Trace of 139 attack?
From: Eagle (the_eagle@flashmail.com)
Date: 07/24/01
- Previous message: Pidgorny, Slav: "RE: Hacked NT/2K box"
- Next in thread: Patrik Birgersson: "SV: Trace of 139 attack?"
- Reply: Patrik Birgersson: "SV: Trace of 139 attack?"
- Reply: Windex King: "Re: Trace of 139 attack?"
- Reply: Rob Kirk: "RE: Trace of 139 attack?"
- Reply: S S: "Re: Trace of 139 attack?"
- Reply: Todd Schubert: "RE: Trace of 139 attack?"
- Reply: owentoby@WellsFargo.COM: "FW: Trace of 139 attack?"
- Reply: Stephen Pinto: "FW: Trace of 139 attack?"
- Reply: H C: "RE: Trace of 139 attack?"
- Reply: khayman: "Re: FW: Trace of 139 attack?"
- Reply: May, Jason S: "RE: Trace of 139 attack?"
- Reply: Nick Ferguson: "RE: Trace of 139 attack?"
- Reply: Thor@HammerofGod.com: "Re: Trace of 139 attack?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <001f01c113fc$f7b5fcf0$5903c5cb@vsnl.net.in>
From: "Eagle" <the_eagle@flashmail.com>
To: <focus-ms@securityfocus.com>
Subject: Trace of 139 attack?
Date: Tue, 24 Jul 2001 10:26:12 +0530
Hi Everyone,
Scenario:
A web server IIS 4.0 or 5.0 running on NT 4.0 or W2K.
Port 139 open and for all to see, shares in place.
All other configurations almost default.
Attacker guesses username/password of a Joe account in the Admin group.
Uses this to gain full access to the machine.
Among all the things he could possibly do (install trojans, keyloggers,
etc.), he defaces the sites, accesses sensitive files, copies files to the
system32 folder for remote console, etc.
Is there any way, through reading logs etc., that it might be possible to
trace his IP back? If yes, then which logs, and what entries in those logs
would show up his IP?
Remember, this has not occurred through a buffer overflow exploit, but
simply by guessing username/password.
Also, prior to getting the right password, he must have gone through a number
of failed attempts. Do the logs of these give an idea of his IP?
If there are any config changes to be made to catch such an attack in the
future, then what would those be?
I'm new to this, so excuse any oversights if this question has been asked
before. Just point me to the right resources.
Thanks
KM
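As an added example (not part of the original post or any reply), a defender-side script that sifts an exported Security log for the pattern the poster describes: a run of failed network logons from one workstation, followed by a success. It assumes the NT4/2000 event IDs 529 (logon failure, bad user name or password) and 540 (successful network logon), logon type 3 for network (SMB/NetBIOS) logons, and a constructed tab-separated export format that is not any tool's exact output.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample export (tab-separated: time, event id, logon type,
# user, workstation). Format and values are made up for this example.
# On NT4/2000 these events carry the NetBIOS workstation name, not an IP,
# and are only written if auditing of logon events is enabled.
SAMPLE_LOG = """\
2001-07-23 22:41:03\t529\t3\tadministrator\tWKSTN-X
2001-07-23 22:41:05\t529\t3\tadministrator\tWKSTN-X
2001-07-23 22:41:08\t529\t3\tjoe\tWKSTN-X
2001-07-23 22:41:11\t529\t3\tjoe\tWKSTN-X
2001-07-23 22:41:14\t529\t3\tjoe\tWKSTN-X
2001-07-23 22:41:20\t540\t3\tjoe\tWKSTN-X
2001-07-23 22:50:00\t529\t2\tkm\tWEBSRV
2001-07-23 22:50:30\t528\t2\tkm\tWEBSRV
"""

FAILURE, NETWORK_SUCCESS = "529", "540"

def parse(log_text):
    """Yield (time, event_id, logon_type, user, workstation) per line."""
    for line in log_text.splitlines():
        if line.strip():
            ts, eid, ltype, user, wks = line.split("\t")
            yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, ltype, user, wks

def find_guessing_bursts(log_text, min_failures=5, window_minutes=10):
    """Return {workstation: (total_failures, users_then_logged_on)} for
    workstations with >= min_failures network logon failures inside the
    window that are later followed by a successful network logon."""
    failures = defaultdict(list)   # workstation -> failure timestamps
    successes = defaultdict(set)   # workstation -> users who got in
    for ts, eid, ltype, user, wks in parse(log_text):
        if ltype != "3":           # ignore interactive (console) logons
            continue
        if eid == FAILURE:
            failures[wks].append(ts)
        elif eid == NETWORK_SUCCESS and failures[wks]:
            successes[wks].add(user)
    hits = {}
    for wks, times in failures.items():
        times.sort()
        for i, t in enumerate(times):   # sliding window over failures
            n = sum(1 for u in times[i:] if (u - t).total_seconds() <= window_minutes * 60)
            if n >= min_failures and successes[wks]:
                hits[wks] = (len(times), sorted(successes[wks]))
                break
    return hits
```

The workstation name is only a lead; mapping it to an IP needs another source (IIS logs, firewall or router logs) from the same time window.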