Re: Vulnerability exposing user name for the accounts?

From: Steven Umbach (n9rou_at_comcast.com)
Date: 08/25/03


Date: Mon, 25 Aug 2003 01:58:50 GMT


     The accounts you list are all default accounts on a W2K installation with
the exception of the computer name for the IUSR_ and IWAM_ accounts, but those
accounts are used for anonymous access to web/ftp and the computer name could be
determined from the website address. Possibly someone is trying to gain access to
folders/files through web/ftp access that should not be accessible to anonymous
access because of directory security authentication requirements or ntfs
permissions. If you have the intruder's ip address in your W3C logs, you may want
to add it to the restricted ip address list in directory security/ip address and
domain name restrictions. If you have not done so, I would recommend running the
IIS lockdown tool on your server. You might also want to post on a win2000.IIS
newsgroup. --- Steve

http://www.microsoft.com/windows2000/downloads/recommended/iislockdown/default.asp

"Amin Mohadjer" <no_spam_555_mohadjera@yahoo.com> wrote in message
news:835225c4.0308241542.66a76081@posting.google.com...
> I do have a LinkSys BEFSR41 router/firewall, sorry for forgetting to
> mention it in the original posting. All ports with the exception of
> 80, 21, and 8080 were blocked (I verified this on www.grc.com).
>
> I checked both FTP and W3C logs and the intrusion attempts didn't come
> from there. I did not have the logging enabled for LinkSys so I cannot
> say the same for port 8080.
>
> Here is what I got in my event log (hundreds of such entries in a
> timespan of 30 seconds, trying all the accounts on my machine):
>
> 8/23/2003 9:21:16 AM Security Failure Audit Logon/Logoff 539
> NT AUTHORITY\SYSTEM WEBSERVERONE "Logon Failure:
> Reason: Account locked out
> User Name: IUSR_WEBSERVERONE
> Domain: NAN
> Logon Type: 3
> Logon Process: NtLmSsp
> Authentication Package: NTLM
> Workstation Name: NAN"
>
> 8/23/2003 9:21:16 AM Security Failure Audit Account Logon 681
> NT AUTHORITY\SYSTEM WEBSERVERONE The logon to account: IUSR_WEBSERVERONE
> by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> from workstation: NAN
> failed. The error code was: 3221226036
>
> Again, the intruder only attempted the accounts that existed on my
> box, he had somehow obtained a list of them. It wasn't a blind attack.
>
>
> "Steven L Umbach" <n9rou@comcast.net> wrote in message
> news:<JWV1b.239472$Ho3.30554@sccrnsc03>...
> > Apparently you do not use a firewall or it is misconfigured. Go to
> > http://scan.sygatetech.com/ to scan yourself for basic vulnerability to
> > internet attacks. These types of attacks generally use ports 139 or 445, which
> > is a well-known vulnerability when exposed to untrusted networks. I prefer a
> > hardware firewall at the perimeter, and there are real firewalls for around
> > $75 these days from the likes of Netgear. If you do not want to invest in a
> > hardware firewall, then there are software alternatives. --- Steve
> >
> > http://www.netgear.com/products/prod_details.asp?prodID=140&view=
> > http://www.webattack.com/Freeware/security/fwfirewall.shtml
> > http://www.microsoft.com/security/articles/4steps.asp
> >
> > "Amin Mohadjer" <no_spam_555_mohadjera@yahoo.com> wrote in message
> > news:835225c4.0308231523.471ebe28@posting.google.com...
> > > Last night someone tried to break into my Windows 2000 server by
> > > trying all the user accounts. He did not go far as I had the account
> > > policy set to locking out on 3 tries but I am puzzled as to how the
> > > hacker obtained the user name for accounts since this wasn't a case of
> > > blind dictionary attack. He only tried the accounts that existed on
> > > the box, no less, no more (IUSR_COMPUTERNAME, IWAM_COMPUTERNAME,
> > > guest, administrator).
> > >
> > > I am concerned. What do you suggest I should do? I ran NAV and it did
> > > not find any virus or worm.
> > >
> > > Has anyone heard of a vulnerability such as this? Right now I am
> > > up-to-date on patches but perhaps I caught up with one too late to have
> > > closed the door in time.
> > >
> > > Regards
> > > Amin
> > >
> > > P.S. Please remove no_spam_555_ from the email address if replying
> > > directly.
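As an added illustration (this is not part of the thread and is neither Amin's nor Steve's code): the decimal "error code" in the event 681 entries quoted above is an NTSTATUS value, and the pattern Amin describes is a burst of failures against several existing accounts from one workstation name inside a few seconds. The script below decodes that code and flags such a sweep over a constructed set of log lines in the same layout as the quoted 681 entry. The account names match the post; the extra timestamps, the wrong-password entries and the FILESRV line are made up, and the "three or more distinct accounts within 30 seconds" threshold is an assumption, not anything the thread states.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known NTSTATUS values that appear as the decimal error code of
# event 681 on Windows 2000. 3221226036 from the post is 0xC0000234.
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}


def decode_status(code):
    """Map the decimal error code logged by event 681 to its NTSTATUS name."""
    return NTSTATUS.get(code, "UNKNOWN(0x%08X)" % code)


# One-line form of the 681 record quoted in the thread (timestamp, event id,
# target account, authentication package, source workstation, error code).
EVENT_681 = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) .*?\b681\b.*?"
    r"account: (?P<user>\S+) by: (?P<pkg>\S+) from workstation: (?P<ws>\S+) "
    r"failed\. The error code was: (?P<code>\d+)"
)


def parse_681(line):
    """Return a dict for an event 681 line, or None for any other line."""
    m = EVENT_681.search(line)
    if not m:
        return None
    return {
        "time": datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p"),
        "user": m.group("user"),
        "workstation": m.group("ws"),
        "status": decode_status(int(m.group("code"))),
    }


def find_account_sweeps(lines, window=timedelta(seconds=30), min_accounts=3):
    """Return {workstation: sorted account names} for every source workstation
    that failed logons against at least min_accounts distinct accounts inside
    one time window. Threshold and window are assumptions for this example."""
    by_ws = defaultdict(list)
    for line in lines:
        ev = parse_681(line)
        if ev:
            by_ws[ev["workstation"]].append(ev)
    hits = {}
    for ws, events in by_ws.items():
        events.sort(key=lambda e: e["time"])
        for i, first in enumerate(events):
            seen = {e["user"].lower() for e in events[i:]
                    if e["time"] - first["time"] <= window}
            if len(seen) >= min_accounts:
                hits[ws] = sorted(seen)
                break
    return hits


# Constructed sample log: four accounts from workstation NAN in 15 seconds
# (ending in the lockout quoted in the post) plus one unrelated failure.
_PKG = "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0"
_PREFIX = "Security Failure Audit Account Logon 681 NT AUTHORITY\\SYSTEM WEBSERVERONE"
SAMPLE_LOG = [
    "8/23/2003 9:21:01 AM %s The logon to account: administrator by: %s from workstation: NAN failed. The error code was: 3221225578" % (_PREFIX, _PKG),
    "8/23/2003 9:21:05 AM %s The logon to account: guest by: %s from workstation: NAN failed. The error code was: 3221225578" % (_PREFIX, _PKG),
    "8/23/2003 9:21:10 AM %s The logon to account: IWAM_WEBSERVERONE by: %s from workstation: NAN failed. The error code was: 3221225578" % (_PREFIX, _PKG),
    "8/23/2003 9:21:16 AM %s The logon to account: IUSR_WEBSERVERONE by: %s from workstation: NAN failed. The error code was: 3221226036" % (_PREFIX, _PKG),
    "8/23/2003 9:40:02 AM %s The logon to account: backupop by: %s from workstation: FILESRV failed. The error code was: 3221225578" % (_PREFIX, _PKG),
    "8/23/2003 9:41:00 AM Security Success Audit Logon/Logoff 540 some unrelated line",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        ev = parse_681(line)
        if ev:
            print(ev["time"], ev["workstation"], ev["user"], ev["status"])
    print("sweeps:", find_account_sweeps(SAMPLE_LOG))
```

The sweep detector keys on the workstation name from the 681 record rather than an IP address, because that is all the Windows 2000 security log carries for an NTLM logon; Steve's advice to check the W3C logs is how one would tie the name back to an address if the attempts did come through IIS.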


