Mysterious Username Bruteforcing/Injection

[lordofthesquids]

Hello all,

I administrate the computer network at a local highschool. We have a wireless network that users log on to with their windows accounts--it is encrypted with WPA2-Enterprise and authenticates users with Active Directory. This is all managed by a brand new server running Windows Server 2008 R2. Recently, we appear to have experienced an attack of some sort, and what it left in the logs does not make any sense to me. The usernames of attempted logins are recorded, and some very unusual things were tried. First of all, the attack seemed to target the account of another administrator, whose username is "jsmith" (changed to protect privacy). The following attempts were logged:

w3gkjs
w3gkjsmi
w3gkjsmit
w3gkjsmith
3gkjsmith
gkjsmith
kjsmith
jsmith <--when it got here, it successfully authenticated.

Furthermore, more logins were attempted with the following "usernames":

random
generate_random
timestamp+router / access / alter / =>= + 03:00:00
<windowsvista> /delete/ path / type / records / delete

Those look like attempts at command injection to me, but I've never heard of any sort of injection vulnerabilities with wireless authentication.

Has anybody heard of an attack that would make these usernames make sense? Could passwords somehow be determined by trying mutations of a username? If you have any ideas about a pattern that could connect these logins, please let me know.

Thank you very much!

[Archangel-Amael]

Yes passwords can sometimes be construed from a user name. As an example I have a username of JSmith , and since I am human and forgetful and the admin said to make my password complex using numbers and special characters, I chose JSmith123! < That is a common occurrence.
For more on this look at:
Passwords - Skull Security < loads of lists with bad choices.
What’s My Pass? » The Top 500 Worst Passwords of All Time < The top 500

As for your situation, it appears as if someone is trying to bruteforce their way (or may have already done so) into your network.
My advice if you don't know what you are doing, in regards to penetration testing and digital forensics, it would be best to find a consultant in your area to help you out.
You would probably want to take your network down in order to isolate the issue, fix, patch, update and or remove it.
Having said that though there are many variables that come into play, such as what did happen, (an actual breech or only attempted ones, full network compromise) Costs both perceived and real, in terms of account info, productivity time lost etc.
Also understand that if you are wanting to do some sort of investigation for potential criminal proceedings, then you or anyone else (that are not qualified forensics experts) messing around on the network at this point could invalidate any evidence in a court of law.
I could go on, but some of our other experts will likely chime in to offer more information.

[g3ksan]

It sounds like one of the kids at your school discovered some tools on the internet and wanted to impress their friends. It looks like they tried to use a tool and did not configure it properly, which explains why you see that weird username combination.

Archangel-Amael covered most of it (that's why he's a supermod). If you haven't already done it, change that password.

From an investigative/law enforcement point of view, you need to make sure you keep logs intact. Don't mess around too much, like Archangel-Amael said, you or your employees messing around with things too much can destroy the integrity of evidence. The more people that touch it, the more likely it is in a court of law that the validity of the evidence will be called into question. If you just want to find out who did it, you can either hire a consultant if you feel it's over your head, or just do it yourselves. If you want to pursue criminal charges against the individual, you are going to have to get in touch with your local law enforcement, if they don't have a computer crimes division, they can escalate as needed to either California Department of Law Enforcement or the FBI.

Can't think of much else at the moment because work distracted me, but if I think of anything I'll pipe up.

[lordofthesquids]

Thanks for your input, guys. Fortunately, I'm not going to have to pursue criminal charges or anything--I know who did it and we have talked. I have some background in infosec circles, so I think I can handle the situation competently, I just wanted to see if anyone could tell which tool they (tried to) use. I know for a fact that the perpetrator is most definitely in the script kiddie category.