Re: security advice (possible hacker activity?)

From: Agustin Chernitsky (agustinchernitskyNOSPAM@hotmail.com)
Date: 12/19/02


From: "Agustin Chernitsky" <agustinchernitskyNOSPAM@hotmail.com>
Date: Wed, 18 Dec 2002 21:03:22 -0300


Hi Lisa,

Thanks for the info.... I test URLScan before installing. I checked the
server for viruses, nothing found...

One question that I have had for a long time is the following: The only way to
login to our server is through FTP, Terminal (only admins), and IIS Auth (web
auth).

Normally, I get these messages in the event log:

Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 12/18/2002
Time: 9:02:33 PM
User: NT AUTHORITY\SYSTEM
Computer: SERVER2
Description:
Account Used for Logon by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Account Name: int111
 Workstation: SERVER2

Still, for some users or login attempts, I get the same audit event (if it
is successful, otherwise I get a failed audit) but with another workstation
name, i.e.:

Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 12/18/2002
Time: 9:02:33 PM
User: NT AUTHORITY\SYSTEM
Computer: SERVER2
Description:
Account Used for Logon by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Account Name: John Doe
 Workstation: JOHNDOEPC

Is this normal? Why do I normally have my server name in the workstation and
sometimes the other user's PC name?

Thanks a lot for your time!

"Lisa Cozzens [MSFT]" <lcozzens@online.microsoft.com> wrote in message
news:Souv0grpCHA.1340@cpmsftngxa09...
> > I will add permissions to TFTP and FTP and many others.... I will also add
> > outgoing rules. I ran an antivirus software and haven't found any virus/
> > trojans. Still, I checked for files for Code RED and nothing yet.
>
> Note that if you install the full-blown IIS Lockdown Tool (instead of just
> URLScan on its own), there is the option to restrict access to system
> utilities. This will add an explicit deny for the IUSR account to TFTP.EXE,
> CMD.EXE, etc. Might save you some time.
>
> As I said before, if you were properly patched at SP3, you were not
> susceptible to Code Red, so you're probably OK.
>
> > I haven't any access denied. The only thing IWAM was trying to use was the
> > DCOM server. Still, I think I will go for a memory problem... Since the
> > majority of the errors were hardware related (cannot read, write, etc).
>
> Did you see my previous post? I suspect the problem was caused by a runaway
> application that chewed up all your available memory. That would be a
> software problem, although you might have some hardware issues as well.
>
> > Well, I did search the logs. Found some attempts, but all 404. My Antivirus
> > soft reports nothing.
>
> The 404's are a good sign -- I'd be a little concerned if you were seeing
> 200's, but if you're seeing 404's, Code Red probably didn't get in.
>
> > Do you think URLScan is completely safe? Will it affect my IIS performance?
>
> I'd highly recommend URLScan. We have a lot of customers using it with no
> problems. As I said before, I'd recommend installing it from the Lockdown
> Tool instead of on its own, as the Lockdown Tool makes a few configuration
> changes to further protect your server.
>
> Hope this helps,
> Lisa
>
> -----
> Please do not send email directly to this alias. This is an online
> account name for newsgroup participation only.
>
> This posting is provided "AS IS" with no warranties, and confers
> no rights. You assume all risk for your use.
>
> © 2002 Microsoft Corporation. All rights reserved.
>
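An added triage script (mine, not from the thread) for the question about the Workstation field: it parses event log exports in the text layout shown above, keeps the Event ID 680 records, separates successful logons whose Workstation is the server itself from those whose Workstation is another machine's name, and counts failed audits per workstation so repeated failures against one account stand out. The sample records are constructed; SAMPLE_EVENTS, parse_events and triage_680 are my names.

```python
import re
from collections import Counter

# Constructed sample in the post's event export layout, trimmed to the fields used.
SAMPLE_EVENTS = """\
Event Type: Success Audit
Event ID: 680
Computer: SERVER2
 Account Name: int111
 Workstation: SERVER2

Event Type: Success Audit
Event ID: 680
Computer: SERVER2
 Account Name: John Doe
 Workstation: JOHNDOEPC

Event Type: Failure Audit
Event ID: 680
Computer: SERVER2
 Account Name: administrator
 Workstation: JOHNDOEPC
"""

FIELD = re.compile(r"^\s*([^:]+):\s*(.*)$")  # 'Key: value', split on the first colon only

def parse_events(text):
    """Split an export into blank-line separated records and keep only Event ID 680."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            m = FIELD.match(line)
            if m:
                rec[m.group(1).strip()] = m.group(2).strip()
        if rec.get("Event ID") == "680":
            records.append(rec)
    return records

def triage_680(records):
    """Return (account, workstation) pairs for successes where the Workstation is not
    the logging Computer, plus a per-workstation count of failed audits."""
    remote, failures = [], Counter()
    for rec in records:
        ws = rec.get("Workstation", "").upper()
        if rec.get("Event Type") == "Failure Audit":
            failures[ws] += 1  # failed attempts grouped by the name the client presented
        elif ws and ws != rec.get("Computer", "").upper():
            remote.append((rec.get("Account Name", ""), ws))
    return remote, failures
```

Run it over a saved Event Viewer text export instead of SAMPLE_EVENTS to list which accounts were authenticated with a workstation name other than the server's and which workstation names produced failures.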