Hack Attempt on Windows 2003 AD Native

Guest

JJ said:
Source IPs of machines trying to hack my servers...

80.108.107.98
216.104.175.22
216.60.115.194
65.92.174.189

My servers on the Internet are: 1 DC/Exchange 2003, Sharepoint Portal 2003,
and File Server

Question to you guys...I have a network which I maintain...I review the logs
every other day and noticed that those IPs above were attempting to hack into
my servers which are on the Internet...

All my machines are Windows 2003.

The funny thing is that when I changed the PASSWORD and renamed the
Administrator account (Domain Admin) - next day, from those source address
they were attempting to connect again but using the NEW Admin account I
created!

How are they finding out or enumerating the Admin account username - because
I renamed it?!

Unfortunately...we do not have a firewall...getting it this weekend...but my
question is not about this (I know I need to PUSH for a firewall ASAP).

You could also create an IPSec policy on your domain controller and block
all traffic from the suspect IP addresses. This is something that, until
you do have a firewall, would help.
 
Pablo E. Colazurdo

They may be using LDAP queries ... you should create IPSec policies in the
meantime.

P.
 
Guido G

btw, rgd. the question "how do the hackers find my renamed Admin account":
they don't care about the name - they simply go by SID, as the default
administrator account of any Windows machine (includes DCs) has a "well known
SID" (ends with 500).

You could help yourself some more if you run Windows Server 2003 - here you
can _disable_ the default Admin account (not possible in Win2000 or NT4).
Naturally, before you do this, you'll want to create a new Admin account and
name it to whatever suits you. You might also want to create a new
"Administrator" account without admin rights (simple user with a complex
password) - this way you can keep monitoring hack-attempts at the
Administrator account (hackers will still use the name, if the SID doesn't
work...)

/Guido
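A defender-side audit of the two recommendations above, added here as an example and not taken from this thread: it locates the RID-500 account by SID rather than by name, checks that any decoy named "Administrator" holds no Domain Admins membership, and groups failed logons against the decoy by source address. It assumes the ActiveDirectory RSAT module on a domain-joined admin host and a domain controller on Windows Server 2008 or later (failed logons are event 4625 there; the thread's 2003 servers logged them as event 529).

```powershell
# Added audit example (not from the thread). Assumes the ActiveDirectory RSAT
# module on a modern, domain-joined admin host; run with domain admin rights.
Import-Module ActiveDirectory

function Get-BuiltinAdminStatus {
    # The built-in Administrator is always <DomainSID>-500, whatever it is named,
    # so the audit resolves it by SID exactly as the post says attackers do.
    $domain  = Get-ADDomain
    $rid500  = "$($domain.DomainSID.Value)-500"
    $builtin = Get-ADUser -Identity $rid500 -Properties Enabled, LastLogonDate

    # A decoy that merely carries the name "Administrator" must hold no
    # privileged membership; compare SIDs against Domain Admins (recursive).
    $decoy = Get-ADUser -Filter "SamAccountName -eq 'Administrator'"
    $domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
                    ForEach-Object { $_.SID.Value }

    [pscustomobject]@{
        Rid500Name      = $builtin.SamAccountName
        Rid500Enabled   = $builtin.Enabled            # expect $false after hardening
        Rid500Renamed   = ($builtin.SamAccountName -ne 'Administrator')
        Rid500LastLogon = $builtin.LastLogonDate
        DecoyExists     = ($null -ne $decoy)
        DecoyIsRid500   = [bool]($decoy -and $decoy.SID.Value -eq $rid500)
        DecoyPrivileged = [bool]($decoy -and ($domainAdmins -contains $decoy.SID.Value))
    }
}

function Get-DecoyLogonFailures {
    # Event 4625 (Windows Server 2008+) is a failed logon. Attempts against the
    # decoy name, grouped by source IP, give the same "who is knocking" list the
    # original poster pulled from the logs by hand.
    param([string]$Name = 'Administrator', [int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            $user = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            $ip   = ($data | Where-Object Name -eq 'IpAddress').'#text'
            if ($user -eq $Name) { $ip }
        } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object @{ n = 'SourceIP'; e = { $_.Name } }, Count
}

Get-BuiltinAdminStatus | Format-List
Get-DecoyLogonFailures -Hours 48 | Format-Table -AutoSize
```

Run the second function on the domain controller itself (or add -ComputerName to Get-WinEvent); a result of DecoyPrivileged = True or Rid500Enabled = True means the hardening the post describes is not yet in place.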
 
DM

You probably already figured this, but you might want to make sure you run
virus scan software currently and after the firewall or IPSec policy is
implemented to make sure there isn't malicious software on there as well. I
was in a similar circumstance with my co-location server and it was
infected within 3 days.

-DM
 