Re: Apparent NetBIOS Attack - How Dangerous?

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 12/13/04


Date: Mon, 13 Dec 2004 03:34:05 GMT

Are you using a firewall such as a personal firewall or a hardware device -
even a cheap NAT router?? If not, then you need one and yes they could
connect if they discovered a user's password if you do not have a properly
configured firewall. Windows 2000 will still use port 445 TCP for file and
print sharing if NBT is disabled. It is trivial to obtain user accounts and
groups info [not passwords] if you are not using a firewall via a null
session. Go to a site such as http://scan.sygatetech.com/ to do a self
scan assessment to see if any vulnerabilities are found. I would also make
sure that your computer is current with critical updates from Windows
Updates and is using a virus scan program that can monitor the computer in
live time, is current with virus definition files [they change almost daily],
and scans all emails. If you have not done so, do a full virus scan on
your computer and also for parasites with AdAware SE as your chance of
infection is high from your description of what is going on. If infections
are found, do not connect to the internet until a firewall is in place and
properly configured. The link below is for free-for-personal-use personal
firewalls such as Zone Alarm, which is fairly easy for novices to configure,
though I always prefer a hardware device such as a NAT router as the first
line of defense. --- Steve

http://www.microsoft.com/athome/security/protect/default.aspx -- Protect
your pc tips.
http://www.snapfiles.com/Freeware/security/fwfirewall.html
http://www.trendmicro.com/download/dcs.asp -- free Sysclean malware
detection and removal tool.
http://www.trendmicro.com/download/pattern.asp -- pattern file for Sysclean
in .zip file.

"Thomas" <email@isin.my.message.com> wrote in message
news:cpira1$hjp$1@ngspool-d02.news.aol.com...
> I have been noticing, after checking Windows 2000's Event Viewer's security
> protocol, that some individual (from the Internet) is attempting to log into
> our computer. The attempts --fortunately all failed, so far-- start
> occurring a few minutes after I establish a PPPoE Internet connection, and
> cease after some time. When the attacks begin, they occur for several
> minutes, sometimes every two or three seconds, sometimes every 10-60
> seconds, sometimes just once or twice.
>
> In the Event Viewer, the alerts look like the following one:
>
> The logon to account: <Local account name here>
> by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> from workstation: 0WEWCKG1
> failed. The error code was: 3221225578
>
> The error type is 681.
>
> Strangely, the individual basically uses every account available in our
> system. That is, if we have the accounts Administrator, Peter, Thomas, Jane,
> then the user attempts to login with one or more of these accounts. How is
> it possible that our full account list is known to someone on the Internet?
>
> As the login attempts occur after packets are sent to local port 137
> (NetBIOS), I have disabled NetBIOS over TCP/IP, but the login attacks still
> won't stop. The user still obtains our account list, and the failed logins
> still appear on the Event Viewer security protocol.
>
> What can be done in order to remedy this situation? If the subject discovers
> the password for one account, would it be possible for him to eventually
> "login" successfully, in spite of NetBIOS over TCP/IP being disabled? In
> that instance, how much access does he actually have, and how much damage
> can he do? In advance, I appreciate any information you can provide.
>
> Regards,
>
> Thomas
>
>
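
An added example, not part of the original thread: a short Python triage script for the Event 681 text quoted above. It decodes the decimal error code into its NTSTATUS name (3221225578 is 0xC000006A, wrong password on an existing account) and lists source workstations that failed against several valid accounts. The sample records and the `min_accounts` threshold are constructed assumptions; the account and workstation names are the ones in the post.

```python
import re
from collections import defaultdict

# NTSTATUS values that Event ID 681 prints as unsigned decimal numbers.
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

EVENT_681 = re.compile(
    r"The logon to account:\s*(?P<account>.+?)\s+"
    r"by:\s*(?P<package>\S+)\s+"
    r"from workstation:\s*(?P<workstation>\S+)\s+"
    r"failed\. The error code was:\s*(?P<code>\d+)"
)

def decode_status(decimal_code):
    """Map the decimal error code to an NTSTATUS name, or hex if unknown."""
    code = int(decimal_code) & 0xFFFFFFFF
    return NTSTATUS.get(code, "0x%08X" % code)

def parse_events(text):
    """Extract account, workstation and decoded status from 681 descriptions."""
    return [{"account": m["account"], "workstation": m["workstation"],
             "status": decode_status(m["code"])}
            for m in EVENT_681.finditer(text)]

def guessing_sources(events, min_accounts=3):
    """Workstations with wrong-password failures on min_accounts+ real accounts."""
    seen = defaultdict(set)
    for e in events:
        # WRONG_PASSWORD means the account exists, i.e. the name was known.
        if e["status"] == "STATUS_WRONG_PASSWORD":
            seen[e["workstation"]].add(e["account"])
    return {ws: sorted(a) for ws, a in seen.items() if len(a) >= min_accounts}

# Constructed sample in the layout shown in the post; EXAMPLEPC is made up.
TEMPLATE = ("The logon to account: {0}\nby: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
            "from workstation: {1}\nfailed. The error code was: {2}\n\n")
SAMPLE = "".join(TEMPLATE.format(*row) for row in [
    ("Administrator", "0WEWCKG1", 3221225578),
    ("Peter", "0WEWCKG1", 3221225578),
    ("Thomas", "0WEWCKG1", 3221225578),
    ("Jane", "0WEWCKG1", 3221225578),
    ("nosuchuser", "EXAMPLEPC", 3221225572),
])

if __name__ == "__main__":
    print(guessing_sources(parse_events(SAMPLE)))
```
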


