Re: Being hacked...
From: Jeff Cochran (jcochran.nospam_at_naplesgov.com)
Date: 03/17/04
- Next message: robb: "password policy/complexity"
- Previous message: Steve: "Certificate Authority Domain upgrade"
- In reply to: Anne Robynn: "Being hacked..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 17 Mar 2004 17:27:03 GMT
On 16 Mar 2004 18:44:34 -0800, annerobynn2000@yahoo.com (Anne Robynn)
wrote:
>For the past week every morning at around the same time we get
>attacked twice, a few hours apart. All our accounts are being locked
>out. I figured we were under attack, but nothing I have done has kept
>this hacker out, nor have the attacks diminished.
>
>I have searched for a solution everywhere including these newsgroups
>here at groups.google.
>
>Here's what I've got, and what I've done. I need suggestions on how to
>stop these attacks.
>
>What I've got:
>1. 3 Servers both windows 2000, all with service pack 4
>2. Two are DCs, one is a Citrix server. We are running exchange server
>on one of the DCs.
>3. I have a PIX firewall, all Netbios ports are closed. Pretty much
>only what we need is open. 3389 is open for remote desktop... could
>this be the problem?
>4. We are running the AD, and force Kerberos authentication
>5. account lockout is set at 3 bad logon attempts
>6. I have the accounts locked out forever
>
>What I've done:
>1. I've installed an event log analyzer to help with event log
>analysis and alerts. I have it notify me when lock outs occur, when
>anyone accesses what they shouldn't, and when files are being
>accessed.
And does it? Have you enabled auditing?
>2. I have the event log set large and doesn't overwrite itself
>3. I see 629, 630, 681, you name it I got it.
Have you looked at the events for the source?
>4. I saw an NTVDM showing up on all the servers, so I disabled NTVDM
>usages.
>5. During the attacks, I see a machine name appear that is not one of
>my own. I can't ping it, pstools can't identify it, I don't know how
>to get it off the system.
When you look in your firewall logs what do you see?
>6. are we really being attacked twice, or is the directory replicating
>the lock outs while we are unlocking, causing both DC to show locked
>out?
>7. The guest account is disabled
>8. Iwam Iusr, keep getting targeted too, why do I need these?
>Exchange? Citrix?
IIS. Your web server (and Outlook web access if you use it). If you
don't run a web server, then uninstall IIS and remove the accounts.
>9. I've scanned with LADS to check for alternate data streams.
>10. I've scanned for files that shouldn't be there
>11. I've disabled any accounts we don't need
>12. I changed the admin password just to be sure
>
>I can't turn off the Internet connection. Our work requires it.
>
>I don't know what else to do. How do I keep them off? How do I tell if
>they're even there and this isn't just a script running? How do I tell
>where the script is and get it off? I don't know what else to lock
>down.
Might start by enabling auditing on logons and see what shows in the
event log. Looking at your firewall logs might help as well, at least
to show the origin. If it's from a single IP, block that IP in your
firewall.
Jeff
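An added example of the triage Jeff suggests, not code from either poster: it takes a security-log export (the rows here are constructed, and the column layout, host inventory and account names are assumptions), counts Windows 2000 failed-logon events (681) per source workstation, flags sources that are not in your own inventory, and collapses lockout events (644) for the same account seen on different DCs within a few minutes into one incident, to separate a real second attack from replicated lockouts.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample rows: (dc, timestamp, event_id, account, source_workstation, code)
SAMPLE_EVENTS = [
    ("DC1", "2004-03-17 06:01:10", 681, "jsmith", "UNKNOWN-PC", "0xC000006A"),
    ("DC1", "2004-03-17 06:01:11", 681, "jsmith", "UNKNOWN-PC", "0xC000006A"),
    ("DC1", "2004-03-17 06:01:12", 681, "jsmith", "UNKNOWN-PC", "0xC000006A"),
    ("DC1", "2004-03-17 06:01:12", 644, "jsmith", "UNKNOWN-PC", ""),
    ("DC2", "2004-03-17 06:01:40", 644, "jsmith", "UNKNOWN-PC", ""),  # replicated lockout
    ("DC1", "2004-03-17 06:02:05", 681, "IUSR_WEB", "UNKNOWN-PC", "0xC000006A"),
    ("DC1", "2004-03-17 08:15:00", 681, "anne", "WS-ANNE", "0xC000006A"),  # normal typo
    ("DC1", "2004-03-17 08:15:09", 528, "anne", "WS-ANNE", ""),            # then success
]
KNOWN_HOSTS = {"DC1", "DC2", "CITRIX1", "WS-ANNE"}  # assumed machine inventory
FAILED_LOGON, ACCOUNT_LOCKOUT = 681, 644            # Windows 2000 security event IDs

def parse(rows):
    """Turn exported rows into tuples with a real datetime for time arithmetic."""
    return [(dc, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, acct, src, code)
            for dc, ts, eid, acct, src, code in rows]

def failed_logons_by_source(events):
    """681 failures per source workstation: one host failing against many accounts
    is the pattern worth matching against the firewall logs."""
    return Counter(src for _, _, eid, _, src, _ in events if eid == FAILED_LOGON)

def unknown_sources(events, known=KNOWN_HOSTS):
    """Source workstations in failed logons that are not machines you own."""
    return sorted({src for _, _, eid, _, src, _ in events
                   if eid == FAILED_LOGON and src not in known})

def distinct_lockouts(events, window=timedelta(minutes=5)):
    """Merge 644 events for one account that land on different DCs within `window`,
    so a lockout replicated to the second DC is not counted as a second attack."""
    per_account = defaultdict(list)
    for dc, ts, eid, acct, _, _ in events:
        if eid == ACCOUNT_LOCKOUT:
            per_account[acct].append((ts, dc))
    incidents = []
    for acct, hits in per_account.items():
        start = None
        for ts, dc in sorted(hits):
            if start is None or ts - start > window:
                incidents.append((acct, ts))   # new incident
                start = ts
    return incidents

if __name__ == "__main__":
    ev = parse(SAMPLE_EVENTS)
    print(failed_logons_by_source(ev).most_common())
    print("unknown sources:", unknown_sources(ev))
    print("distinct lockouts:", distinct_lockouts(ev))
```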