Hack Attempt on Windows 2003 AD Native


JJ

Source IPs of machines trying to hack my servers...

80.108.107.98
216.104.175.22
216.60.115.194
65.92.174.189



My servers on the Internet are: 1 DC/Exchange 2003, Sharepoint Portal 2003,
and File Server


Question to you guys...I have a network which I maintain...I review the logs
every other day and noticed that those IPs above were attempting to hack into
my servers which are on the Internet...

All my machines are Windows 2003.

The funny thing is that when I changed the PASSWORD and renamed the
Administrator account (Domain Admin) - next day, from those source address
they were attempting to connect again but using the NEW Admin account I
created!

How are they finding out or enumerating the Admin account username - because
I renamed it?!

Unfortunately...we do not have a firewall...getting it this weekend...but my
question is not about this (I know I need to PUSH for a firewall ASAP).

Herb Martin

The Admin account is a well-known SID and so the renaming
(which we all do anyway) is not really a significant security
step (except against the naive hacker who depends on the name.)

Massimo

Unfortunately...we do not have a firewall...getting it this weekend...but
my question is not about this (I know I need to PUSH for a firewall ASAP).

You could turn on the system firewall in the meantime, can't you?

Massimo

Ryan Hanisco

JJ,

Instead of renaming the Administrator account, you may consider creating
other Admin accounts and disabling the Administrator account. This will
help. Also, run the MBSA against your server. If your guest level access
settings allow for enumeration of usernames, it will tell you as well as how
to change them.

Nothing takes the place of a hardware firewall -- and while I'm a Cisco
Nazi, I'll not start that discussion here as to which I'd suggest. I would
recommend that you use whatever kind of router you have and drop all packets
to and from those IP addresses. You might also want to do a WHOIS against
them to get the owner and whole public IP range and block the entire subnet
owned by that owner to stop them from picking a different source address.

Finally, you want to look at the traffic to make sure that what you are
seeing is not a reply from those IPs. Some viruses, trojans, and spyware
will constantly hit external addresses so you'd see external authentication
requests though initiated from your network.
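Ryan's suggestions (count the probes per source address, and watch which account names they target) can be scripted. The following is an added example, not code from the thread: it parses a few constructed logon-failure lines in a simplified layout (not a verbatim Windows 2003 security-log export), tallies failures per source, and flags sources that tried the old Administrator name and then the renamed account, which is exactly what JJ observed.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified "date,event_id,target_user,source_ip" layout
# (not a verbatim Windows 2003 security-log export). Event ID 529 = logon failure.
SAMPLE_LOG = """\
2005-03-01,529,Administrator,216.104.175.22
2005-03-01,529,Administrator,65.92.174.189
2005-03-01,529,Administrator,216.104.175.22
2005-03-01,528,jjones,192.168.1.20
2005-03-02,529,SrvOps,216.104.175.22
2005-03-02,529,SrvOps,65.92.174.189
2005-03-02,529,Administrator,80.108.107.98
garbage line that should be skipped
"""

LOGON_FAILURE = "529"
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_log(text):
    """Return one dict per well-formed line; malformed lines are dropped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4 or not IPV4.match(parts[3]):
            continue
        date, event_id, user, ip = parts
        events.append({"date": date, "id": event_id, "user": user, "ip": ip})
    return events

def failures_by_source(events):
    """Map source IP -> {target account: failure count}; input for a WHOIS lookup or block list."""
    table = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["id"] == LOGON_FAILURE:
            table[ev["ip"]][ev["user"]] += 1
    return {ip: dict(users) for ip, users in table.items()}

def sources_following_rename(events, old_name, new_name):
    """Sources that failed against old_name and later (or the same day) against new_name:
    they re-discovered the renamed account instead of guessing a fixed name."""
    first_seen = defaultdict(dict)
    for ev in events:
        if ev["id"] == LOGON_FAILURE:
            first_seen[ev["ip"]].setdefault(ev["user"], ev["date"])
    return sorted(ip for ip, seen in first_seen.items()
                  if old_name in seen and new_name in seen and seen[old_name] <= seen[new_name])
```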

Herb Martin

Ryan Hanisco said:
JJ,

Instead of renaming the Administrator account, you may consider creating
other Admin accounts and disabling the Administrator account. This will

How do you disable the built-in Administrator account?

Chad Mahoney

80.108.107.98 -- chello080108107098.27.11.vie.surfer.at
216.104.175.22 -- TierraNet Inc.
216.60.115.194 -- SBC Internet Services - Southwest
65.92.174.189 -- SE-Montreal-ppp344563.sympatico.ca



Above are the registrants of those IP's... BTW how/why do you think they are
hacking? It could be just a trojan trying to propagate from an infected
PC... If you have a firewall then all is good.


hth,

Chad

johnfli

The whois on the addresses:
NetRange: 80.0.0.0 - 80.255.255.255 Amsterdam
NetRange: 216.104.160.0 - 216.104.191.255 TierraNet Inc. (in San Diego, CA)
NetRange: 216.60.115.192 - 216.60.115.223 Texas Book Company (Dewey)
NetRange: 65.92.128.0 - 65.92.223.255 Nexxia HSE NEXHSE7-CA


Block out the entire range.
I use Sonic Wall for my firewall and never have had a successful breach.
(Knock on wood)

Ryan Hanisco

Herb,

You can disable the Administrator account through the ADU&C in Server 2003
just as you would a normal account. In my opinion, this should be done as
part of the standard build on any server or domain -- just make sure you
have a surrogate with all permissions before you disable it.

You can also use the following article to get back into your Administrator
account once it has been disabled:
http://support.microsoft.com/default.aspx?scid=kb;en-us;814777

stuartm

The admin account's SID always ends with 500 so it's easy to spot. There
is also a registry key which can be set which prevents enumerating the
SID, but I can't find it at the moment - perhaps someone else could post it?

S.

Herb Martin

stuartm said:
The admin account's SID always ends with 500 so it's easy to spot. There
is also a registry key which can be set which prevents enumerating the
SID, but I can't find it at the moment - perhaps someone else could post
it?

But the key (problem here) is that the SID of the Admin account
is always the same -- i.e., well known, so that the hacker just
crafts packets (using some tool most likely so he doesn't even
have to really know how to do this) with the Admin SID rather
than the name. -- This is my understanding but I haven't looked
at such code.

The (presumed) reason the Admin SID is always the same is
so that if you install another copy of the OS on the same machine,
the "Admin" (whichever Admin, machine OS1 or OS2 etc) will
have the same access to the files there.

stuartm

The administrator SID is not always the same but it always ends with
"500". It also always starts with "S-1-5-21-" but it's easier to spot by
the last three digits.

Utilities like PsGetSid from Sysinternals' PsTools
(www.sysinternals.com) can easily retrieve the SID for any user on the
system and there are other utilities out there which can map SIDs to
user accounts.

You can prevent anonymous users being able to run these tools by
enabling the "RestrictAnonymous" key in
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa". At least only
authenticated users will be able to get the SIDs.

S.
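To make stuartm's point concrete, here is an added example (not code from the thread) that parses a domain account SID, extracts the relative identifier, and maps well-known RIDs to their roles, so a constructed inventory of (name, SID) pairs reveals the built-in Administrator whatever it is currently called. The domain SID in the sample is made up; comparing the RID as a number (rather than "the last three digits") also avoids mistaking an ordinary RID such as 1500 for the built-in account.

```python
import re

# Well-known relative identifiers (RIDs) under a domain SID S-1-5-21-<domain part>.
WELL_KNOWN_RIDS = {
    500: "built-in Administrator",
    501: "built-in Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
}

SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")

def parse_domain_sid(sid):
    """Split a domain account SID into ((a, b, c), rid); None if it is not an S-1-5-21 SID."""
    m = SID_RE.match(sid)
    if not m:
        return None
    a, b, c, rid = (int(x) for x in m.groups())
    return (a, b, c), rid

def classify(sid):
    """Return the well-known role for a SID, or 'ordinary account' for other RIDs."""
    parsed = parse_domain_sid(sid)
    if parsed is None:
        return "not a domain account SID"
    _, rid = parsed
    return WELL_KNOWN_RIDS.get(rid, "ordinary account")

def find_builtin_admins(inventory):
    """Given (name, SID) pairs, return the names whose RID is 500, regardless of the name."""
    return [name for name, sid in inventory if classify(sid) == "built-in Administrator"]

# Constructed inventory: the real Administrator was renamed to 'SrvOps', and an
# ordinary account was given the name 'Administrator' as a decoy.
SAMPLE_INVENTORY = [
    ("SrvOps", "S-1-5-21-1004336348-1177238915-682003330-500"),
    ("Guest", "S-1-5-21-1004336348-1177238915-682003330-501"),
    ("jjones", "S-1-5-21-1004336348-1177238915-682003330-1105"),
    ("Administrator", "S-1-5-21-1004336348-1177238915-682003330-1120"),
]
```

Anyone who can obtain SIDs (anonymously, unless RestrictAnonymous is set) gets the same answer this function gives, which is why the rename alone buys little.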

Leythos

Unfortunately...we do not have a firewall...getting it this weekend...but my
question is not about this (I know I need to PUSH for a firewall ASAP).

Even a cheap router with NAT would have saved you. While you should have
a firewall, a NAT device will allow you to access the system remotely
and still provide public services - assuming you don't forward all ports
from public to private.

If you get a firewall, make sure it's a firewall and not some simple NAT
device.

You can also build subnet block lists - I block a large portion of Asia,
France, and other countries because of the probes and attacks.

Massimo

Unfortunately...we do not have a firewall...getting it this weekend...but
my question is not about this (I know I need to PUSH for a firewall ASAP).

By the way, what's a domain controller doing with a public IP address?
It really shouldn't be there (and having Exchange running on a DC is also to
be avoided, you'll have to wait a lot of time if you ever need to reboot
it).

Massimo

Andrei Ungureanu

Have you tried to implement an account lockout policy? I think it will help
you in this case. Be very careful if you want to disable the Administrator
account as this account has a special property; you can log on with it from
a domain controller even if the account is locked out. If you create another
admin account and somebody else finds it, he can pretty easily lock it
out.

Get a firewall quickly ... and get rid of the public IP address from the DC.
If you are using the DC for some sort of NAT server ... then change it with
an XP workstation (until you'll get a firewall)... it's better than exposing
your AD to the public internet.


HTH

Leythos

and having Exchange running on a DC is also to
be avoided, you'll have to wait a lot of time if you ever need to reboot

That's not entirely true - Windows 2000/Exchange 2000, single CPU, 70
users, reboots almost as fast as the non-exchange system when needed.
I've never had a server/exchange that hangs like some people mention.

Herb Martin

I have seen the slow reboots (shutdowns really) under certain
versions of Exchange but they are easily avoided (after the
first frustrating occurrence) by just explicitly stopping the services
with a simple batch file performing the necessary Net Stop commands.

stuartm

Ahh - you are talking about the 10 minute shutdown problem/feature in
Exchange 2003. I have seen this on every Exch2k3 implementation that is
running on a DC. This happens quite often with smaller businesses that
can't afford a second server to run Exchange on.

Quote from "http://support.microsoft.com/default.aspx?scid=kb;en-us;875427"

"You may experience slow shutdown times on a domain controller that is
running Exchange. In some scenarios, the domain controller may take 10
minutes or more to shut down. This behavior occurs because the Lsass.exe
service shuts down before the Exchange-related services shut down.
(Lsass.exe is an Active Directory service.) Therefore, the DSAccess
component times out many times before it shuts down.(The DSAccess
component is an Exchange component.) To work around this issue, manually
stop the Exchange-related services before you shut down or restart the
domain controller. Specifically, shut down the information store service
before you restart the domain controller that is running Exchange."


S.

Massimo

That's not entirely true - Windows 2000/Exchange 2000, single CPU, 70
users, reboots almost as fast as the non-exchange system when needed.
I've never had a server/exchange that hangs like some people mention.

Are there other DCs in your network?

Massimo

Guest

We have 4 Exchange 2000 servers that are also DCs and a clustered Exchange
2000 server which is a DC and never had a problem like the one you've described.
We upgraded them to Windows 2003 Ent Ed about 3 months ago and still no
issues. All running well.
Worldwide we have over 100 Exchange servers, a significant number of them
are also DCs and no adverse effects to speak of.
Mainly where they are combined, it's not a cost issue but one of space and
convenience.