RE: Trace of 139 attack?

From: H C (keydet89@yahoo.com)
Date: 07/26/01


Message-ID: <20010725225003.46220.qmail@web14602.mail.yahoo.com>
Date: Wed, 25 Jul 2001 15:50:03 -0700 (PDT)
From: H C <keydet89@yahoo.com>
Subject: RE: Trace of 139 attack?
To: stephen.pinto@paladion.net, Patrik Birgersson <pbirgersson@telia.com>


> 1) administrator account cannot be locked

Sure it can.

> 2) Enable Auditing in your policies

Enabling auditing is as important as what you enable.
Depending upon the size of your organization, I would
suggest both successful and failed logon attempts.
Also, modify the User Modals appropriately, and
increase the size of the log files so that information
isn't easily overwritten. You don't want to just
blindly turn auditing on...you want to have meaningful
data in the logs, as well.

> 3) Use some software (scheduler) to export your logs
> to some other machine or
> tape after a particular period of time, so that even
> if the hacker plans on
> deleting the logs he cannot do it.

An inexpensive option is something like NTSyslog, with
a central Syslog daemon. That way, if the attacker
tries to delete log files, at least the fact that they
logged into the system (if the appropriate logging is
enabled) will be recorded someplace else. Another
inexpensive option is to create a service in Perl to
do the same thing (I recently released a script on
another list that uses the Win32 API to wait for
events to be generated to the EventLog, in
real-time...and consumes very little CPU time).

> Usually if an attacker is doing a brute force on
> your server your logs will
> get full. The best solution is to use an IDS (Snort,
> which is free).

Snort's a great idea if you want information such as
IP addresses. The appropriate rules exist for what
the OP wants to do.

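A defender-side illustration of what the reply recommends (success and failure logon auditing, logs forwarded to a central syslog host, and a brute-force rule over them), added here as an example that is not part of the original mail or any NTSyslog code. It assumes a hypothetical forwarded-event line format, and uses the Windows NT/2000 Security log event IDs 528 and 529.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed forwarded-event line format (the real NTSyslog layout is not shown in
# the thread): "<Mon dd HH:MM:SS> <host> security[<kind>] <event id> User: <name>
# Workstation: <client>". 528 (successful logon) and 529 (logon failure: bad user
# name or password) are the Windows NT/2000 Security log IDs for logon auditing.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) security\[(?P<kind>\w+)\] "
    r"(?P<eid>\d+) User: (?P<user>\S+) Workstation: (?P<wks>\S+)$"
)
SUCCESS_LOGON, FAILED_LOGON = 528, 529

def parse_line(line, year=2001):
    """Parse one forwarded Security-log line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    rec["eid"] = int(rec["eid"])
    return rec

def detect_brute_force(lines, threshold=5, window=timedelta(minutes=2)):
    """Flag a client that fails >= threshold logons within `window`, and a
    successful logon from a client that was just failing (the guessed-password
    case). Returns (alert kind, workstation, user, timestamp) tuples."""
    failures = defaultdict(list)   # workstation -> timestamps of recent failures
    alerts, reported = [], set()
    for rec in filter(None, map(parse_line, lines)):
        recent = [t for t in failures[rec["wks"]] if rec["ts"] - t <= window]
        if rec["eid"] == FAILED_LOGON:
            recent.append(rec["ts"])
            failures[rec["wks"]] = recent
            if len(recent) >= threshold and rec["wks"] not in reported:
                reported.add(rec["wks"])
                alerts.append(("brute_force", rec["wks"], rec["user"], rec["ts"]))
        elif rec["eid"] == SUCCESS_LOGON and recent:
            alerts.append(("success_after_failures", rec["wks"], rec["user"], rec["ts"]))
            failures[rec["wks"]] = []
    return alerts

# Constructed sample: six bad-password tries for administrator from GUEST-PC in
# 40 seconds, then a success, then one unrelated failure and a junk line.
SAMPLE_LOG = [f"Jul 25 15:40:{s:02d} FILESRV1 security[failure] 529 User: administrator "
              f"Workstation: GUEST-PC" for s in (1, 9, 17, 25, 33, 41)] + [
    "Jul 25 15:40:58 FILESRV1 security[success] 528 User: administrator Workstation: GUEST-PC",
    "Jul 25 15:41:10 FILESRV1 security[failure] 529 User: jsmith Workstation: HR-WS12",
    "not a security event at all"]
```

Because the events are copied off the server as they are written, the alert survives even if the attacker later clears the local Security log.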
