Virus is getting domain account listing
From: David Carlin (djc6_at_cwru.edu)
Date: 05/10/04
- Previous message: Joshua Feek: "Re: Relative Security Provided by Cached Domain Credentials?"
- Next in thread: shimi: "Re: Virus is getting domain account listing"
- Reply: shimi: "Re: Virus is getting domain account listing"
- Reply: Harlan Carvey: "Re: Virus is getting domain account listing"
- Maybe reply: Levinson, Karl: "RE: Virus is getting domain account listing"
- Reply: Samuel Petreski: "RE: Virus is getting domain account listing"
- Reply: David Carlin: "Re: Virus is getting domain account listing"
- Maybe reply: Ronda Allen: "Re: Virus is getting domain account listing"
- Maybe reply: Harlan Carvey: "RE: Virus is getting domain account listing"
- Maybe reply: travis.alexander_at_lacamas.org: "RE: Virus is getting domain account listing"
- Maybe reply: Jason Knight: "RE: Virus is getting domain account listing"
- Maybe reply: Levinson, Karl: "RE: Virus is getting domain account listing"
- Maybe reply: Levinson, Karl: "RE: Virus is getting domain account listing"
- Reply: JGrimshaw_at_ASAP.com: "Re: Virus is getting domain account listing"
- Maybe reply: Michael Milting: "RE: Virus is getting domain account listing"
- Maybe reply: Levinson, Karl: "RE: Virus is getting domain account listing"
To: focus-ms@securityfocus.com
Date: Mon, 10 May 2004 09:10:54 -0400
Hello,
I work on a college campus and have been plagued for months by
something that is going through all of the accounts in my domains and
locking the accounts out by failed password attempts. I have two PDCs
for two different domains, running NT 4.0 and clients running XP
scattered around campus in various subnets. I have set up an ACL on my
Cisco switch to block traffic to the PDCs except from these subnets,
but it doesn't help because there are machines in those subnets
administered by other people that continue to get "infected".
My question is, how do I stop whatever this is from getting my account
listing in the first place? I have run Microsoft baseline analyzer; it
says I'm all good. The free Nessus scanner doesn't report any
problems. I have all patches, RestrictAnonymous=1 is in the registry.
I've renamed my admin account, this thing always picks up on it. It
knows which accounts are domain admins and attacks them more
aggressively. I've contacted the owners of the various machines
attacking, they never find any strange software, virus scanners always
come up empty - even when done remotely over the administrative shares.
Any ideas how to protect my user list?
-David