RE: Virus is getting domain account listing

From: Levinson, Karl (Karl.Levinson_at_dhs.gov)
Date: 05/10/04

    To: 'David Carlin' <djc6@cwru.edu>, focus-ms@securityfocus.com
    Date: Mon, 10 May 2004 15:47:59 -0400
    
    

    I thought I'd make sure the original poster knows that enabling Windows
    login auditing does NOT capture the IP address of the machine making the
    login attempts, just the computer name. If these machines were coming from
    the Internet or from a domain where you cannot resolve the computer name for
    some reason [such as you can't reach their WINS or name server, they
    aren't set up to use a WINS server, etc. etc.], it may be impossible to
    track down the source machine from these events.

    To get the IP address from logged Windows login attempts, you'd probably
    need to use a firewall, router log, IDS such as Snort.org, or even a
    thoughtfully configured sniffer like Ethereal if necessary. If the logging
    device is not the same as the computer logging the messages, you'd need to
    make sure time is synchronized between the two devices, or use something
    like NTSYSLOG with a free syslog client like www.kiwisyslog.com to combine
    the Windows log and the IP address logs into one log.

    For information on how to enable auditing, see here:

    http://securityadmin.info/faq.asp#auditing


    > -----Original Message-----
    > From: Samuel Petreski [mailto:petreski@ksu.edu]
    > Sent: Monday, May 10, 2004 10:26 AM
    > To: 'David Carlin'; focus-ms@securityfocus.com
    > Subject: RE: Virus is getting domain account listing
    >
    >
    > I would enable audit logging events in the Domain Security
    > Policy and see which machines try to password guess your
    > accounts and when. You will have to go through some logs, but
    > it will be worth it since you will see exactly who is logging in
    > and when, and how many failed logins per attempt.
    >
    > Samuel Petreski CCNA, MCSA
    > petreski@ksu.edu
    >
    > -----Original Message-----
    > From: David Carlin [mailto:djc6@cwru.edu]
    > Sent: Monday, May 10, 2004 8:11 AM
    > To: focus-ms@securityfocus.com
    > Subject: Virus is getting domain account listing
    >
    > Hello,
    >
    > I work on a college campus and have been plagued for months by
    > something that is going through all of the accounts in my domains and
    > locking the accounts out by failed password attempts. I have
    > two PDCs
    > for two different domains, running NT 4.0 and clients running XP
    > scattered around campus in various subnets. I have setup an
    > ACL on my
    > cisco switch to block traffic to the PDCs except from these subnets,
    > but it doesn't help because there are machines in those subnets
    > administered by other people that continue to get "infected".
    >
    > My question is, how do I stop whatever this is from getting
    > my account
    > listing in the first place? I have run Microsoft baseline
    > analyzer, it
    > says I'm all good.. The free Nessus scanner doesn't report any
    > problems. I have all patches, RestrictAnonymous=1 is in the registry.
    >
    > I've renamed my admin account, this thing always picks up on it. It
    > knows which accounts are domain admins and attacks them more
    > aggressively. I've contacted the owners of the various machines
    > attacking, they never find any strange software, virus
    > scanners always
    > come up empty - even when done remotely over the
    > administrative shares.
    >
    > Any ideas how to protect my user list?
    >
    > -David
    >
    >

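Karl's point is that the Windows security log gives you a workstation name but no source IP, so the IP has to be recovered from a firewall, router or IDS log by matching on time, with the clocks of the two devices reconciled first. The script below is an added example, not code from anyone in this thread. It correlates constructed NT 4.0-style event 529 (logon failure) records with constructed firewall connection lines for SMB traffic to the PDC, applying a known clock offset and a tolerance window, and then ranks source IPs by how many failures they account for. The CSV export layout, the firewall line format, the PDC address 10.1.0.5 and the 2-second clock offset are all assumptions for the sample; adapt the two parsers to whatever your log exporter and firewall actually emit.

```python
"""Recover source IPs for Windows failed-logon events by correlating them
with firewall connection logs on time (added example; all data constructed)."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of NT 4.0 event 529 (logon failure) records as they might be
# exported to CSV: date,time,event_id,account,workstation. The workstation name
# is what the event log gives you; there is no source IP field.
WIN_EVENTS = """\
05/10/2004,10:25:03,529,Administrator,LAB-PC07
05/10/2004,10:25:04,529,jsmith,LAB-PC07
05/10/2004,10:25:05,529,mjones,LAB-PC07
05/10/2004,10:26:40,529,mjones,LIB-KIOSK2
05/10/2004,10:31:12,529,Administrator,\\\\UNRESOLVED
"""

# Constructed firewall log for connections reaching the PDC. In this sample the
# firewall clock runs 2 s ahead of the PDC clock (an assumed, known offset).
FW_LOG = """\
May 10 10:25:05 fw01 TCP 10.1.7.22:1544 -> 10.1.0.5:139 allow
May 10 10:25:06 fw01 TCP 10.1.7.22:1545 -> 10.1.0.5:139 allow
May 10 10:25:07 fw01 TCP 10.1.7.22:1546 -> 10.1.0.5:139 allow
May 10 10:26:42 fw01 TCP 10.1.12.9:2201 -> 10.1.0.5:445 allow
May 10 10:26:42 fw01 TCP 10.1.3.40:80 -> 10.1.0.5:80 allow
May 10 10:29:00 fw01 TCP 10.1.9.77:1033 -> 10.1.0.5:139 allow
"""

PDC_IP = "10.1.0.5"          # assumed address of the domain controller
SMB_PORTS = {139, 445}       # NetBIOS session / direct SMB, where logons arrive
YEAR = 2004                  # syslog lines carry no year; supply it


def parse_win_events(text):
    """Parse the CSV event export into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time_, event_id, account, workstation = line.split(",")
        events.append({
            "ts": datetime.strptime(f"{date} {time_}", "%m/%d/%Y %H:%M:%S"),
            "event_id": int(event_id),
            "account": account,
            "workstation": workstation.lstrip("\\"),
        })
    return events


def parse_fw_log(text, year=YEAR):
    """Parse 'Mon DD HH:MM:SS host PROTO src:port -> dst:port action' lines."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        p = line.split()
        ts = datetime.strptime(f"{year} {p[0]} {p[1]} {p[2]}", "%Y %b %d %H:%M:%S")
        src_ip, _ = p[5].rsplit(":", 1)
        dst_ip, dst_port = p[7].rsplit(":", 1)
        conns.append({"ts": ts, "src_ip": src_ip,
                      "dst_ip": dst_ip, "dst_port": int(dst_port)})
    return conns


def correlate(events, conns, pdc_ip=PDC_IP, window_s=5, fw_offset_s=0):
    """For each logon failure, list source IPs that opened an SMB connection to
    the PDC within +/- window_s seconds. fw_offset_s is how far the firewall
    clock is ahead of the PDC clock and is removed before comparing. The
    workstation name is reported but not matched on: it may be unresolvable
    or simply not truthful. Several IPs in one window means the match is
    ambiguous; none means the logs are too far apart in time or incomplete."""
    window = timedelta(seconds=window_s)
    offset = timedelta(seconds=fw_offset_s)
    smb = [c for c in conns if c["dst_ip"] == pdc_ip and c["dst_port"] in SMB_PORTS]
    results = []
    for ev in events:
        if ev["event_id"] != 529:
            continue
        hits = sorted({c["src_ip"] for c in smb
                       if abs((c["ts"] - offset) - ev["ts"]) <= window})
        results.append({"ts": ev["ts"], "account": ev["account"],
                        "workstation": ev["workstation"], "sources": hits})
    return results


def sources_by_failure_count(results):
    """Rank candidate source IPs by the number of failures attributed to them."""
    counts = Counter(ip for r in results for ip in r["sources"])
    return counts.most_common()


if __name__ == "__main__":
    res = correlate(parse_win_events(WIN_EVENTS), parse_fw_log(FW_LOG), fw_offset_s=2)
    for r in res:
        print(r["ts"], r["account"], r["workstation"], r["sources"] or "no match")
    print(sources_by_failure_count(res))
```

The last event in the sample has no SMB connection anywhere near it, so it correlates to nothing: that is the case Karl warns about, where the workstation name alone cannot be traced and you need the two logs on the same clock (or merged through one syslog collector) before the match is trustworthy. Shrinking the window to one second without correcting the offset makes the very first failure unmatched as well, which is why the time synchronization step matters.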

