Being hacked...

  • Thread starter Thread starter Anne Robynn
  • Start date Start date
A

Anne Robynn

For the past week every morning at around the same time we get
attacked twice, a few hours apart. All our accounts are being locked
out. I figured we were under attack, but nothing I have done has kept
this hacker out, nor have the attacks dimminished.

I have searched for a solution everywhere including these newsgroups
here at groups.google.

Here's what I've got, and what I've done. I need suggestions on how to
stop these attacks.

What I've got:
1. 3 Servers both windows 2000, all with service pack 4
2. Two are DCs, one is a Citrix server. We are running exchange server
on one of the DCs.
3. I have a PIX firewall, all Netbios ports are closed. Pretty much
only what we need is open. 3389 is open for remote desktop... could
this be the problem?
4. We are running the AD, and force Kerberos authentication
5. account lockout is set at 3 bad logon attempts
6. I have the accounts locked out forever

What I've done:
1. I've installed an event log analyzer to help with event log
analysis and alerts. I have it notify me when lock outs occur, when
anyone accesses what they shouldn't, and when files are being
accessed.
2. I have the event log set large and doesn't overwrite its self
3. I see 629, 630, 681, you name it I got it.
4. I saw an NTVDM showing up on all the servers, so I disabled NTVDM
usages.
5. During the attacks, I see a machine name appear that is not one of
my own. I can't ping it, pstools can't identify it, I don't know how
to get it off the system.
6. are we really being attacked twice, or is the directory replicating
the lock outs while we are unlocking, causing both DC to show locked
out?
7. The guest account is disabled
8. Iwam Iusr, keep getting targeted too, why do I need these?
Exchange? Citrix?
9. I've scanned with LADS to check for alternate data streams.
10. I've scanned for files that shouldn't be there
11. I've disabled any accounts we don't need
12. I changed the admin password just to be sure

I can't turn off the Internet connection. Our work requires it.

I don't know what else to do. How do I keep them off? How do I tell if
they're even there and this isn't just a script running? How do I tell
where the script is and get it off? I don't know what else to lock
down.

Any help will be greatly appreciated.

Thank you,
Anne
 
You sound a litle vauge on your firewall protection. Hopefully you are using
a block all default rule and then allowing only authourized inbound traffic.
I would try to scan your network yourself from the outside or use a self
scan site such as http://scan.sygatetech.com/ if you can not do that right
away. You need to make sure other uneeded ports including port 445 are
closed. The fact that ALL your accounts are locked out tells me that either
someone enumerated your user accounts from the internet, from inside your
network, or possibly they gained access via Remote Desktop to a regular user
account and are now trying to gain a stronger foothold on the network. If
possible restrict access to port 3389 from only authorized public IP
addresses instead of "all". the strange computer you see probably is coming
from the internet, but could possibly [though probably unlikely] be an
internal attack from someome pluffing into your network. You may not be able
to to ping that computer but if you check the computer where the log entries
were found then possibly running nbtstat -r or arp -a may show an IP
address, but those entries do not stay in the cache long. Better yet examine
your firewall logs to see if you can pin down where these attacks are coming
from by comparing entries in the logs to failed logons to your computers
based on correlating times. You may also need to enable auditing of logon
events for at least failures on all of your computers to find out where
these attacks are coming from. You can scan the security logs of multiple
computers using Event Comb from Microsoft. See the link below on where to
get it and tips for tracking down account lockout problems. --- Steve

http://www.microsoft.com/technet/security/guidance/secmod144.mspx
http://www.microsoft.com/downloads/...9c-91f3-4e63-8629-b999adde0b9e&displaylang=en
 
For the past week every morning at around the same time we get
attacked twice, a few hours apart. All our accounts are being locked
out. I figured we were under attack, but nothing I have done has kept
this hacker out, nor have the attacks dimminished.

I have searched for a solution everywhere including these newsgroups
here at groups.google.

Here's what I've got, and what I've done. I need suggestions on how to
stop these attacks.

