RE: Trace of 139 attack?

From: May, Jason S (
Date: 07/26/01

Message-ID: <F8E4AF509F39D411BD4100508BDF077607372A10@USCHM202>
From: "May, Jason S" <>
To: nobody <>, "'Todd Schubert'" <>
Subject: RE: Trace of 139 attack?
Date: Thu, 26 Jul 2001 13:10:08 -0400

The adminlockout tool can be used so that the administrator account can be
locked out remotely.

-----Original Message-----
From: nobody []
Sent: Thursday, July 26, 2001 9:46 AM
To: 'Todd Schubert'
Subject: RE: Trace of 139 attack?

Actually, the default administrator account cannot be locked out. This
is why it's such a vulnerability. On all the machines I administer I
rename the default administrator account and create a dummy one. While
an experienced (c/h)acker will see after some time that they have been
hammering a dummy account, the account is consequently locked out. This
works as a notification and gives me and my shop some extra time to react.

Brian R. Ogram
+ "The best defense is a good offense"
+ - Mel the cook on "Alice"

-----Original Message-----
From: Todd Schubert []
Sent: Wednesday, July 25, 2001 5:17 PM
To: ''; Patrik Birgersson
Subject: RE: Trace of 139 attack?

This is not true. The Administrator account can be locked out if too
many incorrect passwords are entered for it.

Todd Schubert
Information Technology Specialist
Jory Capital Inc.
phone: 204.925.5215
fax: 204.942.0047

-----Original Message-----
From: Stephen Pinto []
Sent: Monday, July 23, 2001 5:07 PM
To: Patrik Birgersson
Subject: RE: Trace of 139 attack?

To add to Patrik:
1) administrator account cannot be locked
2) Enable Auditing in your policies
3) Use some software (scheduler) to export your logs to some other
machine or tape after a particular period, so that even if the
hacker plans on deleting the logs he cannot do it. Best practice is to
use a dot matrix printer to print the logs, which is a bit expensive.
    Usually if an attacker is doing a brute force on your server your logs
will get full. The best solution is to use an IDS (Snort, which is free). Try
a firewall like Checkpoint which has some authentication mechanism. Better
go to you will get lots of info.

Stephen Pinto
Security Consultant
Paladion Networks,
E-217, Tower-3, International InfoTech Park,
Vashi, Navi Mumbai,400703
Ph: +91 22 7812446 / 7812450/ 7892890
FAX: +91 22 7812140

-----Original Message-----
From: Patrik Birgersson []
Sent: Wednesday, July 25, 2001 12:34 AM
To: Eagle;
Subject: SV: Trace of 139 attack?


You would like to use the Event Log.
There's a HOWTO at:
(URL might be wrapped).

If this box of yours is a web server to the world, you should _not_ use
it as a file server with NetBIOS shares 'n stuff. Use another box on a
private network for that. If your shares must be accessed from outside
your office (like from another office or employees on the road) you
should use some VPN solution that tunnels your NetBIOS traffic. NetBIOS
is inherently insecure and shall _not_ be allowed from untrusted networks
(you know - like the Internet).

If the server you're talking about is an Intranet server, then you might
have a harder time disabling NetBIOS, especially if you've got
*old* clients (like Win95/98/ME/NTW) that don't utilize Kerberos for

However, regardless of whether the server is "inside" or "outside" and whether
you restricted NetBIOS or not, your Security Log would fill up quickly
if someone's brute-forcing an account. You should configure your machine
so that it'll shut down if the security log fills up (this can be
"dangerous" - you must of course maintain your logs carefully, otherwise
your computer will shut down "out of the blue" one day). You should also
apply timed account lockouts if more than 5 (3 attempts with manual
unlock if you're strict) failed login attempts have been made.

Patrik Birgersson

# Security is not a product - it is a process #


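The thread argues over two defensive controls: Patrik's timed lockout after a handful of failed logins, and Brian's trick of renaming the real administrator account and leaving a decoy named "Administrator" whose lockout acts as a tripwire. The script below is an added example written for this archive page; it is not code from any of the posters, and it does not settle whether the built-in Administrator account can be locked out on NT (the point the posters disagree on). It replays a constructed list of failed-logon records (timestamp, target account, source address, three fields reduced from what a Security Log "bad password" event carries; the sample data is invented) through a lockout policy that assumes Patrik's numbers (5 failures inside a 30-minute window, 30-minute lock), and separately alerts on every attempt against a decoy account name.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of failed-logon records: (timestamp, target account,
# source address). Not a real log; the shape mirrors a Security Log
# "bad password" event stripped down to the fields the policy needs.
SAMPLE_FAILED_LOGONS = [
    ("2001-07-25 23:58:01", "Administrator", "192.0.2.10"),
    ("2001-07-25 23:58:02", "Administrator", "192.0.2.10"),
    ("2001-07-25 23:58:02", "Administrator", "192.0.2.10"),
    ("2001-07-25 23:58:03", "Administrator", "192.0.2.10"),
    ("2001-07-25 23:58:03", "Administrator", "192.0.2.10"),  # 5th failure -> lock
    ("2001-07-25 23:58:04", "Administrator", "192.0.2.10"),  # arrives while locked
    ("2001-07-26 08:15:10", "tschubert", "10.0.0.7"),        # a real user's typo
    ("2001-07-26 08:40:00", "tschubert", "10.0.0.7"),
    ("2001-07-26 09:30:00", "tschubert", "10.0.0.7"),        # older failures aged out
]


class LockoutPolicy:
    """`threshold` failures within `window` lock the account for `duration`.
    Defaults assume the 5-attempt / 30-minute figures suggested in the thread."""

    def __init__(self, threshold=5, window=timedelta(minutes=30),
                 duration=timedelta(minutes=30)):
        self.threshold = threshold
        self.window = window
        self.duration = duration


def evaluate_failed_logons(records, policy, decoy_accounts=("Administrator",)):
    """Replay failed-logon records through the lockout policy.

    Returns a dict with:
      lockouts     - (account, locked_at, source) for each lockout, in order
      decoy_alerts - (timestamp, account, source) for every attempt against a
                     decoy account name (the renamed-Administrator tripwire)
      suppressed   - failures that arrived while the account was already locked
    """
    recent = defaultdict(deque)   # account -> failure timestamps inside window
    locked_until = {}             # account -> datetime the lock expires
    result = {"lockouts": [], "decoy_alerts": [], "suppressed": 0}

    for ts_text, account, source in records:
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")

        # The decoy check runs before the lock check: a hammered decoy is
        # the signal Brian relies on, so every attempt is worth recording.
        if account in decoy_accounts:
            result["decoy_alerts"].append((ts_text, account, source))

        if account in locked_until and ts < locked_until[account]:
            result["suppressed"] += 1
            continue

        window_failures = recent[account]
        window_failures.append(ts)
        # Drop failures that fall outside the observation window.
        while window_failures and ts - window_failures[0] > policy.window:
            window_failures.popleft()

        if len(window_failures) >= policy.threshold:
            locked_until[account] = ts + policy.duration
            result["lockouts"].append((account, ts_text, source))
            window_failures.clear()

    return result


def failures_per_source(records):
    """Count failures by source address: one host producing most of the
    volume is what Patrik's 'log fills up quickly' scenario looks like."""
    return Counter(source for _, _, source in records)


if __name__ == "__main__":
    outcome = evaluate_failed_logons(SAMPLE_FAILED_LOGONS, LockoutPolicy())
    for account, when, source in outcome["lockouts"]:
        print(f"LOCKOUT {account} at {when} (source {source})")
    for when, account, source in outcome["decoy_alerts"]:
        print(f"DECOY   {account} hit at {when} from {source}")
    print("suppressed while locked:", outcome["suppressed"])
    print("failures per source:", dict(failures_per_source(SAMPLE_FAILED_LOGONS)))
```

On the sample data the decoy locks on its fifth failure, the sixth attempt is counted as suppressed rather than re-locking the account, and the legitimate user's three scattered typos never reach the threshold because the older ones age out of the window. The same replay can be pointed at exported Security Log events, which is where Stephen's advice to ship logs off-box before an intruder can clear them pays off.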