Re: Virus is getting domain account listing
From: David Carlin (djc6_at_cwru.edu)
Date: 05/10/04
- Previous message: Samuel Petreski: "RE: Virus is getting domain account listing"
- In reply to: David Carlin: "Virus is getting domain account listing"
- Next in thread: Ronda Allen: "Re: Virus is getting domain account listing"
Date: Mon, 10 May 2004 13:26:49 -0400
To: focus-ms@securityfocus.com
Wow, lots of replies! Instead of replying individually, I'm going to
provide additional info to the list:
- There are no successful logins within hours of the attacks. On
weekends/middle of the night, hours since the last successful login
attempt, a string of failing login attempts will appear in the security
event log.
- I have forced *all* users to change passwords, twice now. I have
given them tips about non-words, random symbols, numbers - they all
insist they have chosen such passwords.
- For virus scanning we use Symantec AntiVirus Corporate Edition 8.1
- Firewalling is difficult. Each building has its own subnet, and I
have users in several subnets. Their IPs are all dynamic, so I've
restricted connections to the server based on subnet. So, I'll give
access to a building - say 100 people - but only 5-10 of them may be
computers I manage and have control over. The other 90 can get
infected with something, attack my DC, not much I can do about it but
try and track down the owner and mention it to him/her.
- I do have plenty of logs showing what computers are doing this.
They're virtually all professors' office computers, most in departments
without system administrators. I've gone and looked at their machines,
but virus scanning turns up nothing, nothing strange in event logs at
time of the attack... running tcpview or the like doesn't show open IRC
channel connections or anything where they might be controlled from.
None of the processes running aren't supposed to be there. It's tough
to know what the history of the machine is, not having set it up.
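
The pattern reported in this message (one machine failing logons against many accounts in a short burst, hours after the last successful logon) can be pulled out of exported logon records with a short script. This is an added example, not part of the original post; the comma-separated record format, host names, account names and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs): time, source host, account, outcome.
SAMPLE = """\
2004-05-07 17:42:10,BLDG-A-PC12,jsmith,SUCCESS
2004-05-08 02:13:01,BLDG-C-PC40,administrator,FAIL
2004-05-08 02:13:02,BLDG-C-PC40,asmith,FAIL
2004-05-08 02:13:03,BLDG-C-PC40,bjones,FAIL
2004-05-08 02:13:05,BLDG-C-PC40,cdavis,FAIL
2004-05-08 02:13:06,BLDG-C-PC40,dlee,FAIL
2004-05-10 09:01:00,BLDG-A-PC07,jsmith,FAIL
2004-05-10 09:01:20,BLDG-A-PC07,jsmith,FAIL
2004-05-10 09:01:45,BLDG-A-PC07,jsmith,SUCCESS
"""

def parse(text):
    """Parse 'time,source,account,outcome' lines into time-sorted tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, acct, outcome = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        rows.append((when, src, acct.lower(), outcome))
    return sorted(rows)

def find_bursts(rows, window=timedelta(minutes=10), min_accounts=5,
                quiet=timedelta(hours=2)):
    """Return (source, first_failure, accounts) for each source that failed
    against >= min_accounts distinct accounts inside `window`, starting at
    least `quiet` after the last successful logon seen from any source."""
    successes = [t for t, _, _, o in rows if o == "SUCCESS"]
    fails = defaultdict(list)
    for t, src, acct, o in rows:
        if o == "FAIL":
            fails[src].append((t, acct))
    hits = []
    for src, items in fails.items():
        for i, (start, _) in enumerate(items):
            accounts = {a for t, a in items[i:] if t - start <= window}
            prior = [s for s in successes if s <= start]
            idle = not prior or start - prior[-1] >= quiet
            if len(accounts) >= min_accounts and idle:
                hits.append((src, start, sorted(accounts)))
                break  # one report per source is enough for triage
    return hits

if __name__ == "__main__":
    for src, start, accounts in find_bursts(parse(SAMPLE)):
        print(f"{start} {src}: {len(accounts)} accounts: {', '.join(accounts)}")
```

The user who mistypes a password twice and then logs in (BLDG-A-PC07 in the sample) is not reported, because only one account is involved.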