What I've got:
1. 3 Servers both windows 2000, all with service pack 4
2. Two are DCs, one is a Citrix server. We are running exchange server
on one of the DCs.
3. I have a PIX firewall, all Netbios ports are closed. Pretty much
only what we need is open. 3389 is open for remote desktop... could
this be the problem?
4. We are running the AD, and force Kerberos authentication
5. account lockout is set at 3 bad logon attempts
6. I have the accounts locked out forever

What I've done:
1. I've installed an event log analyzer to help with event log
analysis and alerts. I have it notify me when lock outs occur, when
anyone accesses what they shouldn't, and when files are being
accessed.
Click to expand...

And does it? Have you enabled auditing?
2. I have the event log set large and doesn't overwrite its self
3. I see 629, 630, 681, you name it I got it.
Click to expand...

Have you looked at the events for the source?
4. I saw an NTVDM showing up on all the servers, so I disabled NTVDM
usages.
5. During the attacks, I see a machine name appear that is not one of
my own. I can't ping it, pstools can't identify it, I don't know how
to get it off the system.
Click to expand...

When you look in your firewall logs what do you see?
6. are we really being attacked twice, or is the directory replicating
the lock outs while we are unlocking, causing both DC to show locked
out?
7. The guest account is disabled
8. Iwam Iusr, keep getting targeted too, why do I need these?
Exchange? Citrix?
Click to expand...

IIS. Your web server (and Outlook web access if you use it). If you
don't run a web server, then uninstall IIS and remove the accounts.
9. I've scanned with LADS to check for alternate data streams.
10. I've scanned for files that shouldn't be there
11. I've disabled any accounts we don't need
12. I changed the admin password just to be sure

I can't turn off the Internet connection. Our work requires it.

I don't know what else to do. How do I keep them off? How do I tell if
they're even there and this isn't just a script running? How do I tell
where the script is and get it off? I don't know what else to lock
down.
Click to expand...

Might start by enabling auditing on logons and see what shows in the
event log. Looking at your firewall logs might help as well, at least
to show the origin. If it's from a single IP, block that IP in your
firewall.

Jeff
 
Thanks for your suggestions.

The scan on the firewall showed on FTP, POP3 and HTTP open. But it was
strange, becaue when I used one tool it told me all the Netbios ports
(135, 137-139) were closed, but another scan told me they were open.
When I check the firewall its self, it shows that they are not open.
What's up with that?

Here is a sample of the audit log.

Notice the workstation name. It is not one of ours. Notice it says
NtLmSsp, but I went into the default domain policy and told it to only
accept Kerberos.

Event Origin Details:
User SID: S-1-5-18
In Work Hours: Yes

Logon Failure:
Reason: Unknown user name or bad password
User Name: xxxxxxx
Domain: LAPTOP21
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: LAPTOP21
Caller User Name: N/A
Caller Domain: N/A
Caller Logon ID: N/A
Caller Process ID: N/A
Transited Services: N/A
Source Network Address: N/A
Source Port: N/A

I am using windump and can look at the logs in Ethereal, but there are
so many entries, I don't know what to took for. I see many outside
addresses accessing. How do I know if it's the "bad" guy or not?

I am also using a tool that tells me when files have been changed, and
it it keeps telling me that people are accessing nsiislog.dll,
iisstart.asp, doing CONNECTs and GETs. They never come from the same
IP address, and WHOIS shows they are coming from China, AU, San
Francisco. I don't think we use IISstart.asp. Is this the hole?

Here's a sample of that:
ClientHost: 211.162.68.69
Username:
ServerIP: 192.168.1.1
ProcessingTime: 219
BytesRecvd: 29
BytesSent: 0
ServiceStatus: 500
Win32Status: 126
Operation: GET
Target: /scripts/nsiislog.dll
Parameters:

We are replacing our really old firewall ASAP. But I don't think the
firewall is what is letting them in. I read the MS security
whitepaper, and it's good, but doesn't tell me how to get them out of
my system.

Any suggestions?

