RE: Virus is getting domain account listing
travis.alexander_at_lacamas.org
Date: 05/10/04
- Previous message: Harlan Carvey: "RE: Virus is getting domain account listing"
- Maybe in reply to: David Carlin: "Virus is getting domain account listing"
- Next in thread: Jason Knight: "RE: Virus is getting domain account listing"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: djc6@cwru.edu, focus-ms@securityfocus.com
Date: Mon, 10 May 2004 14:29:58 -0700
In my environment, I have also been experiencing the same thing.
I'm also not sure what is causing the lockouts. I tend to think
that the latest string of patches from MS (11-14) are the
culprits. Since the main patch problem is with #11 causing a wide
range of side effects, it might have something to do with that.
Since I can't prove it in my limited time and resources
available, I'll never know. If you or anyone ever finds out what
the heck is going on, please let us know. Thanks.
Travis.
-----Original Message-----
From: David Carlin [mailto:djc6@cwru.edu]
Sent: Monday, May 10, 2004 10:27 AM
To: focus-ms@securityfocus.com
Subject: Re: Virus is getting domain account listing
Wow, lots of replies! Instead of replying individually, I'm going to
provide additional info to the list:
- There are no successful logins within hours of the attacks. On
weekends/middle of the night, hours since the last successful login
attempt, a string of failing login attempts will appear in the security
event log.
- I have forced *all* users to change passwords, twice now. I have
given them tips about non-words, random symbols, numbers - they all
insist they have chosen such passwords.
- For virus scanning we use Symantec AntiVirus Corporate Edition 8.1
- Firewalling is difficult. Each building has its own subnet, and I
have users in several subnets. Their IPs are all dynamic, so I've
restricted connections to the server based on subnet. So, I'll give
access to a building - say 100 people - but only 5-10 of them may be
computers I manage and have control over. The other 90 can get
infected with something, attack my DC, not much I can do about it but
try and track down the owner and mention it to him/her.
- I do have plenty of logs showing what computers are doing this.
They're virtually all professors' office computers, most in departments
without system administrators. I've gone and looked at their machines,
but virus scanning turns up nothing, nothing strange in event logs at
time of the attack... running tcpview or the like doesn't show open IRC
channel connections or anything where they might be controlled from.
None of the processes running aren't supposed to be there. It's tough
to know what the history of the machine is not having set it up.
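
The pattern described in the quoted message (a string of failed logins from one machine, hours after the last successful login) can be pulled out of an exported Security log as in the following added example, which is not part of the original thread. The CSV layout, host names, account names and thresholds are constructed assumptions; the event IDs are the Windows 2000/2003-era logon IDs (529 failure, 528/540 success).

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample export of a DC Security log (hypothetical CSV layout:
# time, event ID, target account, source workstation). Not real data.
SAMPLE = """\
2004-05-08 14:02:11,528,asmith,LAB-PC1
2004-05-08 14:05:40,529,asmith,LAB-PC1
2004-05-08 14:05:52,528,asmith,LAB-PC1
2004-05-09 03:10:01,529,administrator,PROF-PC7
2004-05-09 03:10:02,529,asmith,PROF-PC7
2004-05-09 03:10:03,529,bjones,PROF-PC7
2004-05-09 03:10:04,529,cwong,PROF-PC7
"""

FAILURE = {"529"}          # logon failure: unknown user name or bad password
SUCCESS = {"528", "540"}   # interactive / network logon success

def parse(text):
    """Turn the CSV export into time-sorted (time, event_id, account, host) tuples."""
    rows = []
    for row in csv.reader(StringIO(text)):
        if row:  # skip blank lines
            ts, event_id, account, host = row
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            rows.append((when, event_id, account.lower(), host.upper()))
    return sorted(rows)

def find_bursts(rows, gap=timedelta(minutes=10), quiet=timedelta(hours=2), min_accounts=3):
    """Flag runs of failures from one host that hit >= min_accounts distinct
    accounts with no successful logon from that host in `quiet` before the run."""
    last_success, bursts, flagged = {}, defaultdict(list), {}
    for ts, event_id, account, host in rows:
        if event_id in SUCCESS:
            last_success[host] = ts
            bursts[host].clear()          # a success ends the current run
        elif event_id in FAILURE:
            run = bursts[host]
            if run and ts - run[-1][0] > gap:
                run.clear()               # long pause since last failure: new run
            run.append((ts, account))
            start = run[0][0]
            accounts = sorted({a for _, a in run})
            idle = host not in last_success or start - last_success[host] >= quiet
            if idle and len(accounts) >= min_accounts:
                flagged[(host, start)] = accounts
    return [(host, start, accts) for (host, start), accts in sorted(flagged.items())]
```

A single mistyped password followed by a successful logon (LAB-PC1 in the sample) is not flagged; only the off-hours run against several accounts from PROF-PC7 is.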