Re: Need help with lockout attack.
From: - AJS (a)
Date: 06/23/03
- Previous message: Hugh Caldwell: "Need help with lockout attack."
- In reply to: Hugh Caldwell: "Need help with lockout attack."
Date: 23 Jun 2003 11:21:32 -0500
hughtwg@netscape.net (Hugh Caldwell) wrote:
>Hello,
>
>My network appears to be being attacked by someone who is locking out
>all the users accounts. A typical entry into the security event log
>reads:
>User Account Locked Out:
> Target Account Name: jdoe
> Target Account ID: J-1-8-21-1333716358-1641543534-689521291-1248
> Caller Machine Name: \\FAMILLE
> Caller User Name: SYSTEM
> Caller Domain: NT AUTHORITY
> Caller Logon ID: (0x0,0x3E7)
>
>The lockouts occurred in alphabetical order and each at about 20 second
>intervals. I've since changed all of the passwords on the network and
>the problem hasn't occurred again. I was hoping I could get some
>information as to how this might have happened and any ideas as to how
>to prevent it in the future. I'm new to network administering (former
>programmer) so any resources you could point me to would be greatly
>appreciated.
Hi Hugh,
Here's the deal. Someone has/had access to your local network. The machine used
was named "\\FAMILLE" (we'll get back to that in a minute).
User names are automatically enumerated to any machine on your network, by
anonymous request, by default. Getting the user list is usually trivial. With
that list of names in hand, someone tried to brute force a password to log into
your domain. They used some downloaded app that probably ran a simple
dictionary attack on all your accounts in turn. If you didn't have lockout
enabled following x failed attempts, they would own you right now.
Here's the thing... they still might.
1st, does that machine exist on your domain? Check your browser list, and see
if you can ping it by name. Did WINS pick it up? Is there a MAC address still in
the ARP cache (in case you catch them ;^)?
Now, go through your user list with a fine tooth comb... Did all accounts lock
out, or was one or more left alone? If so, money says that they got in on the
first account alphabetically that did not lock out.
Next, are all the accounts correct? Look for a new account, something that kind
of looks like it belongs. The first thing you do when you hack a network is
create a couple accounts for yourself.
And finally, find out how they connected. You have the time of the intrusion...
How did they get local access? It is critical to track it down... Night
security w/ a laptop? RAS? Wireless network? This had to be local... An
intrusion via Internet would leave different evidence - even if they breached
your VPN.
If \\FAMILLE is one of your machines, confiscate it right now. Take it off the
network. Give the user something else to work on. And then tear that thing
apart. They may have gotten local access after failing to get Domain access.
And once in the machine, they can set up password sniffers, log your network
traffic, etc., etc. Log into it ONLY off the wire, with the local admin
password. Then check it for new accounts, weird memberships in the local admin
group, etc. Look for known malware... etc. And do not reconnect it to your
network until: 1) You Ghost the entire system to CD for evidence. 2) You are
certain that you can learn nothing more from it. 3) You have completely wiped
and reformatted the system, having first checked for hidden partitions, etc.
Final thought: Because this was local, you have a physical layer threat to
address as well... Check all your hubs/switches for improper connections...
Look for a sniffer, especially if you have any out-of-the-way places - like
repeaters used to extend your wired range. Also, make the rounds and physically
check the keyboard connection to all your workstations. Keyboard loggers are
very cheap and easy to buy. And finally, verify that your server consoles are
physically secure. If I can physically touch your servers, there isn't anything
you can do to keep me out given time, especially on internal, typically
unhardened servers.
You've got a local script kiddie playing around... Track him down and slap him,
hard, before he causes some real trouble for somebody.
Good luck,
- AJS
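As an added example, not part of AJS's reply or the original thread: a short Python script that parses lockout records in the shape Hugh quoted, flags any caller machine whose lockouts run alphabetically at a steady interval (the sweep signature described above), and lists which accounts in a supplied user list the sweep never locked out, the ones AJS says to examine first. The log lines, account names, machine names and timestamps are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample records (not from the thread), flattened one per line
# in the shape of the "User Account Locked Out" entry quoted above.
SAMPLE_LOG = r"""
2003-06-21 02:14:05 User Account Locked Out: Target Account Name: abaker Caller Machine Name: \\FAMILLE
2003-06-21 02:14:26 User Account Locked Out: Target Account Name: cjones Caller Machine Name: \\FAMILLE
2003-06-21 02:14:47 User Account Locked Out: Target Account Name: jdoe Caller Machine Name: \\FAMILLE
2003-06-21 02:15:08 User Account Locked Out: Target Account Name: msmith Caller Machine Name: \\FAMILLE
2003-06-21 09:31:00 User Account Locked Out: Target Account Name: jdoe Caller Machine Name: \\WS-ACCT
"""

LINE_RE = re.compile(r"^(\S+ \S+) User Account Locked Out: Target Account Name: (\S+) "
                     r"Caller Machine Name: (\S+)$")

def parse_lockouts(text):
    """Return a list of (timestamp, account, caller_machine) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events

def find_sweeps(events, min_events=3, tolerance=5):
    """Group lockouts by caller machine; flag runs that are alphabetical and
    evenly spaced (within `tolerance` seconds), i.e. one tool walking a user list."""
    by_caller = {}
    for ts, acct, caller in events:
        by_caller.setdefault(caller, []).append((ts, acct))
    sweeps = {}
    for caller, hits in by_caller.items():
        hits.sort()
        if len(hits) < min_events:
            continue  # a few stray lockouts are not a sweep
        names = [acct for _, acct in hits]
        gaps = [(hits[i + 1][0] - hits[i][0]).total_seconds() for i in range(len(hits) - 1)]
        if names == sorted(names) and max(gaps) - min(gaps) <= tolerance:
            sweeps[caller] = {"accounts": names, "interval_s": sum(gaps) / len(gaps)}
    return sweeps

def skipped_accounts(all_accounts, swept_accounts):
    """Accounts from the domain user list that the sweep never locked out:
    these are the ones to audit first for a successful guess."""
    swept = set(swept_accounts)
    return sorted(a for a in all_accounts if a not in swept)
```

Run `find_sweeps(parse_lockouts(SAMPLE_LOG))` against an export of the real security log and feed the sweep's account list together with the domain user list to `skipped_accounts`.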