the directories containing my public sites.

I'm going to look at the module recommended by James Blond, but at the same time I'm still trying to find out if there is a defect in the configuration of my virtualhosts.

Translated with www.DeepL.com/Translator (free version)
Back to top
tangent
Moderator


Joined: 16 Aug 2020
Posts: 348
Location: UK

PostPosted: Tue 08 Jun '21 21:40    Post subject: Reply with quote

Can you not tie up the time of one of these event log error entries, to an access request in the Apache logs?

That would then show you the resource being requested via Apache.

Depending on what account you're running Apache under, could there be some local resource ACL restrictions that someone's applied?
Back to top
bagu



Joined: 06 Jan 2011
Posts: 193
Location: France

PostPosted: Wed 09 Jun '21 10:42    Post subject: Reply with quote

Quote:
could there be some local resource ACL restrictions that someone's applied?


Not possible and already double check

Quote:
Can you not tie up the time of one of these event log error entries, to an access request in the Apache logs?


Yes, good idea. I don't know why I didn't do this sooner. Embarassed (That should have been the first thing I did) Thanks. Wink
Back to top


Reply to topic   Topic: NtLmSsp attack ? View previous topic :: View next topic
Post new topic   Forum Index -> Apache