RE: Virus is getting domain account listing
From: Michael Milting (michael.milting_at_tietoenator.com)
Date: 05/10/04
- Previous message: JGrimshaw_at_ASAP.com: "Re: Virus is getting domain account listing"
- Maybe in reply to: David Carlin: "Virus is getting domain account listing"
- Next in thread: Harlan Carvey: "RE: Virus is getting domain account listing"
- Reply: Harlan Carvey: "RE: Virus is getting domain account listing"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 10 May 2004 21:34:08 +0200 To: "Harlan Carvey" <keydet89@yahoo.com>
I have seen this strange thing today too. I got called up by a customer because they couldn't log on. I haven't been able to find anything so far as to who is to blame, mainly because the issue appeared to have taken place sometime last Friday/Thursday, and the logs recycle.
I have tried several AV products and worm catchers, with no effect. It would be nice to find out EXACTLY how the vulnerability is used, and whether it is via a program "or" a virus/worm.
This has happened once earlier, but only on the administrative accounts.
Regards,
Milting
Watch out!
-----Original Message-----
From: Harlan Carvey [mailto:keydet89@yahoo.com]
Sent: Mon 5/10/2004 4:28 PM
To: focus-ms@securityfocus.com
Cc: David Carlin
Subject: Re: Virus is getting domain account listing
Dave,
If there is some activity that's locking out accounts,
I would suggest that you enable auditing on the PDCs
for both failed and successful logon/logoff activity.
You should be seeing the unsuccessful logon attempts
in the Event Viewer...initially based on bad passwords
(presumably), then based on the fact that the account
is locked out. The Event Viewer entries will have the
workstation from which the request came...you can then
go to those systems and ask the owners to check for
malware.
On a side note, technically the activity you're
describing would be more akin to a worm than a virus.
Of course, it may be the result of a Trojan
instead...but checking the timing on Event Viewer
entries will narrow that down a bit.
HTH,
Harlan
--- David Carlin <djc6@cwru.edu> wrote:
> Hello,
>
> I work on a college campus and have been plagued for months by something that is going through all of the accounts in my domains and locking the accounts out by failed password attempts. I have two PDCs for two different domains, running NT 4.0 and clients running XP scattered around campus in various subnets. I have set up an ACL on my Cisco switch to block traffic to the PDCs except from these subnets, but it doesn't help because there are machines in those subnets administered by other people that continue to get "infected".
>
> My question is, how do I stop whatever this is from getting my account listing in the first place? I have run Microsoft Baseline Security Analyzer; it says I'm all good. The free Nessus scanner doesn't report any problems. I have all patches, and RestrictAnonymous=1 is in the registry.
>
> I've renamed my admin account; this thing always picks up on it. It knows which accounts are domain admins and attacks them more aggressively. I've contacted the owners of the various machines attacking; they never find any strange software, and virus scanners always come up empty, even when run remotely over the administrative shares.
>
> Any ideas how to protect my user list?
>
> -David
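Harlan's suggestion above is to turn on logon/logoff auditing on the PDCs and then read the failed-logon entries (bad password first, then "account locked out") for the workstation name that sent each request. The script below is an added example, not code from anyone in the thread: it takes a Security log export and answers the two questions the thread raises, which workstations are generating the failures in bursts (the "worm vs. someone fat-fingering a password" distinction Harlan makes by timing) and whether privileged accounts are being hit harder. It assumes the tab-separated text that Event Viewer's "Save As" produces, with the NT 4.0 / 2000 description fields "User Name:" and "Workstation Name:" flattened onto one line; the event IDs are the NT 4.0 / 2000 ones (529 = unknown user name or bad password, 539 = account locked out). The sample lines, host names and account names (including the privileged account `domadm`) are constructed for illustration.

```python
"""Summarise failed logons and lockouts from a domain controller's Security log.

Assumed input: tab-separated Event Viewer export, one event per line, fields
  date, time, source, type, category, event ID, user, computer, description
with the NT 4.0 / 2000 description text flattened onto the same line.
All sample data below is constructed for this example.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Security log event IDs in NT 4.0 / Windows 2000 numbering.
BAD_PASSWORD = 529     # Logon failure: unknown user name or bad password
ACCOUNT_LOCKED = 539   # Logon failure: account locked out

USER_RE = re.compile(r"User Name:\s*(\S+)")
WKS_RE = re.compile(r"Workstation Name:\s*(\S+)")


def parse_export(text):
    """Return sorted (timestamp, event_id, user, workstation) tuples for 529/539 events."""
    events = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 9:
            continue  # header, blank or truncated line
        date, time_, _src, _type, _cat, eid, _user, _computer, desc = fields[:9]
        try:
            eid = int(eid)
        except ValueError:
            continue
        if eid not in (BAD_PASSWORD, ACCOUNT_LOCKED):
            continue  # successful logons, logoffs etc. are not of interest here
        user = USER_RE.search(desc)
        wks = WKS_RE.search(desc)
        ts = datetime.strptime(f"{date} {time_}", "%m/%d/%Y %H:%M:%S")
        events.append((ts, eid, user.group(1) if user else "?",
                       wks.group(1) if wks else "?"))
    events.sort()
    return events


def find_bursts(events, window=60, threshold=5):
    """Workstations that produced >= threshold failures inside any `window` seconds.

    A human mistyping a password gives one or two failures minutes apart; a worm
    walking the account list gives a tight run of them from one source.
    """
    by_wks = defaultdict(list)
    for ts, _eid, _user, wks in events:
        by_wks[wks].append(ts)
    bursts = {}
    for wks, times in by_wks.items():
        times.sort()
        best, best_start, lo = 0, None, 0
        for hi in range(len(times)):          # sliding window over sorted timestamps
            while (times[hi] - times[lo]).total_seconds() > window:
                lo += 1
            if hi - lo + 1 > best:
                best, best_start = hi - lo + 1, times[lo]
        if best >= threshold:
            bursts[wks] = (best, best_start)
    return bursts


def summarize(events, privileged=(), window=60, threshold=5):
    """Aggregate failures by source workstation and target account."""
    priv = {p.lower() for p in privileged}
    return {
        "by_workstation": Counter(wks for _, _, _, wks in events),
        "by_account": Counter(user for _, _, user, _ in events),
        "lockouts": [(user, wks, ts) for ts, eid, user, wks in events
                     if eid == ACCOUNT_LOCKED],
        "bursts": find_bursts(events, window, threshold),
        # failures aimed at the accounts you flag as privileged (constructed list)
        "privileged_failures": sum(1 for _, _, u, _ in events if u.lower() in priv),
    }


def _row(date, time_, eid, kind, reason, user, wks):
    """Build one constructed export line in the assumed format."""
    desc = (f"Logon Failure: Reason: {reason} User Name: {user} Domain: CAMPUS "
            f"Logon Type: 3 Workstation Name: {wks}")
    return "\t".join([date, time_, "Security", kind, "Logon/Logoff", str(eid),
                      "NT AUTHORITY\\SYSTEM", "PDC1", desc])


# Constructed sample: one workstation walks three accounts in nine seconds and
# locks one out; a second workstation has a single, isolated bad password.
SAMPLE = "\n".join([
    "Date\tTime\tSource\tType\tCategory\tEvent\tUser\tComputer\tDescription",
    _row("05/07/2004", "02:13:01", 529, "Failure Audit", "Unknown user name or bad password", "jdoe", "LAB-PC07"),
    _row("05/07/2004", "02:13:02", 529, "Failure Audit", "Unknown user name or bad password", "jdoe", "LAB-PC07"),
    _row("05/07/2004", "02:13:03", 529, "Failure Audit", "Unknown user name or bad password", "jdoe", "LAB-PC07"),
    _row("05/07/2004", "02:13:04", 529, "Failure Audit", "Unknown user name or bad password", "domadm", "LAB-PC07"),
    _row("05/07/2004", "02:13:05", 529, "Failure Audit", "Unknown user name or bad password", "domadm", "LAB-PC07"),
    _row("05/07/2004", "02:13:06", 529, "Failure Audit", "Unknown user name or bad password", "domadm", "LAB-PC07"),
    _row("05/07/2004", "02:13:07", 529, "Failure Audit", "Unknown user name or bad password", "domadm", "LAB-PC07"),
    _row("05/07/2004", "02:13:08", 539, "Failure Audit", "Account locked out", "jdoe", "LAB-PC07"),
    _row("05/07/2004", "02:13:09", 529, "Failure Audit", "Unknown user name or bad password", "asmith", "LAB-PC07"),
    _row("05/07/2004", "02:13:30", 528, "Success Audit", "", "asmith", "LAB-PC03"),  # ignored: success
    _row("05/07/2004", "09:41:17", 529, "Failure Audit", "Unknown user name or bad password", "asmith", "LIB-PC02"),
])

if __name__ == "__main__":
    report = summarize(parse_export(SAMPLE), privileged=("domadm",))
    for wks, (n, start) in report["bursts"].items():
        print(f"burst: {n} failures from {wks} starting {start}")
    for user, wks, ts in report["lockouts"]:
        print(f"lockout: {user} by {wks} at {ts}")
    print("privileged failures:", report["privileged_failures"])
```

Run it against a real export by replacing `SAMPLE` with the file contents; the workstations listed under `bursts` are the ones to visit, and the timestamps tell you whether the run started on the Thursday/Friday the logs had already rolled past. Because the PDC's own log recycles, pull exports on a schedule (or raise the log size) before the next wave, or the source names are gone by the time the helpdesk calls.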