RE: Virus is getting domain account listing

From: Jason Knight (jknight_at_thadsys.com)
Date: 05/10/04

  • Next message: Levinson, Karl: "RE: Virus is getting domain account listing"

    Date: Mon, 10 May 2004 12:37:19 -0700
    To: <focus-ms@securityfocus.com>

    True, you should always have "Audit for Failure" as part of your
    domain policy at minimum. The Event Viewer logs on the PDCs were the way
    I was able to narrow down which machines the failed logon requests were
    coming from. I found that the virus definitions on those machines were
    a month old. After updating and running a scan everything was fine.
    Also, if I'm not mistaken, since you're running an NT 4.0 domain
    (as opposed to Win2k AD) an infected PC doesn't need to be joined to the
    domain in order to easily browse the network for shares and services.

    Jason
    -----Original Message-----
    From: Harlan Carvey [mailto:keydet89@yahoo.com]
    Sent: Monday, May 10, 2004 7:28 AM
    To: focus-ms@securityfocus.com
    Cc: David Carlin
    Subject: Re: Virus is getting domain account listing

    Dave,

    If there is some activity that's locking out accounts, I would suggest
    that you enable auditing on the PDCs for both failed and successful
    logon/logoff activity.
    You should be seeing the unsuccessful logon attempts in the Event
    Viewer...initially based on bad passwords (presumably), then based on
    the fact that the account is locked out. The Event Viewer entries will
    have the workstation from which the request came...you can then go to
    those systems and ask the owners to check for malware.

    On a side note, technically the activity you're describing would be more
    akin to a worm than a virus.
    Of course, it may be the result of a Trojan instead...but checking the
    timing on Event Viewer entries will narrow that down a bit.

    HTH,

    Harlan

    --- David Carlin <djc6@cwru.edu> wrote:
    > Hello,
    >
    > I work on a college campus and have been plagued for months by
    > something that is going through all of the accounts in my domains and
    > locking the accounts out by failed password attempts. I have two PDCs
    > for two different domains, running NT 4.0 and clients running XP
    > scattered around campus in various subnets. I have setup an ACL on my
    > cisco switch to block traffic to the PDCs except from these subnets,
    > but it doesn't help because there are machines in those subnets
    > administered by other people that continue to get "infected".
    >
    > My question is, how do I stop whatever this is from getting my account
    > listing in the first place? I have run Microsoft baseline analyzer,
    > it says I'm all good.. The free Nessus scanner doesn't report any
    > problems. I have all patches, RestrictAnonymous=1 is in the registry.
    >
    > I've renamed my admin account, this thing always picks up on it. It
    > knows which accounts are domain admins and attacks them more
    > aggressively. I've contacted the owners of the various machines
    > attacking, they never find any strange software, virus scanners always
    > come up empty - even when done remotely over the administrative
    > shares.
    >
    > Any ideas how to protect my user list?
    >
    > -David

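The triage both Jason and Harlan describe (reading the PDC's Security log to see which workstations the failed logon requests come from, then visiting those machines) can be automated once the log is exported. The following script is an added example and not code from the original thread: it assumes a simplified CSV export whose column names and sample rows are constructed here, and it keys on the NT 4.0 Security log event IDs 529 (logon failure: unknown user name or bad password) and 539 (logon failure: account locked out). A host that fails logons against several different accounts stands out from a user who merely mistyped one password, which is the pattern David describes.

```python
"""Tally failed domain logons by source workstation from an exported Security log."""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export (not real data). The columns are a simplified form
# of what an Event Viewer "Save as CSV" of the NT 4.0 Security log contains.
# 529 = Logon Failure: unknown user name or bad password
# 539 = Logon Failure: account locked out
# 528 = Successful logon (kept in the sample so the filter has something to skip)
SAMPLE_EXPORT = """\
date,time,event_id,user,workstation
2004-05-10,07:01:02,529,administrator,LAB-PC-17
2004-05-10,07:01:03,529,jsmith,LAB-PC-17
2004-05-10,07:01:03,529,djc6,LAB-PC-17
2004-05-10,07:01:04,529,administrator,LAB-PC-17
2004-05-10,07:02:15,528,djc6,DJC-DESKTOP
2004-05-10,07:03:40,539,administrator,LAB-PC-17
2004-05-10,07:05:00,529,mwilson,DORM-B-22
"""

FAILED_LOGON_IDS = {"529", "539"}


def tally_failures(export_text, min_failures=3):
    """Return {workstation: Counter(user -> failures)} for every workstation
    that produced at least min_failures failed logon events."""
    per_host = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["event_id"] in FAILED_LOGON_IDS:
            per_host[row["workstation"]][row["user"]] += 1
    return {host: users for host, users in per_host.items()
            if sum(users.values()) >= min_failures}


def suspicious_hosts(export_text, min_failures=3, min_distinct_users=2):
    """Workstations whose failures span several accounts. One account failing
    repeatedly is usually a forgotten password; many accounts failing from the
    same host looks like something walking the account list."""
    return sorted(host for host, users in
                  tally_failures(export_text, min_failures).items()
                  if len(users) >= min_distinct_users)


if __name__ == "__main__":
    for host, users in tally_failures(SAMPLE_EXPORT).items():
        print(f"{host}: {dict(users)}")
    print("investigate:", suspicious_hosts(SAMPLE_EXPORT))
```

Run against the constructed sample, LAB-PC-17 is the only host reported (five failures across three accounts, with the administrator account tried most), while the single failure from DORM-B-22 stays below the threshold. Against a real export you would map the column names to whatever the Event Viewer export produced and feed the resulting host list to the people who administer those machines, as both replies suggest.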