Re: We've been compromised, now what...

From: HC <keydet89@yahoo.com>
Date: Tue, 28 May 2002 17:32:34 -0400


> Our organization has a small network with fewer than 30 clients, one pdc,
> and one bdc. There are about 20 accounts. The pdc running WinNT 4 Server
> is also a web server (iis 4) and the bdc running WinNT 4 Server is also an
> exchange 5.5 server. I was almost completely patched at the time of the
> attack, only missing items from mid-April (and I fully patched it after I
> detected an intrusion).
>
> The attacker got a list of users first (all the users from the user
> manager and also a list of computer names) and then proceeded to test each
> user's account for weak passwords (one successful attempt). This account
> was one of my least trusted accounts (in terms of privileges), but I'm
> guessing that doesn't matter.

It sounds as if you have port 139 exposed to the Internet. Presumably,
the attacker performed null session enumeration and got the list of user
names, and then went after each one from there.

Assuming it doesn't matter may be a mistake. Regardless of what people
are going to tell you on Usenet and the Internet, most folks don't know
how to 'root' an NT box. The vast majority of the reported remote
compromises that have actually taken place on NT/2K systems have been
through a buffer overflow to IIS, or a regular compromise followed by
privilege escalation (i.e., worm uses directory traversal exploit to get
some code on the system, then uses DebPloit executable to elevate
privileges).

> Three days later I noticed this and changed the weak password. But I'm
> assuming this isn't the end of this problem...

It could very well be. The fact that you found some information 3 days
later...presumably in the EventLog...tells me that the attacker never
gained admin rights...had he/she done so, the next logical thing to do
would be to disable auditing and clear the EventLogs.

 
> I have noticed a large increase in the number of IUSR_compname entries in
> the event viewer for my pdc, and a few for my bdc. Is this to be
> expected?

It depends on what those entries are...they could be anything. It also
depends on what your IIS log files look like.

> I am trying to lock everything down, what can I do at this point (aside
> from starting everything from scratch).

1. Block access to port 139 at the Internet, either via a firewall, or
router ACLs.
2. Use NT's inherent mechanisms to enforce strong passwords.
3. Set role-based ACLs.
4. Ensure certain auditing is enabled, and monitor the system.

> I have been going through the iis logs on my pdc and haven't found
> anything out of the ordinary (aside from the usual attempts to find
> .exe's, etc. which all result in 404 or 500).

Okay.

 
> I am planning on forcing a password change for every user as well.

Good.

 
> I ran two different virus scans, both had positive results.

What do you mean? "Positive" as in "the A/V scan found something", or
as in "nothing was found, and that's a good thing"? How up-to-date were
they? I like to use netcat in the IR course I teach for NT/2K, and the
A/V used at a site that will remain unnamed didn't detect it.

 
> I ran Steve Gibson's probe test and didn't see anything out of the
> ordinary.

Port scanning the system from the outside is a complete waste of time.

 
> I also backed up all data (web site, data files, e-mail, etc.).
>
> Basically, where should I look to find out what this intruder is trying to
> do, has done, etc.?

Well, for starters, you'd want to run tools like handle, listdlls,
pslist, fport and netstat to get a snapshot of the processes and
process-to-port mappings on the system. Check areas of the Registry for
new entries, particularly the ubiquitous 'Run' key.

> What should I look for on my system that are sure
> signs of an intruder?

New files that have been added, or files you need that have been
deleted. Maybe all the attacker did was look at files...however, if you
don't find any new files that have been added, then it's very likely
that the attacker gained access but had no idea what to do after
that...like I said, it's clear that most folks don't know how to 'root'
and gain complete control over an NT box, the way that it's done against
Linux systems.

> How can I prevent this intruder from gaining access
> to my system in the future (since he/she probably used the low level
> account to gain access to my system in other ways).

What evidence do you have to support "probably"?
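The reply tells the poster to go back through the IIS logs and treats the 404/500 noise as routine while caring about traversal and .exe probes. The script below is an added example, not part of the thread and not code from HC or the original poster: it parses the W3C extended format that IIS 4 writes (the #Fields directive names the columns), tallies 404/500 responses per client address, tags requests whose path contains a directory-traversal sequence or ends in .exe, and separates out the probes that actually returned 200, which are the ones worth worrying about. The log lines are constructed for the example; the thresholds and category names are the example's own choices.

```python
"""Triage an IIS 4 W3C-extended log for the signs discussed in the thread.

Added example. The sample log is constructed; column names follow the
W3C extended format that IIS writes (#Fields directive).
"""
from collections import Counter
from urllib.parse import unquote

# Constructed sample log: two internal clients and one external address
# walking the usual .exe / traversal probes, every probe answered 404 or 500.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 2002-05-25 00:00:01
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-05-25 00:00:01 10.0.0.5 GET /default.htm - 200
2002-05-25 00:00:09 10.0.0.5 GET /images/logo.gif - 200
2002-05-25 03:12:44 192.0.2.77 GET /scripts/..%5c../winnt/system32/tool.exe - 404
2002-05-25 03:12:45 192.0.2.77 GET /msadc/probe.exe - 404
2002-05-25 03:12:46 192.0.2.77 GET /scripts/probe.exe - 500
2002-05-25 03:13:01 192.0.2.77 GET /_vti_bin/..%255c../winnt/system32/tool.exe - 404
2002-05-25 08:40:12 10.0.0.9 GET /default.htm - 200
2002-05-25 09:01:03 10.0.0.9 GET /missing.htm - 404
"""


def parse_w3c(text):
    """Return one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated line; skip rather than guess
        rows.append(dict(zip(fields, parts)))
    return rows


def is_traversal(uri_stem):
    """True if the path, after URL decoding, tries to step up a directory.

    Two unquote passes catch the double-encoded form (%255c -> %5c -> \\).
    Overlong UTF-8 encodings are not decoded here; add that if your logs show them.
    """
    decoded = unquote(unquote(uri_stem))
    return "../" in decoded.replace("\\", "/")


def triage(rows, error_threshold=3):
    """Tag probe-looking requests and count 404/500 responses per client address.

    Returns (findings, noisy) where findings is a list of
    (client, category, uri_stem, status) and noisy maps clients that hit
    error_threshold or more 404/500 responses to their count.
    """
    errors = Counter()
    findings = []
    for r in rows:
        client, stem, status = r["c-ip"], r["cs-uri-stem"], r["sc-status"]
        if status in ("404", "500"):
            errors[client] += 1
        if is_traversal(stem):
            findings.append((client, "traversal", stem, status))
        elif stem.lower().endswith(".exe"):
            findings.append((client, "exe-probe", stem, status))
    noisy = {c: n for c, n in errors.items() if n >= error_threshold}
    return findings, noisy


def worrying(findings):
    """Probes that the server answered with 200: these are the ones to chase."""
    return [f for f in findings if f[3] == "200"]


if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_LOG)
    findings, noisy = triage(rows)
    for f in findings:
        print("%-12s %-10s %s -> %s" % f)
    print("clients with repeated 404/500:", noisy)
    print("probes answered 200:", worrying(findings))
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; a probe that shows up under "answered 200" is the point at which the reply's "okay" stops applying and the box needs a closer look.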


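The reply's advice for the "where should I look" and "sure signs of an intruder" questions comes down to taking a snapshot of listening ports and process mappings, checking whether port 139 is reachable, and looking for files that were added or removed. The script below is an added example, not from the thread and not from any of the tools it names: it parses NT-style "netstat -an" output into the set of listening sockets, reports any NetBIOS/RPC ports bound on all interfaces (the ones the reply says to block at the firewall or router), diffs a current snapshot against a baseline to surface new listeners, and diffs two file inventories (path, size, SHA-256) to find files added, removed or changed. The netstat text, file inventories and digests are constructed for the example.

```python
"""Snapshot-and-diff helpers for the 'where do I look' questions in the thread.

Added example. The netstat text mimics NT's 'netstat -an' layout; the file
inventories and their digests are constructed placeholders.
"""
import hashlib
import os

# Constructed 'netstat -an' output captured on a known-good day (the baseline).
BASELINE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
"""

# Constructed output from the same host today: one listener has appeared.
CURRENT_NETSTAT = BASELINE_NETSTAT + """\
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    10.0.0.1:139           10.0.0.5:1043          ESTABLISHED
"""

# Ports that should never be reachable from the Internet; bound on 0.0.0.0
# they rely entirely on a firewall or router ACL (the reply's point 1).
INTERNET_RISKY = {("TCP", 135), ("TCP", 139), ("UDP", 137), ("UDP", 138)}


def listeners(netstat_text):
    """Return {(proto, port)} for TCP sockets in LISTENING state and all bound UDP sockets."""
    found = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        proto, local = parts[0], parts[1]
        port = int(local.rsplit(":", 1)[1])
        if proto == "TCP" and (len(parts) < 4 or parts[3] != "LISTENING"):
            continue  # established/time-wait connections are not listeners
        found.add((proto, port))
    return found


def new_listeners(baseline_text, current_text):
    """Listening sockets present now that were absent from the baseline."""
    return sorted(listeners(current_text) - listeners(baseline_text))


def netbios_exposed(netstat_text):
    """NetBIOS/RPC listeners that must be blocked at the perimeter."""
    return sorted(listeners(netstat_text) & INTERNET_RISKY)


def inventory(root):
    """Map each file under root to (size, sha256) so later runs can be diffed."""
    inv = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            inv[os.path.relpath(path, root)] = (os.path.getsize(path), digest.hexdigest())
    return inv


def diff_inventory(baseline, current):
    """Files added, removed, or whose size/digest changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


# Constructed inventories (digests are placeholders, not real hashes).
BASELINE_FILES = {
    "inetpub/wwwroot/default.htm": (2048, "placeholder-aa11"),
    "winnt/system32/inetsrv/inetinfo.exe": (262144, "placeholder-bb22"),
}
CURRENT_FILES = dict(BASELINE_FILES)
CURRENT_FILES["inetpub/scripts/unknown.exe"] = (59392, "placeholder-cc33")

if __name__ == "__main__":
    print("new listeners:", new_listeners(BASELINE_NETSTAT, CURRENT_NETSTAT))
    print("perimeter-sensitive listeners:", netbios_exposed(CURRENT_NETSTAT))
    print("file changes:", diff_inventory(BASELINE_FILES, CURRENT_FILES))
```

The baseline only helps if it predates the intrusion, so take it from a trusted build or backup rather than from the machine as it stands today; and a listener that is new in netstat still needs fport or handle to tie it to a process, which this script does not do.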
