Re: Virus is getting domain account listing
From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 05/10/04
- Previous message: shimi: "Re: Virus is getting domain account listing"
- In reply to: David Carlin: "Virus is getting domain account listing"
- Next in thread: Levinson, Karl: "RE: Virus is getting domain account listing"
Date: Mon, 10 May 2004 07:28:20 -0700 (PDT)
To: focus-ms@securityfocus.com
Dave,
If there is some activity that's locking out accounts, I would suggest that you enable auditing on the PDCs for both failed and successful logon/logoff activity. You should be seeing the unsuccessful logon attempts in the Event Viewer...initially based on bad passwords (presumably), then based on the fact that the account is locked out. The Event Viewer entries will have the workstation from which the request came...you can then go to those systems and ask the owners to check for malware.

On a side note, technically the activity you're describing would be more akin to a worm than a virus. Of course, it may be the result of a Trojan instead...but checking the timing on Event Viewer entries will narrow that down a bit.
HTH,
Harlan
--- David Carlin <djc6@cwru.edu> wrote:
> Hello,
>
> I work on a college campus and have been plagued for months by something that is going through all of the accounts in my domains and locking the accounts out by failed password attempts. I have two PDCs for two different domains, running NT 4.0 and clients running XP scattered around campus in various subnets. I have set up an ACL on my Cisco switch to block traffic to the PDCs except from these subnets, but it doesn't help because there are machines in those subnets administered by other people that continue to get "infected".
>
> My question is, how do I stop whatever this is from getting my account listing in the first place? I have run Microsoft baseline analyzer; it says I'm all good. The free Nessus scanner doesn't report any problems. I have all patches; RestrictAnonymous=1 is in the registry.
>
> I've renamed my admin account; this thing always picks up on it. It knows which accounts are domain admins and attacks them more aggressively. I've contacted the owners of the various machines attacking; they never find any strange software, virus scanners always come up empty - even when done remotely over the administrative shares.
>
> Any ideas how to protect my user list?
>
> -David
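The triage Harlan describes (turn on logon auditing, read the failed-logon entries, note the workstation name, and look at the timing to tell a scripted worm from a user mistyping a password) can be scripted once the Security log has been exported. The following is an added example for this thread, not code from either poster: it parses a constructed flat export of NT 4.0-style audit records (event 529 for a bad user name or password, 539 for a locked-out account; the `date time id user=... workstation=...` line format is an assumption made for this example), counts failures per source workstation, finds accounts driven past a lockout threshold inside a time window, and measures the cadence of attempts per workstation so that machine-speed bursts stand out.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample export of failed-logon audit records. NT 4.0 logs event
# 529 for a bad user name/password and 539 for a locked-out account; the flat
# key=value line format here is an assumption for this example, not a real dump.
SAMPLE_LOG = """\
2004-05-10 07:00:00 529 user=alice workstation=OFFICE-12
2004-05-10 07:01:02 529 user=DomAdmin workstation=LAB-PC07
2004-05-10 07:01:04 529 user=DomAdmin workstation=LAB-PC07
2004-05-10 07:01:06 529 user=DomAdmin workstation=LAB-PC07
2004-05-10 07:01:08 529 user=DomAdmin workstation=LAB-PC07
2004-05-10 07:01:10 529 user=DomAdmin workstation=LAB-PC07
2004-05-10 07:01:12 539 user=DomAdmin workstation=LAB-PC07
2004-05-10 07:01:14 529 user=bsmith workstation=LAB-PC07
2004-05-10 07:01:16 529 user=bsmith workstation=LAB-PC07
2004-05-10 07:05:30 529 user=cjones workstation=WS-FIN02
2004-05-10 07:05:31 529 user=cjones workstation=WS-FIN02
2004-05-10 07:05:32 529 user=cjones workstation=WS-FIN02
2004-05-10 08:30:00 529 user=alice workstation=OFFICE-12
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<id>\d+) "
    r"user=(?P<user>\S+) workstation=(?P<ws>\S+)$"
)


def parse_events(text):
    """Turn the flat export into a list of event dicts, skipping unparsable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "id": int(m.group("id")),
            "user": m.group("user"),
            "ws": m.group("ws"),
        })
    return events


def failures_by_workstation(events, event_id=529):
    """Count events of one ID per source workstation: the list of owners to contact."""
    return Counter(e["ws"] for e in events if e["id"] == event_id)


def lockout_candidates(events, threshold=5, window=timedelta(minutes=30)):
    """Accounts that reach `threshold` bad-password attempts inside `window`,
    mapped to the workstations that produced those attempts."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 529:
            by_user[e["user"]].append(e)
    hits = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            if len(burst) >= threshold:
                hits[user] = sorted({e["ws"] for e in burst})
                break
    return hits


def median_gap_seconds(events, event_id=529):
    """Median seconds between consecutive attempts per workstation. Gaps of a
    few seconds indicate automated guessing; a user mistyping leaves minutes."""
    by_ws = defaultdict(list)
    for e in events:
        if e["id"] == event_id:
            by_ws[e["ws"]].append(e["ts"])
    gaps = {}
    for ws, stamps in by_ws.items():
        stamps.sort()
        if len(stamps) < 2:
            continue  # one attempt gives no interval to measure
        gaps[ws] = median((b - a).total_seconds() for a, b in zip(stamps, stamps[1:]))
    return gaps


def automated_sources(events, max_median_gap=10.0):
    """Workstations whose attempt cadence looks scripted (10 s cut-off is an assumption)."""
    return sorted(ws for ws, g in median_gap_seconds(events).items() if g <= max_median_gap)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("failed logons by workstation:", dict(failures_by_workstation(evs)))
    print("lockouts by workstation:", dict(failures_by_workstation(evs, 539)))
    print("accounts driven to lockout threshold:", lockout_candidates(evs))
    print("median gap between attempts (s):", median_gap_seconds(evs))
    print("likely automated sources:", automated_sources(evs))
```

On the sample data, LAB-PC07 and WS-FIN02 come out with attempt intervals of one to two seconds, which no person typing passwords produces, while OFFICE-12 shows two failures ninety minutes apart and can be left alone. The window and threshold in `lockout_candidates` should be set to match the domain's actual account lockout policy so that the script flags the same accounts the PDC locks.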