Re: Help attempting to get hacked?

From: Mike (sysops_at_arnel.com)
Date: 08/28/03

Date: Thu, 28 Aug 2003 14:40:25 -0700

I am experiencing similar issues with Win98 clients getting locked out and
actually kicked out while they are logged in. A client reboot is required to
allow for a successful "re-logon". Sometimes there is a corresponding 529
event, sometimes not. I just upgraded the PDC to W2K (new box, fresh NT 4.0
install, promotion then upgrade) a week ago and am in mixed mode awaiting
upgrade of the BDC. I am fairly certain I do not have a "hacking" issue as I
am very locked down and do not have RAS clients. I am watching closely as it
looks like the same issue to me. Thanks for everyone's time and help.

Mike
>-----Original Message-----
> Hi John. I have been following the thread and have a few questions. You say
> you are using a Cisco NAT device that is also doing your vpn, but then you
> indicate that you are also using a W2K rras vpn? Are you auditing account
> logon and logon events for failures and if so are you seeing a lot of failed
> logons from machines not on your network in the security logs on the domain
> controllers and servers sharing resources? The Event ID's you mention are
> recording account lockouts - not logon failures which would give additional
> info. If you are using a W2K rras server for vpn, make sure file and print
> sharing is disabled/uninstalled on the nic directly connected to the
> internet. If your rras servers are all W2K, go to Active Directory Users and
> Computers and in the Pre-Windows 2000 Compatible Access built in group make
> sure that the everyone group is removed from membership in that group.
>
> You mentioned that this all happened right after a change over to a W2K
> domain controller. Just to rule out multiple issues, run first netdiag on
> the domain controller and then dcdiag on it looking for any errors. Then run
> netdiag on a workstation. Make absolutely sure that none of your W2K domain
> computers point to an ISP dns server in their tcp/ip properties - only
> domain controllers running dns and that the domain controllers point only to
> themselves by their configured tcp/ip address.
>
> It would be a good idea to find out exactly how many public addresses you
> have connected to the internet and then scan each address for
> vulnerabilities. There are many free scanning tools such as SuperScan
> available for download. You could also try using Netmon available on W2K
> servers to capture some network traffic. There will be a lot of entries in
> the capture, but you can scan them fairly quickly looking for non lan
> addresses trying to access ports 139 and 445. --- Steve
>
> "John" <jonashbaugh@hotmail.com> wrote in message
> news:em$zooRXDHA.1748@TK2MSFTNGP12.phx.gbl...
>> Steve,
>>
>> All of them are 644 and 642 events. It seems to be when we are running
>> the VPN under routing and remoting as when I stop that service none of the
>> events are triggered. Did I miss setting something up for the VPN? Thanks in
>> advance.
>>
>> John
>> "Steven L Umbach" <sumbach@ameritech.net> wrote in message
>> news:pLtYa.1816$Ih1.755091@newssrv26.news.prodigy.com...
>> > OK. I went back and looked at your log entry about an account being locked
>> > out. I have a question. Are you getting a lot of Event ID's 529 in your
>> > security log that indicate unknown user name or password or Event ID's 681
>> > that indicate failed domain account logon? They would give us more info.
>> > What operating system are the workstations using? Run dcdiag /v on the
>> > domain controller looking for any errors. --- Steve
>> >
>> > "John" <jonashbaugh@hotmail.com> wrote in message
>> > news:#xP9pCPXDHA.1748@TK2MSFTNGP12.phx.gbl...
>> > > Steven,
>> > >
>> > > I went to the site http://scan.sygatetech.com/ and the only info it
>> > > could get was the public ip. I have also stopped the VPN and FTP (which is
>> > > on another computer) and I still get the messages in the security log. Any
>> > > ideas on how they are able to get past our router, which is using NAT, and
>> > > able to get to this DC?
>> > >
>> > > John
>> > >
>> > > "Steven L Umbach" <sumbach@ameritech.net> wrote in message
>> > > news:3u8Ya.647$Ih1.538222@newssrv26.news.prodigy.com...
>> > > > John. Go to http://scan.sygatetech.com/ and scan from your network. It
>> > > > sounds like you may have some vulnerable ports open to the internet -
>> > > > 139, 445, or ? If you find that, you need to either get a firewall or check
>> > > > the configuration of yours. Double check that file and print sharing is not
>> > > > enabled on any of your nics connected directly to the internet. -- Steve
>> > > >
>> > > > "John" <jonashbaugh@hotmail.com> wrote in message
>> > > > news:eisNMZCXDHA.2360@TK2MSFTNGP12.phx.gbl...
>> > > > > Hello,
>> > > > >
>> > > > > We just went from NT 4.0 to win2k and are running all current SP and
>> > > > > security patches. The users have been getting locked out all of the sudden.
>> > > > > I thought it was due to the misconfiguration of the DNS on the DC however I
>> > > > > looked at the security event log and found multiple entries like the one
>> > > > > below. This machine name is not even on our network. How can I prevent this
>> > > > > from happening as it seems someone is trying to get our users' password for
>> > > > > access. How are they able to get into our LAN? Could this be generated when
>> > > > > someone is trying to get into our FTP? Thanks in advance.
>> > > > >
>> > > > > John
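Steve's point in the quoted thread is that the 644 lockout events by themselves only say an account was locked; the preceding 529/681 logon-failure events carry the source workstation, which is what tells you whether the attempts come from a LAN host or from a name that is not on your network. The script below is an added example, not code from any post in this thread: it correlates constructed sample security-log records (simplified to tuples; the field layout, host names and account names are assumptions) so that each lockout is tied to the failures and source hosts that led to it.

```python
"""Correlate Windows 2000 security-log lockouts (event 644) with the logon
failures (events 529 / 681) that preceded them, per account, and flag any
failure whose source workstation is not a known LAN host.

All records and host names below are constructed sample data for this
example, not an export from the poster's domain controller."""
from collections import defaultdict

# Constructed: workstation names that belong to the LAN (assumption).
KNOWN_HOSTS = {"WS01", "WS02", "WS03"}

# Constructed sample log, oldest first: (time, event_id, account, workstation)
SAMPLE_LOG = [
    ("14:01", 529, "jsmith", "WS01"),      # bad password from a LAN host
    ("14:02", 529, "jsmith", "WS01"),
    ("14:03", 681, "jsmith", "NOTOURPC"),  # failed domain logon, unknown host
    ("14:03", 681, "jsmith", "NOTOURPC"),
    ("14:04", 681, "jsmith", "NOTOURPC"),
    ("14:04", 644, "jsmith", "DC1"),       # account locked out
    ("14:10", 529, "mjones", "WS02"),      # user mistyping a password
    ("14:11", 529, "mjones", "WS02"),
    ("14:11", 644, "mjones", "DC1"),
]

FAILURE_IDS = {529, 681}   # 529: unknown user/bad password, 681: failed domain logon
LOCKOUT_ID = 644           # user account locked out


def correlate_lockouts(records, known_hosts=KNOWN_HOSTS):
    """For each locked-out account return the failure count, the set of source
    workstations and the subset of those that are not known LAN hosts."""
    pending = defaultdict(lambda: {"failures": 0, "sources": set()})
    result = {}
    for _time, event_id, account, workstation in records:
        if event_id in FAILURE_IDS:
            pending[account]["failures"] += 1
            pending[account]["sources"].add(workstation)
        elif event_id == LOCKOUT_ID:
            # The lockout consumes the failures accumulated for this account.
            info = pending.pop(account, {"failures": 0, "sources": set()})
            info["unknown"] = {h for h in info["sources"] if h not in known_hosts}
            result[account] = info
    return result


def suspicious_lockouts(records, known_hosts=KNOWN_HOSTS):
    """Accounts whose lockout was preceded by failures from a non-LAN host."""
    return sorted(acct for acct, info in correlate_lockouts(records, known_hosts).items()
                  if info["unknown"])


if __name__ == "__main__":
    for acct, info in correlate_lockouts(SAMPLE_LOG).items():
        print(acct, info)
```

A lockout preceded only by failures from known hosts (mjones above) reads as a user mistyping a password, while one with an unknown source (jsmith) is the pattern John describes and is worth tracing further.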