Re: Being hacked...
From: Steven L Umbach (sumbach_at_N0spam.ameritech.net)
Date: 03/17/04
- Next message: David Everett [MSFT]: "Re: Security Template Problems"
- Previous message: Steven L Umbach: "Re: How to secure Windows 2000 ICS?"
- In reply to: Anne Robynn: "Being hacked..."
- Next in thread: Anne Robynn: "Re: Being hacked..."
- Reply: Anne Robynn: "Re: Being hacked..."
- Reply: Andrew Mitchell: "Re: Being hacked..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 17 Mar 2004 10:09:10 -0600
You sound a little vague on your firewall protection. Hopefully you are using
a block-all default rule and then allowing only authorized inbound traffic.
I would try to scan your network yourself from the outside or use a self
scan site such as http://scan.sygatetech.com/ if you can not do that right
away. You need to make sure other unneeded ports including port 445 are
closed. The fact that ALL your accounts are locked out tells me that either
someone enumerated your user accounts from the internet, from inside your
network, or possibly they gained access via Remote Desktop to a regular user
account and are now trying to gain a stronger foothold on the network. If
possible restrict access to port 3389 from only authorized public IP
addresses instead of "all". The strange computer you see probably is coming
from the internet, but could possibly [though probably unlikely] be an
internal attack from someone plugging into your network. You may not be able
to ping that computer, but if you check the computer where the log entries
were found then possibly running nbtstat -r or arp -a may show an IP
address, but those entries do not stay in the cache long. Better yet, examine
your firewall logs to see if you can pin down where these attacks are coming
from by comparing entries in the logs to failed logons to your computers
based on correlating times. You may also need to enable auditing of logon
events for at least failures on all of your computers to find out where
these attacks are coming from. You can scan the security logs of multiple
computers using Event Comb from Microsoft. See the links below on where to
get it and tips for tracking down account lockout problems. --- Steve
http://www.microsoft.com/technet/security/guidance/secmod144.mspx
http://www.microsoft.com/downloads/details.aspx?familyid=7af2e69c-91f3-4e63-8629-b999adde0b9e&displaylang=en
"Anne Robynn" <annerobynn2000@yahoo.com> wrote in message
news:55fdd789.0403161844.33d946e4@posting.google.com...
> For the past week every morning at around the same time we get
> attacked twice, a few hours apart. All our accounts are being locked
> out. I figured we were under attack, but nothing I have done has kept
> this hacker out, nor have the attacks diminished.
>
> I have searched for a solution everywhere including these newsgroups
> here at groups.google.
>
> Here's what I've got, and what I've done. I need suggestions on how to
> stop these attacks.
>
> What I've got:
> 1. 3 Servers both windows 2000, all with service pack 4
> 2. Two are DCs, one is a Citrix server. We are running exchange server
> on one of the DCs.
> 3. I have a PIX firewall, all Netbios ports are closed. Pretty much
> only what we need is open. 3389 is open for remote desktop... could
> this be the problem?
> 4. We are running the AD, and force Kerberos authentication
> 5. account lockout is set at 3 bad logon attempts
> 6. I have the accounts locked out forever
>
> What I've done:
> 1. I've installed an event log analyzer to help with event log
> analysis and alerts. I have it notify me when lock outs occur, when
> anyone accesses what they shouldn't, and when files are being
> accessed.
> 2. I have the event log set large and it doesn't overwrite itself
> 3. I see 629, 630, 681, you name it I got it.
> 4. I saw an NTVDM showing up on all the servers, so I disabled NTVDM
> usages.
> 5. During the attacks, I see a machine name appear that is not one of
> my own. I can't ping it, pstools can't identify it, I don't know how
> to get it off the system.
> 6. are we really being attacked twice, or is the directory replicating
> the lock outs while we are unlocking, causing both DC to show locked
> out?
> 7. The guest account is disabled
> 8. Iwam and Iusr keep getting targeted too, why do I need these?
> Exchange? Citrix?
> 9. I've scanned with LADS to check for alternate data streams.
> 10. I've scanned for files that shouldn't be there
> 11. I've disabled any accounts we don't need
> 12. I changed the admin password just to be sure
>
> I can't turn off the Internet connection. Our work requires it.
>
> I don't know what else to do. How do I keep them off? How do I tell if
> they're even there and this isn't just a script running? How do I tell
> where the script is and get it off? I don't know what else to lock
> down.
>
> Any help will be greatly appreciated.
>
> Thank you,
> Anne
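The time correlation Steve suggests, written out as an added example (not code from the thread or from Event Comb): failed-logon audit events from an exported security log are matched against PIX "inbound connection built" syslog lines by timestamp, and logons with no firewall match are reported separately because they point at an internal source or a logging gap. The export layout, the PIX message layout and all addresses are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: exported Windows 2000 security-log events as
# "time | event id | account | workstation" (681 = failed NTLM logon).
SECURITY_LOG = """\
2004-03-16 06:02:11 | 681 | jsmith | WKSTN-UNKNOWN
2004-03-16 06:02:12 | 681 | ajones | WKSTN-UNKNOWN
2004-03-16 06:02:14 | 681 | IWAM_SRV1 | WKSTN-UNKNOWN
2004-03-16 09:15:03 | 681 | bwhite | FINANCE-PC
"""
# Constructed PIX 302013 "Built inbound TCP connection" syslog lines (message
# layout assumed; addresses are RFC 5737 documentation ranges).
FIREWALL_LOG = """\
Mar 16 2004 06:02:09: %PIX-6-302013: Built inbound TCP connection 4471 for outside:203.0.113.7/3301 (203.0.113.7/3301) to inside:192.168.1.10/3389 (192.168.1.10/3389)
Mar 16 2004 06:02:10: %PIX-6-302013: Built inbound TCP connection 4472 for outside:203.0.113.7/3302 (203.0.113.7/3302) to inside:192.168.1.10/3389 (192.168.1.10/3389)
Mar 16 2004 07:40:00: %PIX-6-302013: Built inbound TCP connection 4500 for outside:198.51.100.20/4010 (198.51.100.20/4010) to inside:192.168.1.12/25 (192.168.1.12/25)
"""
FAILED_LOGON_IDS = {"529", "675", "681"}  # bad password, Kerberos pre-auth, NTLM failure
EVENT_RE = re.compile(r"(\S+ \S+) \| (\d+) \| (\S+) \| (\S+)")
PIX_RE = re.compile(r"^(\w{3} \d+ \d{4} \d\d:\d\d:\d\d): %PIX-\d-302013: Built inbound TCP "
                    r"connection \d+ for outside:([\d.]+)/\d+ \([^)]*\) to inside:([\d.]+)/(\d+)")

def parse_events(text):
    """(time, account, workstation) for every failed-logon audit event."""
    out = []
    for m in filter(None, map(EVENT_RE.match, text.splitlines())):
        if m.group(2) in FAILED_LOGON_IDS:
            out.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(3), m.group(4)))
    return out

def parse_pix(text):
    """(time, src_ip, dst_ip, dst_port) for every inbound connection the PIX built."""
    return [(datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S"), m.group(2), m.group(3), int(m.group(4)))
            for m in filter(None, map(PIX_RE.match, text.splitlines()))]

def correlate(events, conns, window=timedelta(seconds=60)):
    """Count failed logons per (src_ip, dst_port) whose connection was built up to
    `window` before the logon. Logons with no firewall match are returned separately:
    they suggest an internal source or a gap in firewall logging."""
    hits, unmatched = Counter(), []
    for ev_time, account, workstation in events:
        sources = {(src, port) for c_time, src, _dst, port in conns
                   if timedelta(0) <= ev_time - c_time <= window}
        if not sources:
            unmatched.append((ev_time, account, workstation))
        for key in sources:
            hits[key] += 1
    return hits, unmatched
```

On the sample data the three 06:02 failures all line up with inbound connections from one external address to port 3389, while the 09:15 failure from FINANCE-PC has no firewall match and needs to be chased on the inside.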