Apparent NetBIOS Attack - How Dangerous?

From: Thomas (email_at_isin.my.message.com)
Date: 12/13/04


Date: Sun, 12 Dec 2004 22:29:10 -0300

I have been noticing, after checking Windows 2000's Event Viewer's security
protocol, that some individual (from the Internet) is attempting to log into
our computer. The attempts --fortunately all failed, so far-- start
occurring a few minutes after I establish a PPPoE Internet connection, and
cease after some time. When the attacks begin, they occur for several
minutes, sometimes every two or three seconds, sometimes every 10-60
seconds, sometimes just once or twice.

In the Event Viewer, the alerts look like the following one:

The logon to account: <Local account name here>
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: 0WEWCKG1
failed. The error code was: 3221225578

The error type is 681.

Strangely, the individual basically uses every account available in our
system. That is, if we have the accounts Administrator, Peter, Thomas, Jane,
then the user attempts to log in with one or more of these accounts. How is
it possible that our full account list is known to someone on the Internet?

As the login attempts occur after packets are sent to local port 137
(NetBIOS), I have disabled NetBIOS over TCP/IP, but the login attacks still
won't stop. The user still obtains our account list, and the failed logins
still appear on the Event Viewer security protocol.

What can be done in order to remedy this situation? If the subject discovers
the password for one account, would it be possible for him to eventually
"login" successfully, in spite of NetBIOS over TCP/IP being disabled? In
that instance, how much access does he actually have, and how much damage
can he do? In advance, I appreciate any information you can provide.

Regards,

Thomas
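
As an added example (not part of the original post): a short Python parser for Event 681 descriptions in the layout quoted above. It decodes the decimal error code to its NTSTATUS name (3221225578 is 0xC000006A, STATUS_WRONG_PASSWORD, which is returned for an account name that exists) and flags a source workstation that tries several distinct accounts. The sample events are constructed; the `OFFICE-PC` workstation, the `backup` account and the `min_accounts` threshold are assumptions.

```python
import re
from collections import defaultdict

# NTSTATUS names for codes common in failed-logon events (values from ntstatus.h).
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Matches the Event 681 description layout quoted in the post.
EVENT_681 = re.compile(
    r"The logon to account:\s*(?P<account>.+?)\s*"
    r"by:\s*(?P<package>\S+)\s*"
    r"from workstation:\s*(?P<workstation>\S+)\s*"
    r"failed\. The error code was:\s*(?P<code>\d+)")

def parse_681(text):
    """Return one dict per Event 681 description found in exported log text."""
    events = []
    for m in EVENT_681.finditer(text):
        code = int(m.group("code"))
        events.append({"account": m.group("account"),
                       "workstation": m.group("workstation"),
                       "status": NTSTATUS.get(code, "0x%08X" % code)})
    return events

def summarize(events, min_accounts=3):
    """Group by source workstation; 'sweep' marks a source trying many accounts."""
    grouped = defaultdict(lambda: {"attempts": 0, "accounts": set(), "statuses": set()})
    for e in events:
        g = grouped[e["workstation"]]
        g["attempts"] += 1
        g["accounts"].add(e["account"])
        g["statuses"].add(e["status"])
    return {src: {"attempts": g["attempts"], "accounts": sorted(g["accounts"]),
                  "statuses": sorted(g["statuses"]),
                  "sweep": len(g["accounts"]) >= min_accounts}
            for src, g in grouped.items()}

# Constructed sample: account names and first workstation are taken from the post;
# OFFICE-PC and the "backup" account are made up for contrast.
TEMPLATE = ("The logon to account: {0}\nby: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
            "from workstation: {1}\nfailed. The error code was: {2}\n\n")
SAMPLE = "".join(TEMPLATE.format(*row) for row in [
    ("Administrator", "0WEWCKG1", 3221225578), ("Peter", "0WEWCKG1", 3221225578),
    ("Thomas", "0WEWCKG1", 3221225578), ("Jane", "0WEWCKG1", 3221225578),
    ("backup", "OFFICE-PC", 3221225572)])
```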


