Re: Been hacked about 4 times now. Wanna be the 5th?



It is hard to say if it is enough. It depends on your tolerance for risk. If
it was my server I would rebuild the operating system from scratch. The big
question is how did this happen in the first place and have you taken steps
to minimize that from happening again. Hopefully the server is not used to
browse the internet, open email, etc. Make sure you check the users on the
computer and the membership of privileged groups and do so on a regular
basis and carefully monitor the security logs. If it was an ftp server it
sounds like there is no firewall being used or it is improperly
configured. --- Steve


"drnope" <no@xxxxxxxxxxx> wrote in message
news:23Yhg.133998$F_3.84441@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Well got my first attack last night, someone put a ftp server on my win2k
server box.
I removed the inherited permissions on the dir he created
I changed all my passwords and stopped remote access..
Is this enough ?

I have service packed and updated this machine to death...



"Tony K" <king-tony2@xxxxxxxxxxxxxxxxxx> wrote in message
news:%23xOJwjqhGHA.1856@xxxxxxxxxxxxxxxxxxxxxxx
Windows Server 2003


I know how they are getting in to my system, I just don't know HOW!!

I have several events in my Security Log that shows ip address from
Queensland Australia, Amsterdam, etc. that have actually logged in. I
know how they are accessing my system and that is through Remote Desktop.
I just don't know HOW they are doing it because all passwords for my
users (which are 2... Administrator and Me) are about 12 characters long
using numbers, letters, and even characters. I know that by leaving RD
port open, I am vulnerable to attacks like this, but I frequently access
my server from remote areas. I have a linksys router between my cable
modem and entire network, but it is irritating to have to enable the
port, do my business, then disable the port all through the web interface
of my router.

My issue now is I cannot delete user "lovy$" and when I attempt, I get
this error.

"The following error occurred while attempting to delete the user lovy:
The user does not belong to this group."

I'm logged in under Admin and yet I cannot delete the user?? What the
f***?

Here are several of the logs. The top half is as recent as 5-30, the
bottom half is last month from a DIFFERENT user. Can anyone determine
HOW they are getting my passwords or how they are accessing my machine
allowing them to create user names?

Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: lovy$
Source Workstation: KINGSERVER2000
Error Code: 0x0


Logon attempt using explicit credentials:
Logged on user:
User Name: KINGSERVER2000$
Domain: KING
Logon ID: (0x0,0x3E7)
Logon GUID: -
User whose credentials were used:
Target User Name: lovy$
Target Domain: KINGSERVER2000
Target Logon GUID: -

Target Server Name: localhost
Target Server Info: localhost
Caller Process ID: 4016
Source Network Address: 221.221.221.37
Source Port: 65033

Successful Logon:
User Name: lovy$
Domain: KINGSERVER2000
Logon ID: (0x0,0x16B29C4)
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: KINGSERVER2000
Logon GUID: -
Caller User Name: KINGSERVER2000$
Caller Domain: KING
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 4016
Transited Services: -
Source Network Address: 221.221.221.37
Source Port: 65033


Special privileges assigned to new logon:
User Name: lovy$
Domain: KINGSERVER2000
Logon ID: (0x0,0x16B29C4)
Privileges: SeTcbPrivilege
SeAssignPrimaryTokenPrivilege
SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege


User Logoff:
User Name: lovy$
Domain: KINGSERVER2000
Logon ID: (0x0,0x16B29C4)
Logon Type: 10


Session reconnected to winstation:
User Name: Administrator
Domain: KINGSERVER2000
Logon ID: (0x0,0xCF9341)
Session Name: RDP-Tcp#15
Client Name: SL
Client Address: 221.221.221.37


User initiated logoff:
User Name: Administrator
Domain: KINGSERVER2000
Logon ID: (0x0,0xcf9341)





******************************************
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: IUSR_KINGSERVER2000
Source Workstation: KINGSERVER2000
Error Code: 0x0


Successful Network Logon:
User Name: IUSR_KINGSERVER2000
Domain: KINGSERVER2000
Logon ID: (0x0,0x16CD7BD)
Logon Type: 8
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: KINGSERVER2000
Logon GUID: -
Caller User Name: NETWORK SERVICE
Caller Domain: NT AUTHORITY
Caller Logon ID: (0x0,0x3E4)
Caller Process ID: 2936
Transited Services: -
Source Network Address: -
Source Port: -



**********************************************
Logon attempt using explicit credentials:
Logged on user:
User Name: KINGSERVER2000$
Domain: KING
Logon ID: (0x0,0x3E7)
Logon GUID: -
User whose credentials were used:
Target User Name: mike
Target Domain: KINGSERVER2000
Target Logon GUID: -

Target Server Name: localhost
Target Server Info: localhost
Caller Process ID: 608
Source Network Address: 221.221.218.61
Source Port: 61953


Successful Logon:
User Name: mike
Domain: KINGSERVER2000
Logon ID: (0x0,0x2FA0BE)
Logon Type: 7
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: KINGSERVER2000
Logon GUID: -
Caller User Name: KINGSERVER2000$
Caller Domain: KING
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 608
Transited Services: -
Source Network Address: 221.221.218.61
Source Port: 61953
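A defender-side check for the pattern in the logs above, written here as an added example (not code from any poster in the thread): it parses Security Log blocks in the pasted layout and flags RemoteInteractive (Logon Type 10) logons from public addresses, plus "$"-suffixed user accounts that are not the machine account. The sample log text is constructed from the fields shown in the thread, and the hostname KINGSERVER2000 is taken from it.

```python
import ipaddress
import re

# Constructed sample in the layout of the Windows Server 2003 Security Log text
# pasted in the thread, trimmed to the fields the checks below use.
SAMPLE_LOG = """Successful Logon:
User Name: lovy$
Logon Type: 10
Source Network Address: 221.221.221.37

Successful Network Logon:
User Name: IUSR_KINGSERVER2000
Logon Type: 8
Source Network Address: -
"""

def parse_events(text):
    # One dict per blank-line-separated event; the first line is the event title.
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        ev = {"event": lines[0].rstrip(":")}
        for line in lines[1:]:
            key, sep, value = line.partition(": ")
            if sep:
                ev[key.strip()] = value.strip()
        events.append(ev)
    return events

def is_external(addr):
    # True for a publicly routable IP; "-" (local logon) and junk give False.
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:
        return False

def flag_event(ev, hostname):
    # Return the reasons this event deserves a look, or [] if none.
    reasons = []
    name = ev.get("User Name", "")
    src = ev.get("Source Network Address", "-")
    # Logon Type 10 is RemoteInteractive (Terminal Services / RDP).
    if ev.get("Logon Type") == "10" and is_external(src):
        reasons.append("RDP logon from external address " + src)
    # Only the computer account normally ends in "$"; "lovy$" borrows that look.
    if name.endswith("$") and name[:-1].upper() != hostname.upper():
        reasons.append("'$'-suffixed account that is not the machine account")
    return reasons
```

Run it over the full pasted log with `[flag_event(ev, "KINGSERVER2000") for ev in parse_events(pasted_text)]`; the IUSR_ and mike entries come back clean, the lovy$ RDP logon does not.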