Vulnerability exposing user name for the accounts?

[Amin Mohadjer]

Last night someone tried to break into my Windows 2000 server by
trying all the user accounts. He did not go far as I had the account
policy set to locking out on 3 tries but I am puzzled as to how the
hacker obtained the user name for accounts since this wasn't a case of
blind dictionary attack. He only tried the accounts that existed on
the box, no less, no more (IUSR_COMPUTERNAME, IWAM_COMPUTERNAME,
guest, administrator).

I am concerned. What do you suggest I should do? I ran NAV and it did
not find any virus or worm.

Has anyone heard of a vulnerability such as this? Right now I am
up-to-date on patches but perhaps I caught up with one too late to had
closed the door in time.

Regards
Amin

P.S. Please remove no_spam_555_ from the email address if replying
directly.

 

[Amin Mohadjer]

I do have a LinkSys BEFSR41 router/firewall, sorry for forgetting to
mention it in the original posting. All ports with the exception of
80, 21, and 8080 were blocked (I verified this on www.grc.com).

I checked both FTP and W3C logs and the intrusion attemps didn't come
from there. I did not have the logging enabled for LinkSys so I cannot
say the same for port 8080.

Here is what I got in my event log (hundreds of such entries in a
timespan of 30 seconds, trying all the accounts on my machine):

8/23/2003 9:21:16 AM Security Failure Audit
Logon/Logoff 539 NT AUTHORITY\SYSTEM WEBSERVERONE "Logon
Failure:
Reason: Account locked out
User Name: IUSR_WEBSERVERONE
Domain: NAN
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: NAN"

8/23/2003 9:21:16 AM Security Failure Audit
Account
Logon 681 NT AUTHORITY\SYSTEM WEBSERVERONE The logon to
account: IUSR_WEBSERVERONE
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: NAN
failed. The error code was: 3221226036

Again, the intruder only attempted the accounts that existed on my
box, he had somehow obtained a list of them. It wasn't a blind attack.

 

[Steven Umbach]

The accounts you list are all default accounts on a W2K installation with
the exception of the computer name for the IUSR_ and IWAM_ accounts , but those
accounts are used for anonymous access to web/ftp and the computer name could be
determined from website address. Possibly someone is trying to gain access to
folders/files through web/ftp access that should not be accessible to anonymous
access because of directory security authentication requirements or ntfs
permissions. If you have the intruders ip address in your W3C logs, you may want
to add it to the restricted ip address list in directory security/ip address and
domain name restrictions. If you have not done so, I would recommend running the
IIS lockdown tool on your server. You might also want to post on a win2000.IIS
newsgroup. --- Steve

http://www.microsoft.com/windows2000/downloads/recommended/iislockdown/default.a
sp