Re: We've been compromised, now what...

From: chris@nospam.com
Date: 05/29/02

On Tue, 28 May 2002 19:51:09 GMT, Nameless User
<notvalid@notvalid.com> wrote:

>Hello,
>
>Our organization has a small network with fewer than 30 clients, one pdc,
>and one bdc. There are about 20 accounts. The pdc running WinNT 4 Server
>is also a web server (iis 4) and the bdc running WinNT 4 Server is also an
>exchange 5.5 server. I was almost completely patched at the time of the
>attack, only missing items from mid-April (and I fully patched it after I
>detected an intrusion).
>
>The attacker got a list of users first (all the users from the user
>manager and also a list of computer names) and then proceeded to test each
>user's account for weak passwords (one successful attempt). This account
>was one of my least trusted accounts (in terms of privileges), but I'm
>guessing that doesn't matter.

Really bad idea having a publicly accessible website on your PDC.
Especially given the shaky security of IIS. Best bet is to run IIS on
a machine outside your firewall (you do have a firewall right?) that
has no valuable information that would be critical if compromised.
Disable any non-vital services such as workstation and server. Only
bind tcpip to the external interface.

You missed some of the patches if they could get a user list.

>Three days later I noticed this and changed the weak password. But I'm
>assuming this isn't the end of this problem...
>
>I have noticed a large increase in the number of IUSR_compname entries in
>the event viewer for my pdc, and a few for my bdc. Is this to be
>expected?
>
>I am trying to lock everything down, what can I do at this point (aside
>from starting everything from scratch).

Get IIS off of your PDC!

>I have been going through the iis logs on my pdc and haven't found
>anything out of the ordinary (aside from the usual attempts to find
>.exe's, etc. which all result in 404 or 500).

Login attempts? Look in the IIS log files and see what IPs the
attempts are coming from. You might get lucky and find the culprit,
or at least another compromised machine they are attacking from.

>I am planning on forcing a password change for every user as well.
>I ran two different virus scans, both had positive results.

Good start, but virus scans won't find some rootkits or other
installed backdoors.

>I ran Steve Gibson's probe test and didn't see anything out of the
>ordinary.
>
>I also backed up all data (web site, data files, e-mail, etc.).
>
>Basically, where should I look to find out what this intruder is trying to
>do, has done, etc.? What should I look for on my system that are sure
>signs of an intruder? How can I prevent this intruder from gaining access
>to my system in the future (since he/she probably used the low level
>account to gain access to my system in other ways).
>
>Thanks all.
>
>- Name Withheld
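One way to do what chris suggests (pull the client IPs behind the failed requests out of the IIS logs), as an added example that is not part of the original thread: a small parser for the W3C extended format IIS writes, run over a constructed sample. The IPs, account name and paths in the sample are made up; the `#Fields:` directive drives the column layout, so the same code works whatever columns the server was configured to log.

```python
from collections import Counter, defaultdict

# Constructed IIS W3C extended log sample (not a real capture); "#Fields:" names the columns.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2002-05-28 19:00:01 192.0.2.10 - GET /default.htm - 200
2002-05-28 19:00:05 203.0.113.7 - GET /scripts/cmd.exe /c+dir 404
2002-05-28 19:00:07 203.0.113.7 - GET /_vti_bin/shtml.dll - 500
2002-05-28 19:01:10 203.0.113.7 jsmith GET /private/ - 401
2002-05-28 19:01:11 203.0.113.7 jsmith GET /private/ - 401
2002-05-28 19:01:13 203.0.113.7 jsmith GET /private/ - 200
2002-05-28 19:02:00 192.0.2.10 - GET /images/logo.gif - 200
"""

ERROR_STATUSES = {"401", "404", "500"}   # failed auth, probing for files, script errors

def parse_w3c(text):
    """Yield one dict per request, keyed by the column names from the "#Fields:" line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue                      # other directives, blank lines, or no header yet
        else:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def noisy_clients(text, threshold=3):
    """Client IP -> Counter of status codes, for IPs with at least `threshold` error responses."""
    per_ip = defaultdict(Counter)
    for row in parse_w3c(text):
        per_ip[row["c-ip"]][row["sc-status"]] += 1
    return {ip: c for ip, c in per_ip.items()
            if sum(c[s] for s in ERROR_STATUSES) >= threshold}

def guessed_accounts(text):
    """(ip, user) pairs that got 401s and then a 200: a password guess that worked."""
    failed, succeeded = set(), set()
    for row in parse_w3c(text):
        key = (row["c-ip"], row["cs-username"])
        if row["cs-username"] == "-":     # anonymous request, no account involved
            continue
        if row["sc-status"] == "401":
            failed.add(key)
        elif row["sc-status"] == "200" and key in failed:
            succeeded.add(key)
    return sorted(succeeded)
```

On a real server, feed the concatenated files from the IIS log directory in instead of `SAMPLE_LOG`; an IP that shows up in both functions is the one to check against the Security event log for the matching logon entries.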


