Free evtx viewer for a mac
Both Phatbot and Rbot provide other clues that a password-guessing attack is real. Earlier in the book we listed the default userids they both can use. You might not see this in every attack, but if the bot hasn't gathered any userids locally yet, or if the gathered userids haven't gotten in, the bot might try userids from the default list. They almost always try Administrator, so if you have renamed this account, its appearance in a failed login attempt raises the probability that this is an attack. If you see attempts using the userids Administrador, then administrateur, as the login ID, you can be sure that this is a password-guessing attack and that a bot (likely Phatbot, Rbot, or another related bot family) is attacking the victim's computer. If the attempts happen to take place during times when no one is supposed to be working in that department, you can be even more certain.

You are examining this computer because someone already said it was virus infected or because one of your intelligence sources spotted it talking to a known C&C server. So, what's the point of analyzing this data? Here's the value of this analysis: the computers listed in the workstation field of the failed login records for type 3 logins, where the workstation field differs from the victim's computer name, are all infected computers. Using this technique during the analysis phase, we have found over 200 infected computers that were part of one botnet. This is despite the fact that we actively scan for bot C&C activity. However, that is during the analysis step, which we will cover later in this chapter. In this step we are trying to determine the attack vector, the time of the successful attempt, and the userid that successfully logged in (which should now be considered compromised). Table 5.1 shows a sample of output from this SQL query.

You can see that attacks came from two computers, ATTACKER1 and ATTACKER2. ATTACKER2 shows the pattern consistent with an automated password-guessing attack, with attempts coming one a second for an hour. It is also a bit of a clue that there were 2200 attempts during that hour.
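The analysis described above can be scripted over the same fields the SQL query works with: time, outcome, logon type, target userid and the workstation field. The following Python is an added example, not code from the book or from this page; it runs over a constructed set of records (a hypothetical victim host VICTIM-PC, the ATTACKER1 and ATTACKER2 names from the text, and a 2200-attempt, one-per-second run), and the 600-failures-per-hour threshold is an assumed cut-off for calling a source automated. It flags high-rate sources, attempts against the default userids the text names, the workstation names that point to other infected machines, and the first success after a run of failures, whose userid should be treated as compromised.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

VICTIM = "VICTIM-PC"  # hypothetical victim computer name (assumption)
# Default userids named on the page; compared case-insensitively.
DEFAULT_BOT_USERIDS = {"administrator", "administrador", "administrateur"}


def make_sample_records():
    """Constructed failed/successful logon records, not real log data."""
    t0 = datetime(2024, 1, 1, 2, 0, 0)  # 02:00, when nobody should be working
    recs = []
    # ATTACKER1: a handful of scattered type 3 (network) failures.
    for i in range(5):
        recs.append({"time": t0 + timedelta(minutes=7 * i), "success": False,
                     "logon_type": 3, "user": "jsmith", "workstation": "ATTACKER1"})
    # ATTACKER2: one attempt per second, 2200 attempts, cycling guessed userids.
    users = ["Administrator", "Administrador", "administrateur", "jsmith", "guest"]
    for i in range(2200):
        recs.append({"time": t0 + timedelta(seconds=i), "success": False,
                     "logon_type": 3, "user": users[i % 5], "workstation": "ATTACKER2"})
    # The guess that finally got in (constructed).
    recs.append({"time": t0 + timedelta(seconds=2200), "success": True,
                 "logon_type": 3, "user": "jsmith", "workstation": "ATTACKER2"})
    # A local console failure on the victim itself: not another infected host.
    recs.append({"time": t0 + timedelta(hours=5), "success": False,
                 "logon_type": 2, "user": "jsmith", "workstation": VICTIM})
    return sorted(recs, key=lambda r: r["time"])


def attempts_per_hour(records):
    """Failed logons per (workstation, hour bucket); a steady high count is the
    automated password-guessing signature."""
    counts = Counter()
    for r in records:
        if not r["success"]:
            hour = r["time"].replace(minute=0, second=0, microsecond=0)
            counts[(r["workstation"], hour)] += 1
    return counts


def automated_sources(records, threshold=600):
    """Workstations with at least `threshold` failures in one hour (assumed cut-off)."""
    return sorted({ws for (ws, _), n in attempts_per_hour(records).items() if n >= threshold})


def default_userid_probes(records):
    """Which default bot userids each source tried, a clue the guessing is a bot."""
    probes = defaultdict(set)
    for r in records:
        if not r["success"] and r["user"].lower() in DEFAULT_BOT_USERIDS:
            probes[r["workstation"]].add(r["user"])
    return {ws: sorted(u) for ws, u in probes.items()}


def likely_infected_sources(records, victim=VICTIM):
    """Workstation names from type 3 failed logins that are not the victim itself:
    each is another machine running the guessing bot."""
    return sorted({r["workstation"] for r in records
                   if not r["success"] and r["logon_type"] == 3
                   and r["workstation"] != victim})


def first_compromise(records):
    """(time, userid, workstation) of the first success from a source that was
    failing beforehand; that userid should be treated as compromised."""
    failing = set()
    for r in records:
        if not r["success"]:
            failing.add(r["workstation"])
        elif r["workstation"] in failing:
            return r["time"], r["user"], r["workstation"]
    return None


if __name__ == "__main__":
    recs = make_sample_records()
    print("automated sources:", automated_sources(recs))
    print("default userid probes:", default_userid_probes(recs))
    print("likely infected sources:", likely_infected_sources(recs))
    print("first compromise:", first_compromise(recs))
```

The victim's own console failure (logon type 2, workstation equal to the victim name) is deliberately excluded by `likely_infected_sources`, which is the filter the text describes; the other three checks each correspond to one clue from the passage and can be run independently against records exported from a real log.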