Re: Multiple Failed Password Change Attempts!
From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 11/07/04
- Previous message: jaks: "Re: Forming new group to create a fully stable and secure windows machine"
- In reply to: a: "Multiple Failed Password Change Attempts!"
- Next in thread: Roger Abell: "Re: Multiple Failed Password Change Attempts!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 07 Nov 2004 04:53:35 GMT
It looks like a hack attack of some sort. Notice that the sequence of
trying different user accounts is the same, which indicates some sort of
scripting/automation. What is interesting is that the administrator account
is not included and non default user accounts are being used which indicates
that the attacker or malware was able to enumerate your user accounts which
can be caused by netbios ports being exposed to the internet. I would go to
a self scan site such as http://scan.sygatetech.com/ to check to see if you
have any vulnerable ports open such as 137/139/139/445. Also make sure that
your Norton scans all emails and is in "auto protect" mode which should warn
you of any scripts being run on your computer. I assume you are also
auditing for "logon events" which can also help detect attacks. It is also
possible that such attacks can come from another infected computer on the
network. I would also get a second opinion as far as viruses/malwares. Trend
Micro has a free tool called Sysclean that uses a pattern file that they
update often. Just download/unzip both to the same folder and run from
there - no need to do an install.
http://www.trendmicro.com/download/dcs.asp -- Sysclean.
http://www.trendmicro.com/download/pattern.asp -- pattern file
Also I would check your computer for rogue processes and startup programs
with some free tools from SysInternals - Process Explorer, TCPView, and
Autoruns that will list processes with associated applications/executable,
port use and associated processes, and startup programs on your computer.
It can be difficult at first to determine if a process is legit or not.
Process Explorer will show which ones are signed from Microsoft - though
they all may not be and the names of the publishers of the other ones which
can help you determine if they are legit or not. The path of the executable
that the process uses can also be helpful in determining what it is used
for. Beware of a process with no publisher name associated with it. There
will be multiple instances of svchost which is normal and you can check the
properties of the process to see what services use it. --- Steve
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml -- Process
Explorer and link to SysInternals.
"a" <a@a.com> wrote in message
news:%23ihLVw%23wEHA.1292@TK2MSFTNGP10.phx.gbl...
> In the last 2 months there have been two occasions on my Windows 2K Pro
> machine in which many multiple change password attempts have been recorded
> in my security log. On both occasions about 50 change password attempts were
> recorded, in rapid succession (1-2 seconds of each other), all against my
> local user accounts, being the guest account (renamed BrendanGuest,
> passworded and disabled) as well as other user accounts. Interestingly the
> PETER user account present on my PC was not targeted at all - note that the
> PETER PC is the ICS host and gateway to the internet in my LAN.
>
> Attached is an example from my security log of what has happened. As you can
> see the change password attempts were done under my user name (I am the PC
> administrator) and using my privileges.
>
>
> What on earth is going on here? Both times these things occurred I was
> offline. I have run almost every security test/scan known to man including
> the Microsoft baseline security analyser to no avail.
>
> My PC specs are as follows:
>
> Win2K Pro SP4 completely up to date with all hotfixes
> ZoneAlarm Pro 4.5.538.001 with auto-clean cache/cookies/temp every day
> Norton Antivirus 2004 Pro completely up to date
> Ad-aware 6, Spyware Blaster, SpyBot with host file locked/various other
> security features completely up to date
> Peerguardian
>
> Can someone enlighten me with this? All help appreciated.
>
>
>
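As an added example that is not part of this thread: a small Python script that does the kind of burst detection Steve suggests auditing for, run over constructed sample lines in the shape of an exported security log (timestamp, event ID, caller account, target account). It groups change-password attempts by the same caller that arrive within a couple of seconds of each other, flags bursts that touch several accounts, and then checks whether the bursts hit the same accounts in the same order, which is the scripting indicator Steve points to. The event ID 627 for "Change Password Attempt", the column layout and the account names are assumptions, not taken from the poster's attached log.

```python
"""Flag scripted password-change bursts in an exported Windows security log.

Added example, not code from the original thread. It assumes a plain-text
export with one record per line: timestamp, event ID, caller, target.
Event ID 627 is assumed to be the Windows 2000 "Change Password Attempt"
audit record. The sample lines below are constructed, not real log data.
"""
from datetime import datetime, timedelta

# Constructed sample: two bursts, each hitting the same accounts in the
# same order, under the same caller, plus one isolated legitimate change.
SAMPLE_LOG = """\
2004-11-05 23:14:02,627,BRENDAN,BrendanGuest
2004-11-05 23:14:03,627,BRENDAN,Alice
2004-11-05 23:14:05,627,BRENDAN,Bob
2004-11-05 23:14:06,627,BRENDAN,Carol
2004-11-05 23:20:10,627,BRENDAN,Brendan
2004-11-06 01:02:00,627,BRENDAN,BrendanGuest
2004-11-06 01:02:01,627,BRENDAN,Alice
2004-11-06 01:02:03,627,BRENDAN,Bob
2004-11-06 01:02:04,627,BRENDAN,Carol
"""

CHANGE_PASSWORD_ATTEMPT = 627          # assumed Win2K audit event ID
MAX_GAP = timedelta(seconds=2)         # "1-2 seconds of each other"
MIN_TARGETS = 3                        # distinct accounts before we care


def parse(text):
    """Turn the export into (timestamp, event_id, caller, target) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, caller, target = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       int(eid), caller, target))
    return events


def find_bursts(events, max_gap=MAX_GAP, min_targets=MIN_TARGETS):
    """Group consecutive change-password attempts by the same caller where
    each attempt follows the previous one within max_gap.  Only groups that
    touch at least min_targets distinct accounts are returned."""
    bursts, current = [], []

    def flush():
        if current and len({e[3] for e in current}) >= min_targets:
            bursts.append(list(current))
        current.clear()

    for ev in sorted(e for e in events if e[1] == CHANGE_PASSWORD_ATTEMPT):
        if current and (ev[2] != current[-1][2]
                        or ev[0] - current[-1][0] > max_gap):
            flush()
        current.append(ev)
    flush()
    return bursts


def same_sequence(bursts):
    """True when every burst hits the same targets in the same order: a
    human trying accounts would not reproduce the order exactly twice."""
    seqs = [tuple(e[3] for e in b) for b in bursts]
    return len(seqs) > 1 and all(s == seqs[0] for s in seqs)


def summarize(text):
    """Convenience wrapper returning what an analyst wants to know."""
    bursts = find_bursts(parse(text))
    return {
        "bursts": len(bursts),
        "callers": sorted({b[0][2] for b in bursts}),
        "targets_per_burst": [len({e[3] for e in b}) for b in bursts],
        "scripted": same_sequence(bursts),
    }


if __name__ == "__main__":
    for b in find_bursts(parse(SAMPLE_LOG)):
        print(b[0][0], b[0][2], "->", [e[3] for e in b])
    print(summarize(SAMPLE_LOG))
```

The isolated 23:20 change of the caller's own password is not reported, because a burst needs several distinct targets within the gap; tighten or loosen MAX_GAP and MIN_TARGETS to match what the real log shows. If the caller column is always the logged-on user, as the poster reports, the question the script cannot answer is what process issued the calls, which is where Process Explorer, TCPView and Autoruns come in.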