Help attempting to get hacked?

[John]

Hello,

We just went for NT 4.0 to win2k and running all current SP and
security patches. The users have been getting locked out all of the sudden.
I thought it was due to the misconfiguration of the DNS on the DC however I
looked at the security event log and found multiple entries like the one
below. This machine name is not even on our network. How can I prevent this
from happening as it seems someone is trying to get our users password for
access. How are they able to get into our LAN? Could this be generated when
someone is trying to get into our FTP? Thanks in advance..

John

 

[Terese]

You said "like below" ... did you forget to attach something?

 

[Steven L Umbach]

John. Go to http://scan.sygatetech.com/ and scan from your network. It
sounds like you may have some vulnerable ports open to the internet - 139,
445, or ? If you find that, you need to either get a firewall or check the
configuration of yours. Double check that file and print sharing is not
enabled on any of your nics connected directly to the internet. -- Steve

 

[Karl Levinson [x y] mvp]

Do you have a firewall? If you don't, then anyone can lock out your users
and start guessing passwords from the internet.

You can't get the IP address of the machine without a third party product
such as a firewall or sniffer. There are even free ones:

http://securityadmin.info/faq.htm#firewall
http://securityadmin.info/faq.htm#sniffer

I recommend using some of the software above to see what is going on, from
where. If you do have a firewall, a compromised roaming laptop, remote user
or VPN connection could be other sources.

 

[John]

WE are behind a Cisco router using NAT so I am confused on how they can even
get to the computer. It does host the VPN but I see people trying to trying
users names now (by looking at the event log) and there is no connections
being showed in the VPN. We have the latest updates so I am concerned on how
someone could even get our user names to try....

Do you have a firewall? If you don't, then anyone can lock out your users
and start guessing passwords from the internet.

You can't get the IP address of the machine without a third party product
such as a firewall or sniffer. There are even free ones:

http://securityadmin.info/faq.htm#firewall
http://securityadmin.info/faq.htm#sniffer

I recommend using some of the software above to see what is going on, from
where. If you do have a firewall, a compromised roaming laptop, remote user
or VPN connection could be other sources.

Hello,

We just went for NT 4.0 to win2k and running all current SP and
security patches. The users have been getting locked out all of the sudden.
I thought it was due to the misconfiguration of the DNS on the DC

however

I
looked at the security event log and found multiple entries like the one
below. This machine name is not even on our network. How can I prevent this
from happening as it seems someone is trying to get our users password for
access. How are they able to get into our LAN? Could this be generated when
someone is trying to get into our FTP? Thanks in advance..

John

 

[John]

Steven,

I went to the site http://scan.sygatetech.com/ and the only info it
could get was the public ip. I have also stopped the VPN and FTP(which is on
another computer) and I still get the messages in the security log. Any
ideas on how they are able to get past our router, which is using NAT, and
able to get to this DC?

John

 

[Steven L Umbach]

OK. I went back and looked at your log entry about an account being locked
out. I have a question. Are you getting a lot of Event ID's 529 in your
security log that indicate unkown user name or password or Event ID's 681
that indicate failed domain account logon? They would give us more info.
What operating system are the workstations using? Run dcdiag /v on the
domain controller looking for any errors. --- Steve

 

[Karl Levinson [x y] mvp]

Then you install a sniffer or firewall on the local host doing the
authentication [e.g. I would think this would be every domain controller]
and correlate the firewall log entries with the windows security log entries
to determine the IP address where these are coming from. That then helps
you determine where they're from.

A sniffer might be safer for domain controllers, as you dont want to do
packet filtering willy nilly on your DC, and I once had Sygate screw up a
domain controller and I had to remove the registry entries for the IP stack
after rebooting into Directory Services recovery mode, very scary stuff to
go through. Or, if you want to be really safe, put an inexpensive hardware
firewall device like www.linksys.com or www.netgear.com starting around $75
in front of the DC and use syslog such as the free www.kiwisyslog.com to
capture the logs from the firewall. Probably not as good as a sniffer as
the logs from an entry level linksys are very basic and hard to decipher on
a busy DC, and you might need one for each DC to do it right, but on the
other hand, this shouldn't require installing new software on your DC.

WE are behind a Cisco router using NAT so I am confused on how they can even
get to the computer. It does host the VPN but I see people trying to trying
users names now (by looking at the event log) and there is no connections
being showed in the VPN. We have the latest updates so I am concerned on how
someone could even get our user names to try....

Do you have a firewall? If you don't, then anyone can lock out your users
and start guessing passwords from the internet.

You can't get the IP address of the machine without a third party product
such as a firewall or sniffer. There are even free ones:

http://securityadmin.info/faq.htm#firewall
http://securityadmin.info/faq.htm#sniffer

I recommend using some of the software above to see what is going on, from
where. If you do have a firewall, a compromised roaming laptop, remote user
or VPN connection could be other sources.

Hello,

We just went for NT 4.0 to win2k and running all current SP and
security patches. The users have been getting locked out all of the sudden.
I thought it was due to the misconfiguration of the DNS on the DC

however

I
looked at the security event log and found multiple entries like the one
below. This machine name is not even on our network. How can I prevent this
from happening as it seems someone is trying to get our users password for
access. How are they able to get into our LAN? Could this be generated when
someone is trying to get into our FTP? Thanks in advance..

John

 

[John]

Steve,

All of them are 644 and 642 events. It seems to be when we are running
the VPN under routing and remoting as when I stop that service none of the
events are triggered. Did I miss setting something up for the VPN? Thanks in
advance.

John

 

[Steven L Umbach]

Hi John. I have been follwing the thread and have a few questions. You say
you are using a Cisco NAT device that is also doing your vpn, but the you
indicate that you are also using a W2K rras vpn? Are you auditing account
logon and logon events for failuers and if so are you seeing a lot of failed
logons from machines not on your network in the security logs on the domain
controllers and servers sharing resources? The Event ID's you mention are
recording account lockouts - not logon failures which would give additional
info. If you are using a W2K rras server for vpn, make sure file and print
sharing is disabled/uninstalled on the nic directly connected to the
internet. If your rras servers are all W2K, go to Active Directory Users and
Computers and in the Pre -Windows 2000 Compatible Access built in group make
sure that the everyone group is removed from membership in that group.

You mentioned that this all happened right after a change over to a W2K
domain controller. Just to rule out multiple issues, run first netdiag on
the domain controller and then dcdiag on it looking for any errors. Then run
netdiag on a workstation. Make absolute sure that none of your W2K domain
computers point to an ISP dns server in their tcp/ip properties - only
domain controllers running dns and that the domain controllers point only to
themselves by their configured tcp/ip address.

Itr would be a good idea to find out exactly how many public address you
have connected to the internet and then scan each address for
vulnerabilities. There are may free scanning tools such as Supercan
available for download. You could also try using Netmon available on W2K
servers to capture some network traffic. There will be a lot of entires in
the capture, but you can scan them fairly quickly looking for non lan
addresses trying to access ports 139 and 445. --- Steve