Re: Vulnerability exposing user name for the accounts?
From: Amin Mohadjer (no_spam_555_mohadjera_at_yahoo.com)
Date: 08/25/03
- Next message: Joe: "2000 ME patch"
- Previous message: Nimish Katwala: "Windows 2000 Reboots and Reboots "Loop""
- In reply to: Steven L Umbach: "Re: Vulnerability exposing user name for the accounts?"
- Next in thread: Steven Umbach: "Re: Vulnerability exposing user name for the accounts?"
- Reply: Steven Umbach: "Re: Vulnerability exposing user name for the accounts?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 24 Aug 2003 16:42:47 -0700
I do have a LinkSys BEFSR41 router/firewall, sorry for forgetting to
mention it in the original posting. All ports with the exception of
80, 21, and 8080 were blocked (I verified this on www.grc.com).
I checked both FTP and W3C logs and the intrusion attempts didn't come
from there. I did not have the logging enabled for LinkSys so I cannot
say the same for port 8080.
Here is what I got in my event log (hundreds of such entries in a
timespan of 30 seconds, trying all the accounts on my machine):
8/23/2003 9:21:16 AM  Security  Failure Audit  Logon/Logoff  539  NT AUTHORITY\SYSTEM  WEBSERVERONE
"Logon Failure:
Reason: Account locked out
User Name: IUSR_WEBSERVERONE
Domain: NAN
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: NAN"

8/23/2003 9:21:16 AM  Security  Failure Audit  Account Logon  681  NT AUTHORITY\SYSTEM  WEBSERVERONE
The logon to account: IUSR_WEBSERVERONE
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: NAN
failed. The error code was: 3221226036

Again, the intruder only attempted the accounts that existed on my
box, he had somehow obtained a list of them. It wasn't a blind attack.
"Steven L Umbach" <n9rou@comcast.net> wrote in message news:<JWV1b.239472$Ho3.30554@sccrnsc03>...
> Apparently you do not use a firewall or it is misconfigured. Go to
> http://scan.sygatetech.com/ to scan yourself for basic vulnerability to internet
> attacks. These types of attacks generally use ports 139 or 445 which is a well known
> vulnerability when exposed to untrusted networks. I prefer a hardware firewall at the
> perimeter, and there are real firewalls for around $75 these days from the likes of
> Netgear. If you do not want to invest in a hardware firewall, then there are software
> alternatives. --- Steve
>
> http://www.netgear.com/products/prod_details.asp?prodID=140&view=
> http://www.webattack.com/Freeware/security/fwfirewall.shtml
> http://www.microsoft.com/security/articles/4steps.asp
>
> "Amin Mohadjer" <no_spam_555_mohadjera@yahoo.com> wrote in message
> news:835225c4.0308231523.471ebe28@posting.google.com...
> > Last night someone tried to break into my Windows 2000 server by
> > trying all the user accounts. He did not go far as I had the account
> > policy set to locking out on 3 tries but I am puzzled as to how the
> > hacker obtained the user name for accounts since this wasn't a case of
> > blind dictionary attack. He only tried the accounts that existed on
> > the box, no less, no more (IUSR_COMPUTERNAME, IWAM_COMPUTERNAME,
> > guest, administrator).
> >
> > I am concerned. What do you suggest I should do? I ran NAV and it did
> > not find any virus or worm.
> >
> > Has anyone heard of a vulnerability such as this? Right now I am
> > up-to-date on patches but perhaps I caught up with one too late to have
> > closed the door in time.
> >
> > Regards
> > Amin
> >
> > P.S. Please remove no_spam_555_ from the email address if replying
> > directly.
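
Added example, not part of the original thread: a small parser for exported Event 681 text that decodes the decimal error code (3221226036 is 0xC0000234, STATUS_ACCOUNT_LOCKED_OUT) and flags a burst of failures against several accounts from one workstation name. The function names, the thresholds and the sample records (including IWAM_WEBSERVERONE) are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Event 681 prints the NTSTATUS failure code as an unsigned decimal.
NTSTATUS = {0xC0000064: "STATUS_NO_SUCH_USER", 0xC000006A: "STATUS_WRONG_PASSWORD",
            0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT"}  # 0xC0000234 == 3221226036
STAMP = r"\d+/\d+/\d+ \d+:\d+:\d+ [AP]M"
FIELDS = re.compile(r"\b681\b.*?account:\s*(\S+).*?from workstation:\s*(\S+)"
                    r".*?error code was:\s*(\d+)", re.S)

def rec681(sec, account, code):
    """Build one constructed record in the layout of the entry quoted in the post."""
    return (f"8/23/2003 9:21:{sec:02d} AM Security Failure Audit Account Logon 681 "
            f"NT AUTHORITY\\SYSTEM WEBSERVERONE\nThe logon to account: {account}\n"
            "by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\nfrom workstation: NAN\n"
            f"failed. The error code was: {code}\n")

# Constructed sample: four accounts tried within four seconds.
SAMPLE = "".join(rec681(16 + i, a, c) for i, (a, c) in enumerate([
    ("IUSR_WEBSERVERONE", 3221226036), ("IWAM_WEBSERVERONE", 3221225578),
    ("Guest", 3221225578), ("Administrator", 3221225578)]))

def parse(text):
    """Return (time, account, workstation, code) for each Event 681 record."""
    events = []
    for rec in re.split(rf"^(?={STAMP})", text, flags=re.M):
        ts, m = re.match(STAMP, rec), FIELDS.search(rec)
        if ts and m:
            when = datetime.strptime(ts.group(), "%m/%d/%Y %I:%M:%S %p")
            events.append((when, m.group(1), m.group(2), int(m.group(3))))
    return events

def summarize(events, window=timedelta(seconds=30), min_accounts=3):
    """Flag workstations failing against many accounts soon after their first failure."""
    by_src, findings = {}, []
    for ev in sorted(events):
        by_src.setdefault(ev[2], []).append(ev)
    for src, evs in by_src.items():
        burst = [e for e in evs if e[0] - evs[0][0] <= window]
        accounts = sorted({e[1] for e in burst})
        if len(accounts) >= min_accounts:
            # Zero NO_SUCH_USER codes means every name that was tried exists.
            guessed = sum(NTSTATUS.get(e[3]) == "STATUS_NO_SUCH_USER" for e in burst)
            findings.append({"source": src, "accounts": accounts,
                             "codes": sorted({NTSTATUS.get(e[3], hex(e[3])) for e in burst}),
                             "guessed_names": guessed})
    return findings

if __name__ == "__main__":
    print(summarize(parse(SAMPLE)))
```

The workstation name in these events is supplied by the connecting client, so it serves as a grouping key here and not as proof of origin.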