Re: Help attempting to get hacked?

From: Steven L Umbach (n9rou_at_nsattbi.com)
Date: 08/08/03


Date: Fri, 08 Aug 2003 02:26:02 GMT


Hi John. I have been following the thread and have a few questions. You say
you are using a Cisco NAT device that is also doing your VPN, but then you
indicate that you are also using a W2K RRAS VPN? Are you auditing account
logon and logon events for failures, and if so, are you seeing a lot of failed
logons from machines not on your network in the security logs on the domain
controllers and servers sharing resources? The Event IDs you mention are
recording account lockouts, not logon failures, which would give additional
info. If you are using a W2K RRAS server for VPN, make sure file and print
sharing is disabled/uninstalled on the NIC directly connected to the
internet. If your RRAS servers are all W2K, go to Active Directory Users and
Computers and, in the Pre-Windows 2000 Compatible Access built-in group, make
sure that the Everyone group is removed from membership in that group.

You mentioned that this all happened right after a changeover to a W2K
domain controller. Just to rule out multiple issues, first run netdiag on
the domain controller and then dcdiag on it, looking for any errors. Then run
netdiag on a workstation. Make absolutely sure that none of your W2K domain
computers point to an ISP DNS server in their TCP/IP properties - only
domain controllers running DNS - and that the domain controllers point only to
themselves by their configured TCP/IP address.

It would be a good idea to find out exactly how many public addresses you
have connected to the internet and then scan each address for
vulnerabilities. There are many free scanning tools such as SuperScan
available for download. You could also try using Netmon, available on W2K
servers, to capture some network traffic. There will be a lot of entries in
the capture, but you can scan them fairly quickly looking for non-LAN
addresses trying to access ports 139 and 445. --- Steve

"John" <jonashbaugh@hotmail.com> wrote in message
news:em$zooRXDHA.1748@TK2MSFTNGP12.phx.gbl...
> Steve,
>
> All of them are 644 and 642 events. It seems to be when we are running
> the VPN under routing and remoting as when I stop that service none of the
> events are triggered. Did I miss setting something up for the VPN? Thanks in
> advance.
>
> John
> "Steven L Umbach" <sumbach@ameritech.net> wrote in message
> news:pLtYa.1816$Ih1.755091@newssrv26.news.prodigy.com...
> > OK. I went back and looked at your log entry about an account being locked
> > out. I have a question. Are you getting a lot of Event ID's 529 in your
> > security log that indicate unknown user name or password or Event ID's 681
> > that indicate failed domain account logon? They would give us more info.
> > What operating system are the workstations using? Run dcdiag /v on the
> > domain controller looking for any errors. --- Steve
> >
> > "John" <jonashbaugh@hotmail.com> wrote in message
> > news:#xP9pCPXDHA.1748@TK2MSFTNGP12.phx.gbl...
> > > Steven,
> > >
> > > I went to the site http://scan.sygatetech.com/ and the only info it
> > > could get was the public ip. I have also stopped the VPN and FTP (which is on
> > > another computer) and I still get the messages in the security log. Any
> > > ideas on how they are able to get past our router, which is using NAT, and
> > > able to get to this DC?
> > >
> > > John
> > >
> > > "Steven L Umbach" <sumbach@ameritech.net> wrote in message
> > > news:3u8Ya.647$Ih1.538222@newssrv26.news.prodigy.com...
> > > > John. Go to http://scan.sygatetech.com/ and scan from your network. It
> > > > sounds like you may have some vulnerable ports open to the internet - 139,
> > > > 445, or ? If you find that, you need to either get a firewall or check the
> > > > configuration of yours. Double check that file and print sharing is not
> > > > enabled on any of your nics connected directly to the internet. -- Steve
> > > >
> > > > "John" <jonashbaugh@hotmail.com> wrote in message
> > > > news:eisNMZCXDHA.2360@TK2MSFTNGP12.phx.gbl...
> > > > > Hello,
> > > > >
> > > > > We just went from NT 4.0 to win2k and running all current SP and
> > > > > security patches. The users have been getting locked out all of the sudden.
> > > > > I thought it was due to the misconfiguration of the DNS on the DC however I
> > > > > looked at the security event log and found multiple entries like the one
> > > > > below. This machine name is not even on our network. How can I prevent this
> > > > > from happening as it seems someone is trying to get our users' password for
> > > > > access. How are they able to get into our LAN? Could this be generated when
> > > > > someone is trying to get into our FTP? Thanks in advance..
> > > > >
> > > > > John
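Steve's point in the thread is that the 644/642 lockout events only say that an account was locked, while 529 and 681 name the workstation that sent the bad credentials. The script below is an added example, not from this thread or any Microsoft tool; it runs over constructed security-log lines in a simplified key=value form (a real Event Viewer export would need its own parser) and flags workstations that are not in a constructed inventory of domain machines, which is exactly the "machine name is not even on our network" case John describes.

```python
"""Triage constructed W2K security-log lines (sample data, not real logs).

644 = account locked out; 529 = unknown user name or bad password;
681 = failed domain account logon.  Only 529/681 carry the workstation name.
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines; assumption: one event per line in key=value form.
SAMPLE_LOG = """\
EventID=529 User=jsmith Workstation=WS-ACCT01
EventID=529 User=jsmith Workstation=BADHOST
EventID=681 User=jsmith Workstation=BADHOST
EventID=529 User=jsmith Workstation=BADHOST
EventID=644 User=jsmith Workstation=DC1
EventID=529 User=mjones Workstation=WS-ACCT02
EventID=681 User=rlee Workstation=WS-ACCT02
"""

# Constructed inventory of machines that actually belong to the domain.
KNOWN_MACHINES = {"DC1", "WS-ACCT01", "WS-ACCT02"}

LINE_RE = re.compile(r"EventID=(\d+) User=(\S+) Workstation=(\S+)")
FAILED_LOGON_IDS = {"529", "681"}
LOCKOUT_ID = "644"


def triage(log_text, known_machines):
    """Return (lockouts, failures_by_host, unknown_hosts)."""
    lockouts = Counter()                      # user -> number of 644 events
    failures_by_host = defaultdict(Counter)   # workstation -> Counter(user)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected form
        event_id, user, host = m.groups()
        if event_id == LOCKOUT_ID:
            lockouts[user] += 1
        elif event_id in FAILED_LOGON_IDS:
            failures_by_host[host][user] += 1
    # Workstations sending failed logons that are not in the inventory
    unknown_hosts = sorted(h for h in failures_by_host if h not in known_machines)
    return lockouts, dict(failures_by_host), unknown_hosts


if __name__ == "__main__":
    lockouts, by_host, unknown = triage(SAMPLE_LOG, KNOWN_MACHINES)
    print("locked out:", dict(lockouts))
    for host in unknown:
        print(f"failed logons from non-inventory host {host}: {dict(by_host[host])}")
```

A host that appears in the failed-logon counts but not in the inventory is the one to trace back through the RRAS/VPN logs or a capture, rather than chasing the lockout events themselves.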
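For Steve's Netmon suggestion, the filter below is an added example (not from the thread) that does the "non-LAN addresses trying to access ports 139 and 445" check over constructed one-line capture summaries; the `src:port -> dst:port TCP flags` format and the 192.168.1.0/24 LAN range are assumptions to be replaced with the real export format and internal subnets.

```python
"""Count SMB/NetBIOS probes from outside the LAN in constructed capture lines."""
import ipaddress
from collections import Counter

# Constructed sample lines; assumption: "<src>:<sport> -> <dst>:<dport> TCP <flags>"
SAMPLE_CAPTURE = """\
192.168.1.10:1034 -> 192.168.1.5:445 TCP S
203.0.113.7:3420 -> 192.168.1.5:139 TCP S
203.0.113.7:3421 -> 192.168.1.5:445 TCP S
192.168.1.22:1050 -> 192.168.1.5:139 TCP S
198.51.100.9:2001 -> 192.168.1.5:445 TCP S
203.0.113.7:3422 -> 192.168.1.5:80 TCP S
not a capture line
"""

# Constructed LAN ranges; replace with the site's real internal subnets.
LAN_NETS = [ipaddress.ip_network("192.168.1.0/24")]
WATCH_PORTS = {139, 445}  # NetBIOS session and direct-hosted SMB


def parse_line(line):
    """Return (src_ip, dst_ip, dst_port) or None for an unparseable line."""
    try:
        src, _arrow, dst, _proto, *_ = line.split()
        src_ip, _ = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        return ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip), int(dst_port)
    except ValueError:
        return None


def is_lan(addr):
    return any(addr in net for net in LAN_NETS)


def external_smb_probes(capture_text):
    """Count (src_ip, dst_port) pairs where a non-LAN source hits 139/445."""
    hits = Counter()
    for line in capture_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip garbage or header lines
        src_ip, _dst_ip, dst_port = parsed
        if dst_port in WATCH_PORTS and not is_lan(src_ip):
            hits[(str(src_ip), dst_port)] += 1
    return hits


if __name__ == "__main__":
    for (src, port), n in external_smb_probes(SAMPLE_CAPTURE).most_common():
        print(f"{src} -> port {port}: {n} packet(s)")
```

Any source that shows up here with NAT in front of it means the router is forwarding or exposing those ports, which is the firewall/NAT configuration check Steve asks for.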


