Being hacked...

From: Anne Robynn (annerobynn2000_at_yahoo.com)
Date: 03/17/04


Date: 16 Mar 2004 18:44:34 -0800

For the past week every morning at around the same time we get
attacked twice, a few hours apart. All our accounts are being locked
out. I figured we were under attack, but nothing I have done has kept
this hacker out, nor have the attacks diminished.

I have searched for a solution everywhere including these newsgroups
here at groups.google.

Here's what I've got, and what I've done. I need suggestions on how to
stop these attacks.

What I've got:
1. 3 servers, all Windows 2000, all with Service Pack 4
2. Two are DCs, one is a Citrix server. We are running exchange server
on one of the DCs.
3. I have a PIX firewall, all Netbios ports are closed. Pretty much
only what we need is open. 3389 is open for remote desktop... could
this be the problem?
4. We are running the AD, and force Kerberos authentication
5. account lockout is set at 3 bad logon attempts
6. I have the accounts locked out forever

What I've done:
1. I've installed an event log analyzer to help with event log
analysis and alerts. I have it notify me when lock outs occur, when
anyone accesses what they shouldn't, and when files are being
accessed.
2. I have the event log set large and it doesn't overwrite itself
3. I see 629, 630, 681, you name it I got it.
4. I saw an NTVDM showing up on all the servers, so I disabled NTVDM
usages.
5. During the attacks, I see a machine name appear that is not one of
my own. I can't ping it, pstools can't identify it, I don't know how
to get it off the system.
6. Are we really being attacked twice, or is the directory replicating
the lockouts while we are unlocking, causing both DCs to show locked
out?
7. The guest account is disabled
8. Iwam Iusr, keep getting targeted too, why do I need these?
Exchange? Citrix?
9. I've scanned with LADS to check for alternate data streams.
10. I've scanned for files that shouldn't be there
11. I've disabled any accounts we don't need
12. I changed the admin password just to be sure

I can't turn off the Internet connection. Our work requires it.

I don't know what else to do. How do I keep them off? How do I tell if
they're even there and this isn't just a script running? How do I tell
where the script is and get it off? I don't know what else to lock
down.

Any help will be greatly appreciated.

Thank you,
Anne
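One way to work through the two questions in the post (which workstation is driving the lockouts, and whether "two attacks" are really one lockout reported by both DCs) is to correlate the exported security logs of both DCs. The script below is an added example, not code from the original post or from any tool it mentions. It assumes the security logs were exported to a simple pipe-delimited text format (the rows here are constructed, the host and account names are placeholders), and it uses the Windows 2000 event IDs 681 (NTLM logon failure, which the post already cites) and 644 (user account locked out).

```python
"""Triage an account-lockout storm from exported Windows 2000 security logs.

Added example (not from the original post). Assumes both DCs' security logs
were exported to "time|event_id|reporting_dc|account|source_workstation".
All sample rows, host names and account names below are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed export. 681 = NTLM logon failure, 644 = account locked out.
SAMPLE_LOG = """\
2004-03-16 06:01:02|681|DC1|jsmith|WS-JSMITH
2004-03-16 06:01:03|681|DC1|jsmith|BADHOST
2004-03-16 06:01:03|681|DC1|jsmith|BADHOST
2004-03-16 06:01:04|681|DC1|jsmith|BADHOST
2004-03-16 06:01:04|644|DC1|jsmith|BADHOST
2004-03-16 06:01:06|644|DC2|jsmith|BADHOST
2004-03-16 06:01:05|681|DC1|IUSR_DC1|BADHOST
2004-03-16 06:01:05|681|DC1|IUSR_DC1|BADHOST
2004-03-16 06:01:06|681|DC1|IUSR_DC1|BADHOST
2004-03-16 06:01:06|644|DC1|IUSR_DC1|BADHOST
2004-03-16 09:30:10|681|DC2|jsmith|BADHOST
2004-03-16 09:30:10|681|DC2|jsmith|BADHOST
2004-03-16 09:30:11|681|DC2|jsmith|BADHOST
2004-03-16 09:30:11|644|DC2|jsmith|BADHOST
"""

# Constructed asset inventory: every machine name that is legitimately ours.
KNOWN_HOSTS = {"DC1", "DC2", "CITRIX1", "WS-JSMITH"}
# Lockouts of the same account reported this close together are treated as
# one incident (the second DC reporting the same event), not a second attack.
REPLICATION_WINDOW = timedelta(minutes=5)


def parse_events(text):
    """Parse the pipe-delimited export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, dc, account, ws = line.split("|")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "id": int(eid), "dc": dc, "account": account, "workstation": ws,
        })
    return events


def failures_by_workstation(events):
    """Count bad-password events per source workstation name."""
    return Counter(e["workstation"] for e in events if e["id"] == 681)


def unknown_workstations(events, known=KNOWN_HOSTS):
    """Source workstation names that are not in our inventory."""
    return sorted({e["workstation"] for e in events if e["id"] == 681} - known)


def lockout_incidents(events, window=REPLICATION_WINDOW):
    """Collapse 644 events for one account seen within `window` into one incident.

    Returns {account: [time of each distinct incident]}.
    """
    by_account = defaultdict(list)
    lockouts = sorted((e for e in events if e["id"] == 644), key=lambda e: e["time"])
    for e in lockouts:
        times = by_account[e["account"]]
        if times and e["time"] - times[-1] <= window:
            continue  # same lockout reported again (e.g. by the other DC)
        times.append(e["time"])
    return dict(by_account)


def triage(text):
    """Summarise who is locking out whom, and how many real incidents there were."""
    events = parse_events(text)
    incidents = lockout_incidents(events)
    return {
        "top_sources": failures_by_workstation(events).most_common(3),
        "unknown_sources": unknown_workstations(events),
        "incidents_per_account": {a: len(t) for a, t in incidents.items()},
        "raw_lockout_events": sum(1 for e in events if e["id"] == 644),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed data the unknown name BADHOST accounts for nine failures, four raw 644 events collapse to three incidents (jsmith twice, hours apart, and IUSR_DC1 once), which is the distinction the post is asking about. The window size is a judgement call: set it shorter than the gap between the two daily bursts so that genuinely separate attacks are not merged.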


