Re: Been hacked about 4 times now. Wanna be the 5th?
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 15 Jun 2006 23:10:09 -0500
So you mean your firewall blocks all outbound access other than to port 80
from your computer? If that is the case it does not make sense that other
users can logon to your server. I would go to one of the self scan sites
such as http://scan.sygatetech.com/ to see if it shows your firewall is
protecting your network as expected. If possible use a firewall that can
block all outbound access other than those ports you authorize which
probably does not need to be many. Also be sure to run the free Microsoft
Baseline Security Analyzer that can check for basic vulnerabilities
including for IIS. For Windows 2000 you want to use IIS Lockdown/URLScan to
lock down your server. --- Steve
http://www.microsoft.com/technet/security/tools/mbsahome.mspx --- MBSA
"drnope" <no@xxxxxxxxxxx> wrote in message
news:b_Yhg.112301$dW3.104845@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
1. Thank you for looking and replying.
No, no email configured. Did use the browser once to download my virus software;
he did try to put a virus on the machine but the virus software deleted it.
The firewall is in my modem... it's only set to allow a web server,
nothing else.
I do monitor accounts and logs, but never get any type of security log to
view.
It's not a domain controller.
Dave
"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:u9xBslxiGHA.4660@xxxxxxxxxxxxxxxxxxxxxxx
It is hard to say if it is enough. It depends on your tolerance for risk.
If it was my server I would rebuild the operating system from scratch.
The big question is how did this happen in the first place and have you
taken steps to minimize that from happening again. Hopefully the server
is not used to browse the internet, open email, etc. Make sure you check
the users on the computer and the membership of privileged groups and do
so on a regular basis and carefully monitor the security logs. If it was
an FTP server it sounds like there is no firewall being used or it is
improperly configured. --- Steve
"drnope" <no@xxxxxxxxxxx> wrote in message
news:23Yhg.133998$F_3.84441@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Well, got my first attack last night: someone put an FTP server on my
Win2k server box.
I removed the inherited permissions on the dir he created.
I changed all my passwords and stopped remote access.
Is this enough?
I have service packed and updated this machine to death...
"Tony K" <king-tony2@xxxxxxxxxxxxxxxxxx> wrote in message
news:%23xOJwjqhGHA.1856@xxxxxxxxxxxxxxxxxxxxxxx
Windows Server 2003
I know how they are getting in to my system, I just don't know HOW!!
I have several events in my Security Log that shows ip address from
Queensland Australia, Amsterdam, etc. that have actually logged in. I
know how they are accessing my system and that is through Remote
Desktop. I just don't know HOW they are doing it because all passwords
for my users (which are 2... Administrator and Me) are about 12
characters long using numbers, letters, and even characters. I know
that by leaving RD port open, I am vulnerable to attacks like this, but
I frequently access my server from remote areas. I have a linksys
router between my cable modem and entire network, but it is irritating
to have to enable the port, do my business, then disable the port all
through the web interface of my router.
My issue now is I cannot delete user "lovy$" and when I attempt, I get
this error.
"The following error occurred while attempting to delete the user lovy:
The user does not belong to this group."
I'm logged in under Admin and yet I cannot delete the user?? What the
f***?
Here are several of the logs. The top half is as recent as 5-30, the
bottom half is last month from a DIFFERENT user. Can anyone determine
HOW they are getting my passwords or how they are accessing my machine
allowing them to create user names?
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: lovy$
Source Workstation: KINGSERVER2000
Error Code: 0x0
Logon attempt using explicit credentials:
Logged on user:
User Name: KINGSERVER2000$
Domain: KING
Logon ID: (0x0,0x3E7)
Logon GUID: -
User whose credentials were used:
Target User Name: lovy$
Target Domain: KINGSERVER2000
Target Logon GUID: -
Target Server Name: localhost
Target Server Info: localhost
Caller Process ID: 4016
Source Network Address: 221.221.221.37
Source Port: 65033
Successful Logon:
User Name: lovy$
Domain: KINGSERVER2000
Logon ID: (0x0,0x16B29C4)
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: KINGSERVER2000
Logon GUID: -
Caller User Name: KINGSERVER2000$
Caller Domain: KING
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 4016
Transited Services: -
Source Network Address: 221.221.221.37
Source Port: 65033
Special privileges assigned to new logon:
User Name: lovy$
Domain: KINGSERVER2000
Logon ID: (0x0,0x16B29C4)
Privileges: SeTcbPrivilege
SeAssignPrimaryTokenPrivilege
SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
User Logoff:
User Name: lovy$
Domain: KINGSERVER2000
Logon ID: (0x0,0x16B29C4)
Logon Type: 10
Session reconnected to winstation:
User Name: Administrator
Domain: KINGSERVER2000
Logon ID: (0x0,0xCF9341)
Session Name: RDP-Tcp#15
Client Name: SL
Client Address: 221.221.221.37
User initiated logoff:
User Name: Administrator
Domain: KINGSERVER2000
Logon ID: (0x0,0xcf9341)
******************************************
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: IUSR_KINGSERVER2000
Source Workstation: KINGSERVER2000
Error Code: 0x0
Successful Network Logon:
User Name: IUSR_KINGSERVER2000
Domain: KINGSERVER2000
Logon ID: (0x0,0x16CD7BD)
Logon Type: 8
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: KINGSERVER2000
Logon GUID: -
Caller User Name: NETWORK SERVICE
Caller Domain: NT AUTHORITY
Caller Logon ID: (0x0,0x3E4)
Caller Process ID: 2936
Transited Services: -
Source Network Address: -
Source Port: -
**********************************************
Logon attempt using explicit credentials:
Logged on user:
User Name: KINGSERVER2000$
Domain: KING
Logon ID: (0x0,0x3E7)
Logon GUID: -
User whose credentials were used:
Target User Name: mike
Target Domain: KINGSERVER2000
Target Logon GUID: -
Target Server Name: localhost
Target Server Info: localhost
Caller Process ID: 608
Source Network Address: 221.221.218.61
Source Port: 61953
Successful Logon:
User Name: mike
Domain: KINGSERVER2000
Logon ID: (0x0,0x2FA0BE)
Logon Type: 7
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: KINGSERVER2000
Logon GUID: -
Caller User Name: KINGSERVER2000$
Caller Domain: KING
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 608
Transited Services: -
Source Network Address: 221.221.218.61
Source Port: 61953
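The entries Tony K pasted show three things a defender can pull out of a Windows 2000/2003 security-log text export without any extra tooling: interactive RDP logons (Logon Type 10) whose Source Network Address is outside the LAN, an account name ending in "$" that is not the computer account (a convention that keeps a user out of the `net user` listing), and sensitive privileges such as SeTcbPrivilege or SeDebugPrivilege being assigned to such an account at logon. The script below is an added example, not code from the thread or from Microsoft; it parses exports in the exact "Key: value" layout posted above and reports those three indicators. The hostname SRV01, the account tmp$, the addresses and the trusted-network list are all constructed for the sample.

```python
"""Triage a Windows 2000/2003 security-log text export for the patterns in the thread."""
import ipaddress

# Event titles as they appear in the exported entries posted in the thread.
EVENT_TITLES = {
    "Logon attempt by", "Logon attempt using explicit credentials",
    "Successful Logon", "Successful Network Logon",
    "Special privileges assigned to new logon", "User Logoff",
    "Session reconnected to winstation", "User initiated logoff",
}
# Privileges that let a session act as the OS, debug any process or read any file.
SENSITIVE_PRIVS = {"SeTcbPrivilege", "SeDebugPrivilege", "SeLoadDriverPrivilege",
                   "SeTakeOwnershipPrivilege", "SeBackupPrivilege", "SeRestorePrivilege"}
# Built-in identities that legitimately receive those privileges at logon.
SERVICE_IDENTITIES = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}


def parse_events(text):
    """Split an export into (title, fields) pairs.

    A 'Key: value' line whose key is an event title starts a new event, any other
    such line is a field of the current event, and a line with no colon (the
    extra privilege names) is appended to the previous field's value.
    """
    events, last_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"*"}:          # skip blanks and ***** separators
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if sep and key in EVENT_TITLES:
            events.append((key, {"_value": value} if value else {}))
            last_key = None
        elif not events:
            continue                                 # text before the first event
        elif sep:
            events[-1][1][key] = value
            last_key = key
        elif last_key:
            events[-1][1][last_key] += " " + line
    return events


def triage(text, computer_name, trusted_nets=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")):
    """Return the three indicators the posted logs illustrate."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    machine_account = computer_name.upper() + "$"
    hidden, external_rdp, privileged = set(), [], []

    def is_external(addr):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:                           # "-" or "localhost"
            return False
        return not any(ip in n for n in nets)

    for title, f in parse_events(text):
        # 'net user' omits account names ending in '$'; only the computer account should.
        for name in (f.get(k, "") for k in ("User Name", "Target User Name", "Logon account")):
            if name.endswith("$") and name.upper() != machine_account:
                hidden.add(name)
        if title == "Successful Logon" and f.get("Logon Type") == "10" \
                and is_external(f.get("Source Network Address", "-")):
            external_rdp.append((f.get("User Name", "?"), f["Source Network Address"]))
        if title == "Special privileges assigned to new logon":
            user = f.get("User Name", "")
            privs = set(f.get("Privileges", "").split()) & SENSITIVE_PRIVS
            if privs and user.upper() not in SERVICE_IDENTITIES | {machine_account}:
                privileged.append((user, sorted(privs)))
    return {"hidden_accounts": sorted(hidden), "external_rdp": external_rdp, "privileged": privileged}


# Constructed sample in the format of the posted entries (hostname, account and
# addresses are made up; 198.51.100.23 is a documentation address).
SAMPLE_EXPORT = """\
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: tmp$
Error Code: 0x0
Successful Logon:
User Name: tmp$
Domain: SRV01
Logon Type: 10
Logon Process: User32
Source Network Address: 198.51.100.23
Source Port: 65033
Special privileges assigned to new logon:
User Name: tmp$
Domain: SRV01
Privileges: SeTcbPrivilege
SeDebugPrivilege
SeImpersonatePrivilege
******************************************
Successful Logon:
User Name: admin
Domain: SRV01
Logon Type: 10
Source Network Address: 192.168.1.20
Source Port: 50112
Special privileges assigned to new logon:
User Name: SRV01$
Domain: WORKGROUP
Privileges: SeTcbPrivilege
SeLoadDriverPrivilege
Successful Network Logon:
User Name: IUSR_SRV01
Domain: SRV01
Logon Type: 8
Caller User Name: NETWORK SERVICE
Source Network Address: -
"""

if __name__ == "__main__":
    for kind, items in triage(SAMPLE_EXPORT, "SRV01").items():
        print(kind, items)
```

The LAN RDP logon by "admin" and the machine account's own privilege grant are left alone on purpose; the point is to surface only what the thread's logs actually show going wrong, so the report stays readable when pasted over a month of entries. Pass your own computer name and any extra trusted ranges (a remote office, a VPN pool) to `triage`.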
- References:
- Been hacked about 4 times now. Wanna be the 5th?
- From: Tony K
- Re: Been hacked about 4 times now. Wanna be the 5th?
- From: drnope
- Re: Been hacked about 4 times now. Wanna be the 5th?
- From: Steven L Umbach
- Re: Been hacked about 4 times now. Wanna be the 5th?
- From: drnope
- Been hacked about 4 times now. Wanna be the 5th?