Re: Apparent NetBIOS Attack - How Dangerous?

From: Thomas (email_at_isin.my.message.com)
Date: 12/13/04


Date: Mon, 13 Dec 2004 15:53:56 -0300

Thank you for your reply. That the computer may be infected with some sort
of trojan passed my mind. I performed a full system scan for viruses,
trojans, etc. Fortunately, the scan didn't find anything critical.

It seems like I overestimated Windows 2000's default security. I have since
added some IPSec port filters in order to take care of the NetBIOS problem.

Regards,

Thomas

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:N48vd.561658$D%.181906@attbi_s51...
> Are you using a firewall such as a personal firewall or a hardware device -
> even a cheap NAT router?? If not, then you need one and yes they could
> connect if they discovered a user's password if you do not have a properly
> configured firewall. Windows 2000 will still use port 445 TCP for file and
> print sharing if NBT is disabled. It is trivial to obtain user accounts and
> groups info [not passwords] if you are not using a firewall via a null
> session. Go to a site such as http://scan.sygatetech.com/ to do a self
> scan assessment to see if any vulnerabilities are found. I would also make
> sure that your computer is current with critical updates from Windows
> Updates and is using a virus scan program that can monitor the computer in
> live time, is current with virus definition files [they change almost daily],
> and scans all emails. If you have not done so, do a full virus scan on
> your computer and also for parasites with AdAware SE as your chance of
> infection is high from your description of what is going on. If infections
> are found, do not connect to the internet until a firewall is in place and
> properly configured. The link below is for free for personal use personal
> firewalls such as Zone Alarm that is fairly easy for novices to configure
> though I always prefer a hardware device such as a NAT router as the first
> line of defense. --- Steve
>
> http://www.microsoft.com/athome/security/protect/default.aspx -- Protect
> your pc tips.
> http://www.snapfiles.com/Freeware/security/fwfirewall.html
> http://www.trendmicro.com/download/dcs.asp -- free Sysclean malware
> detection and removal tool.
> http://www.trendmicro.com/download/pattern.asp -- pattern file for Sysclean
> in .zip file.
>
> "Thomas" <email@isin.my.message.com> wrote in message
> news:cpira1$hjp$1@ngspool-d02.news.aol.com...
> > I have been noticing, after checking Windows 2000's Event Viewer's security
> > protocol, that some individual (from the Internet) is attempting to log
> > into our computer. The attempts --fortunately all failed, so far-- start
> > occurring a few minutes after I establish a PPPoE Internet connection, and
> > cease after some time. When the attacks begin, they occur for several
> > minutes, sometimes every two or three seconds, sometimes every 10-60
> > seconds, sometimes just once or twice.
> >
> > In the Event Viewer, the alerts look like the following one:
> >
> > The logon to account: <Local account name here>
> > by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> > from workstation: 0WEWCKG1
> > failed. The error code was: 3221225578
> >
> > The error type is 681.
> >
> > Strangely, the individual basically uses every account available in our
> > system. That is, if we have the accounts Administrator, Peter, Thomas,
> > Jane, then the user attempts to login with one or more of these accounts.
> > How is it possible that our full account list is known to someone on the
> > Internet?
> >
> > As the login attempts occur after packets are sent to local port 137
> > (NetBIOS), I have disabled NetBIOS over TCP/IP, but the login attacks
> > still won't stop. The user still obtains our account list, and the failed
> > logins still appear on the Event Viewer security protocol.
> >
> > What can be done in order to remedy this situation? If the subject
> > discovers the password for one account, would it be possible for him to
> > eventually "login" successfully, in spite of NetBIOS over TCP/IP being
> > disabled? In that instance, how much access does he actually have, and how
> > much damage can he do? In advance, I appreciate any information you can
> > provide.
> >
> > Regards,
> >
> > Thomas
> >
> >
>
>
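
Added example, not part of the original posts: the error code 3221225578 in the quoted event 681 is NTSTATUS 0xC000006A (STATUS_WRONG_PASSWORD), meaning the account name existed and only the password was wrong. The Python sketch below parses event 681 descriptions and reports sources that tried several existing accounts; the sample text, the second workstation name `OTHERPC`, the account `guest1` and the `min_accounts` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# NTSTATUS codes that Windows 2000 event 681 records in decimal.
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",   # 3221225578, the code in the post
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

EVENT_681 = re.compile(
    r"The logon to account:\s*(?P<account>\S+)\s+by:\s*\S+\s+"
    r"from workstation:\s*(?P<workstation>\S+)\s+"
    r"failed\. The error code was:\s*(?P<code>\d+)"
)

def parse_681(text):
    """Return one dict per event 681 description found in text."""
    events = []
    for m in EVENT_681.finditer(text):
        code = int(m.group("code"))
        events.append({"account": m.group("account"),
                       "workstation": m.group("workstation"),
                       "status": NTSTATUS.get(code, "0x%08X" % code)})
    return events

def enumerated_sources(events, min_accounts=3):
    """Map workstation -> existing accounts it tried, if min_accounts or more.

    STATUS_WRONG_PASSWORD means the account name exists, so several distinct
    names from one source point to a prior account-list enumeration. The
    workstation name is supplied by the client and can be forged.
    """
    seen = defaultdict(set)
    for e in events:
        if e["status"] == "STATUS_WRONG_PASSWORD":
            seen[e["workstation"]].add(e["account"])
    return {ws: sorted(a) for ws, a in seen.items() if len(a) >= min_accounts}

# Constructed sample: the post's event text with its example account names,
# plus one constructed miss (unknown account, different workstation).
TEMPLATE = ("The logon to account: %s\nby: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
            "from workstation: %s\nfailed. The error code was: %d\n")
SAMPLE = "".join(TEMPLATE % (n, "0WEWCKG1", 3221225578)
                 for n in ("Administrator", "Peter", "Thomas", "Jane"))
SAMPLE += TEMPLATE % ("guest1", "OTHERPC", 3221225572)

if __name__ == "__main__":
    print(enumerated_sources(parse_681(SAMPLE)))
```

A source that only ever produces STATUS_NO_SUCH_USER is guessing names; one that hits STATUS_WRONG_PASSWORD on every local account already has the list, which matches the null-session enumeration described in the reply.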


