Re: outside user able to see list of users/administrators?
From: karl [x y] (jamescagney90210@excite.com)
Date: 07/27/02
From: "karl [x y]" <jamescagney90210@excite.com> Date: Fri, 26 Jul 2002 23:40:06 -0400
"Grant" <grant.klein@ucr.edu> wrote in message
news:190801c234d0$41c42250$36ef2ecf@tkmsftngxa12...
> I was looking over my FTP server log and to my surprise
> someone managed to try and log in with all of the users on
> the machine with administrator rights. How was that little
> feat accomplished-- and more importantly how can I stop it
> from happening again?
Sounds like your machine hasn't been secured. Check out the Windows and IIS
security checklists at [surprise] www.microsoft.com/security as well as
IISlockdown including URLscan.
If you have no firewall and NetBIOS over TCP/IP enabled in your IP settings
and/or Windows networking bound to your internet-facing network interface,
and you have not changed the setting in the registry or Group Policy so that
RestrictAnonymous is set to level 1 [or 2], anyone can connect to the IPC$
share on your computer anonymously and enumerate the login IDs on your
computer. Plus, unless you have used a Windows 2000 Server Resource Kit
utility to change the local administrator ID so that it locks out after x
number of failed login attempts, someone could theoretically guess the
password forever [unless one of your login IDs had an easy to guess
password, in which case they could already have access to your machine].
If these things have not been done, there are probably other vulnerabilities
that may be more concerning, such as failing to install all the Microsoft
security patches for Windows and IIS, leaving you vulnerable to buffer
overruns in IIS. Your IIS logs would hold clues to whether anyone was able
to do this. If the anonymous FTP user has both read and write access to any
folder on your FTP server, then someone may have hidden several gigabytes
worth of cracked software or porn in an FTP folder on your server.
Unfortunately, if you discover that your machine has been compromised, the
only way to be 100% sure that all the backdoors have been removed is to
format and reinstall Windows. Installing a hardware and/or software
firewall [try Sygate software and/or Netgear or IPcop or ClosedBSD for some
low-cost firewalls] and also running fport from www.foundstone.com and/or
pstools especially pslist and psloggedon from www.sysinternals.com and
Languard File Integrity Checker from www.gfi.com [all free] can help you
look for some clues that could indicate a compromise. Additionally, you
could search your IIS server logs for any entry containing % or .EXE that
also has a code 200 or 502 in it [these are suspicious but do not always
indicate a successful intrusion without further investigation]. You may
need to enable IIS logging and/or consider changing the logging to start a
new log monthly instead of daily if your web server does not get a lot of
hits.
Hacking Exposed 3rd edition and Incident Response are two good introductions
to security measures like these and how to fix them... you can get 4 books for
the price of one at http://lcis.booksonline.com
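
The log search suggested in the message above (entries containing % or .EXE that also carry status 200 or 502), as an added example that is not part of the original post. It assumes IIS logging in W3C Extended format with the cs-uri-stem, cs-uri-query and sc-status fields enabled; the function name and the sample log lines are constructed for illustration.

```python
# Constructed sample in W3C Extended log format; every value here is invented.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-07-26 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-07-26 03:12:01 192.0.2.10 GET /default.htm - 200
2002-07-26 03:12:07 192.0.2.10 GET /files/report%20final.htm - 200
2002-07-26 03:12:09 192.0.2.44 GET /scripts/example.exe - 200
2002-07-26 03:12:15 192.0.2.44 GET /scripts/example.exe - 404
2002-07-26 03:13:40 192.0.2.44 GET /downloads/SETUP.EXE - 502
2002-07-26 03:14:02 192.0.2.10 GET /search.asp q=50%25 200
"""

def suspicious_entries(lines):
    """Yield (line_no, status, uri) for requests whose URI contains '%' or
    '.exe' (case-insensitive) and that were answered with 200 or 502."""
    fields = []
    for line_no, line in enumerate(lines, 1):
        line = line.strip()
        if line.startswith("#Fields:"):
            # The column layout is declared in the log and can change mid-file.
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        row = dict(zip(fields, values))
        uri = row.get("cs-uri-stem", "")
        query = row.get("cs-uri-query", "-")
        if query != "-":
            uri += "?" + query
        status = row.get("sc-status", "")
        if status in ("200", "502") and ("%" in uri or ".exe" in uri.lower()):
            yield line_no, status, uri

if __name__ == "__main__":
    for line_no, status, uri in suspicious_entries(SAMPLE_LOG.splitlines()):
        print(f"line {line_no}: status {status} {uri}")
```

The flagged report%20final.htm entry is an ordinary URL-encoded space, which is why hits from this search need further investigation before they are treated as an intrusion.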