Re: Virus is getting domain account listing
From: shimi (shimi_at_shimi.net)
Date: 05/10/04
- Previous message: David Carlin: "Virus is getting domain account listing"
- In reply to: David Carlin: "Virus is getting domain account listing"
- Next in thread: Harlan Carvey: "Re: Virus is getting domain account listing"
Date: Mon, 10 May 2004 17:52:08 +0300 To: David Carlin <djc6@cwru.edu>
If this stuff is remote, nothing will help you in blocking the DCs from
the rest of the world; this is because they're not being attacked at all
(If you ask me).
I think that those machines try out NetBIOS logins to the computers,
which in turn, call-in to the domain and ask to authenticate the
user/pass pair.
Point is: configure the main gateway to filter ALL TRAFFIC to ALL
MICROSOFT SERVICES from the outside world. As for the beginning, that
goes to ports 135 to 139, all the kerberos related ones, if you run
webservers, they must not be running NTLM authentication (because then
you can lock accounts through them) to the outside world, and if you run
an exchange server, well, that's another microsoft authentication
service - it must be blocked to access from the outside world.
That's in my opinion, anyways. :>
David Carlin wrote:
> Hello,
>
> I work on a college campus and have been plagued for months by
> something that is going through all of the accounts in my domains and
> locking the accounts out by failed password attempts. I have two PDCs
> for two different domains, running NT 4.0 and clients running XP
> scattered around campus in various subnets. I have setup an ACL on my
> cisco switch to block traffic to the PDCs except from these subnets,
> but it doesn't help because there are machines in those subnets
> administered by other people that continue to get "infected".
>
> My question is, how do I stop whatever this is from getting my account
> listing in the first place? I have run Microsoft baseline analyzer,
> it says I'm all good.. The free Nessus scanner doesn't report any
> problems. I have all patches, RestrictAnonymous=1 is in the registry.
>
> I've renamed my admin account, this thing always picks up on it. It
> knows which accounts are domain admins and attacks them more
> aggressively. I've contacted the owners of the various machines
> attacking, they never find any strange software, virus scanners always
> come up empty - even when done remotely over the administrative shares.
>
> Any ideas how to protect my user list?
>
> -David
>
>
--
When you run Windows versus *nix fights, never forget that:
1. "Sure UNIX is user-friendly! It's just picky about who its friends are!"
2. "The day that Microsoft make a product that doesn't suck,
is the day they start making vacuum cleaners.."
3. "Windows is a 32bit port for a 16bit GUI for an 8bit OS made for a
4bit CPU by a 2bit company that can't stand 1bit of competition!"
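A defender-side check for the pattern David describes (one source machine failing logons across many accounts and locking them out), as an added example that is not part of this thread: it parses a constructed, simplified export of NT-style security-log failure events (529 = bad user name or password, 539 = account locked out) and reports workstations that hit several distinct accounts. The line format, host names and account names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed, simplified export of NT-style security log lines (assumed format):
# <time> <event id> <domain>\<user> <source workstation>
# 529 = logon failure (bad user name or password), 539 = account locked out
SAMPLE_LOG = """\
09:00:01 529 CAMPUS\\administrator LAB-PC-12
09:00:01 529 CAMPUS\\jsmith LAB-PC-12
09:00:02 529 CAMPUS\\mjones LAB-PC-12
09:00:02 529 CAMPUS\\administrator LAB-PC-12
09:00:03 529 CAMPUS\\administrator LAB-PC-12
09:00:03 539 CAMPUS\\administrator LAB-PC-12
09:00:04 529 CAMPUS\\pbrown LAB-PC-12
09:01:10 529 CAMPUS\\djc6 DJC-DESKTOP
09:01:12 529 CAMPUS\\djc6 DJC-DESKTOP
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+([^\\\s]+)\\(\S+)\s+(\S+)$")


def parse_failures(text):
    """Yield (event_id, account, workstation) for failure events 529/539."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        _time, event_id, _domain, account, workstation = m.groups()
        if event_id in ("529", "539"):
            yield int(event_id), account.lower(), workstation.upper()


def spray_sources(text, min_accounts=3):
    """Per source workstation: distinct accounts with failed logons, total
    failures, and accounts locked out. Only workstations that failed against
    at least min_accounts distinct accounts are returned, which separates a
    walk through the user list from one user mistyping a password."""
    stats = defaultdict(lambda: {"accounts": set(), "failures": 0, "lockouts": set()})
    for event_id, account, ws in parse_failures(text):
        if event_id == 529:
            stats[ws]["accounts"].add(account)
            stats[ws]["failures"] += 1
        else:
            stats[ws]["lockouts"].add(account)
    return {ws: {"accounts": sorted(s["accounts"]), "failures": s["failures"],
                 "lockouts": sorted(s["lockouts"])}
            for ws, s in stats.items() if len(s["accounts"]) >= min_accounts}


if __name__ == "__main__":
    for ws, s in spray_sources(SAMPLE_LOG).items():
        print(ws, s)  # LAB-PC-12 is reported; DJC-DESKTOP (one account) is not
```

The reported workstation name is the machine to take off the network and examine, which is the step the thread's advice about gateway filtering does not cover for hosts already inside the subnets.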