Re: Have I been hacked Windows Server 2003?

From: Miha Pihler (mihap-news_at_atlantis.si)
Date: 09/12/04


Date: Sun, 12 Sep 2004 11:45:38 +0200

Hi,

I can't tell you how these files got on your system. Could e.g. one of the
students install a keylogger on one of your systems where you log on with the
administrator password? Even if you somehow restrict installation of keylogger
software, this will still not prevent the use of hardware keyloggers (attached
between the keyboard and the computer).

What I know is that VNC only encrypts the password, but everything else between
your VNC client and the VNC-controlled server is sent in clear text unless you
use it over a VPN.

From the VNC website:

***
Is VNC secure?
The only really secure computer is one without a network. VNC requires a
password when a viewer tries to connect to a server. This password is
encrypted to deter snooping, but the following graphical data, the VNC
protocol, is not. In many ways, VNC is more secure than remote login
programs such as telnet, where the password and the following data are
sent in the clear as ASCII characters. Many people find it perfectly
acceptable to use VNC like this behind a corporate firewall, across a VPN,
or between computers within the home. However, if the computer or network is
connected to the internet, we strongly advise the use of additional
security. See how to make VNC secure using SSH. You might want to know how
to use VNC with a firewall.
***

E.g. a Terminal Services connection uses 128-bit encryption all the time, not
just to send the username and password from the client to the server.

A 9-character-long password is not necessarily secure. Windows 2000 or newer
supports passwords up to 128 characters. Unless you changed this in the registry,
your passwords are still stored as LM hashes. Recently I did an audit of
passwords for a client. We took 450 password hashes (LM hashes) and less
than 6 hours later we had 400 passwords.
Use a pass phrase longer than 14 characters (passwords longer than 14
characters are automatically stored as NTLM hashes only). You could e.g. use the pass
phrase "Only now I really use a secure password!" You could even do it like
this: "0nly now 1 rea11y use a s3cur3 p@55w0rd!" This password is 40
characters long and I don't think it is hard to remember...

You could do some additional tests of your passwords. Download a tool from
the internet called pwdump2 (you can find it with Google). Dump your
password hashes and find the administrator password. Then visit this site
http://lasecwww.epfl.ch/~oechslin/projects/ophcrack/ and paste your current
hash in the box on this site. Click Submit Hash, wait for a moment and
see if your password was secure. (Change your password after you run this
test!)
How to prevent Windows from storing a LAN manager hash of your password in
Active Directory and local SAM databases
http://support.microsoft.com/default.aspx?scid=kb;en-us;299656&Product=winsvr2003

Account Passwords and Policies
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

Mike

"Dominic Maricic" <elmo@goosemoose.com> wrote in message
news:79763cd0.0409112356.4eb6d985@posting.google.com...
> I am running Windows 2k3 with all the updates. I ran a program today
> to find out why I was missing so much space on my hd and found that
> inside c:\system volume\information\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\.new
> are two folders: Yu-Gi-Oh.TELESYNC.Line.Dubbed.German.SVCD-CiNTAX and
> Wie.ein.einziger.Tag.SCREENER.MD.German.VCD-ARMAGEDDON. Inside both of
> these folders are rar files making up both of these cds. The problem
> is I didn't put these there!! I have never seen them before.
>
> One folder is dated 9/4/2004, the other is dated 9/5/2004 (I didn't work
> either day, weekend!), neither folder is shared, nor is anything above
> it. Security shows administrators (only me), creator owner and system
> have access.
>
> I am running ISA Server pretty strictly as well as Norton Corporate
> 9.0 (just updated yesterday from 8.0).
>
> I know that this folder is used as a system restore and I have seen a
> few articles stating that this folder might be used as a network
> recycle bin (is this possible)?
>
> The only thing I can think of is that I am running VNC and Citrix and
> maybe one of them has a security flaw? I believe both are the most
> recent version. My administrator password is not guessable as it is 9
> numbers and letters mixed.
>
> Anyone have any ideas? This is a school network with 5 servers, all
> running Windows 2003. There are over 120 workstations that both
> teachers and students use. I can't think of any way to try and track
> how those files got there.
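As an added illustration (not code from either post, nor from Microsoft), here is the LM-hash preprocessing Mike's 14-character advice rests on, run against a constructed 9-character password standing in for Dominic's and against the pass phrases from the reply. It assumes the default Windows 2000/2003 policy, i.e. the LM hash has not been disabled via the KB article linked above.

```python
"""Why a 9-character Windows password is weaker than it looks: LM hashing
folds case, pads to 14 bytes and hashes two 7-byte halves independently.
Added example; assumes default policy (LM hash storage not disabled)."""

LM_MAX_LEN = 14          # passwords longer than this get no LM hash at all
LM_HALF = 7              # each half becomes an independent 7-byte DES key
LM_ALPHABET = 69         # upper-case letters, digits and printable symbols
NT_ALPHABET = 95         # full printable ASCII, case preserved by the NT hash


def lm_halves(password: str):
    """Return the two 7-byte key halves LM derives from a password, or None
    when Windows stores no LM hash (length > 14). Each half is used as a DES
    key to encrypt the fixed string "KGS!@#$%", so an attacker recovers two
    short fragments separately rather than one 14-character secret."""
    if len(password) > LM_MAX_LEN:
        return None
    # Case is folded to upper and the result is NUL-padded to 14 bytes.
    # (Real LM uses the OEM code page; latin-1 is a close stand-in here.)
    padded = password.upper().encode("latin-1", "replace").ljust(LM_MAX_LEN, b"\x00")
    return padded[:LM_HALF], padded[LM_HALF:]


def lm_work_factor(password: str, alphabet_size: int = LM_ALPHABET) -> int:
    """Candidates an exhaustive search over the LM halves must try (the two
    halves are independent, so the costs add). 0 means no LM hash is stored.
    An all-NUL half costs exactly 1: it is the well-known constant hash of
    the empty string, i.e. a giveaway that the password is 7 chars or less."""
    halves = lm_halves(password)
    if halves is None:
        return 0
    return sum(alphabet_size ** len(half.rstrip(b"\x00")) for half in halves)


def nt_work_factor(password: str, alphabet_size: int = NT_ALPHABET) -> int:
    """Candidates for the same search against the NT hash, which keeps the
    full length and case of the password."""
    return alphabet_size ** len(password)


if __name__ == "__main__":
    # "Passw0rd1" is a constructed 9-character stand-in for the thread's password.
    for pw in ("Passw0rd1", "Only now I really use a secure password!"):
        print(repr(pw), lm_halves(pw), lm_work_factor(pw), nt_work_factor(pw))
```

For the 9-character stand-in the second LM half is only two characters, so roughly 69^7 candidates recover the whole thing; the 40-character phrase has no LM hash and forces the attacker onto 95^40 NT candidates.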