Thanks again,
Anne

Steven L Umbach said:
You sound a litle vauge on your firewall protection. Hopefully you are using
a block all default rule and then allowing only authourized inbound traffic.
I would try to scan your network yourself from the outside or use a self
scan site such as http://scan.sygatetech.com/ if you can not do that right
away. You need to make sure other uneeded ports including port 445 are
closed. The fact that ALL your accounts are locked out tells me that either
someone enumerated your user accounts from the internet, from inside your
network, or possibly they gained access via Remote Desktop to a regular user
account and are now trying to gain a stronger foothold on the network. If
possible restrict access to port 3389 from only authorized public IP
addresses instead of "all". the strange computer you see probably is coming
from the internet, but could possibly [though probably unlikely] be an
internal attack from someome pluffing into your network. You may not be able
to to ping that computer but if you check the computer where the log entries
were found then possibly running nbtstat -r or arp -a may show an IP
address, but those entries do not stay in the cache long. Better yet examine
your firewall logs to see if you can pin down where these attacks are coming
from by comparing entries in the logs to failed logons to your computers
based on correlating times. You may also need to enable auditing of logon
events for at least failures on all of your computers to find out where
these attacks are coming from. You can scan the security logs of multiple
computers using Event Comb from Microsoft. See the link below on where to
get it and tips for tracking down account lockout problems. --- Steve

http://www.microsoft.com/technet/security/guidance/secmod144.mspx
http://www.microsoft.com/downloads/...9c-91f3-4e63-8629-b999adde0b9e&displaylang=en

Anne Robynn said:
For the past week every morning at around the same time we get
attacked twice, a few hours apart. All our accounts are being locked
out. I figured we were under attack, but nothing I have done has kept
this hacker out, nor have the attacks dimminished.

I have searched for a solution everywhere including these newsgroups
here at groups.google.

Here's what I've got, and what I've done. I need suggestions on how to
stop these attacks.

What I've got:
1. 3 Servers both windows 2000, all with service pack 4
2. Two are DCs, one is a Citrix server. We are running exchange server
on one of the DCs.
3. I have a PIX firewall, all Netbios ports are closed. Pretty much
only what we need is open. 3389 is open for remote desktop... could
this be the problem?
4. We are running the AD, and force Kerberos authentication
5. account lockout is set at 3 bad logon attempts
6. I have the accounts locked out forever

What I've done:
1. I've installed an event log analyzer to help with event log
analysis and alerts. I have it notify me when lock outs occur, when
anyone accesses what they shouldn't, and when files are being
accessed.
2. I have the event log set large and doesn't overwrite its self
3. I see 629, 630, 681, you name it I got it.
4. I saw an NTVDM showing up on all the servers, so I disabled NTVDM
usages.
5. During the attacks, I see a machine name appear that is not one of
my own. I can't ping it, pstools can't identify it, I don't know how
to get it off the system.
6. are we really being attacked twice, or is the directory replicating
the lock outs while we are unlocking, causing both DC to show locked
out?
7. The guest account is disabled
8. Iwam Iusr, keep getting targeted too, why do I need these?
Exchange? Citrix?
9. I've scanned with LADS to check for alternate data streams.
10. I've scanned for files that shouldn't be there
11. I've disabled any accounts we don't need
12. I changed the admin password just to be sure

I can't turn off the Internet connection. Our work requires it.

I don't know what else to do. How do I keep them off? How do I tell if
they're even there and this isn't just a script running? How do I tell
where the script is and get it off? I don't know what else to lock
down.

Any help will be greatly appreciated.

Thank you,
Anne
Click to expand...
Click to expand...
 
Steven L Umbach said:
If possible restrict access
to port 3389 from only authorized public IP addresses instead of "all".
Click to expand...


I would recommend closing 3389 altogether and implementing the Citrix Secure
Gateway to stop users even getting to metaframe until they have been
authenticated. Much better to have a blackhat bring down a HTTPS server than
to lockout all of your accounts.
http://www.citrix.com/products/securegateway/

Andy.
 
Are you offering a webserver and ftp server to users on the internet as per having
FTP and HTTP open? You did not mention that in your original post.If not you should
close those ports and disable the services. What tool told you that you that netbios
ports open and did it say open or not "stealthed" - as long as they are not open you
should be fine. I like to use the free Superscan 4.0 from Foundstone. I don't thing
the age of your firewall is that important as long as it has a default block all rule
for inbound with rules just for the needed exceptions for allowed inbound access.

How are you restricting kerberos only. As far as I know that is not possible? The
logon failure that you show could possibly be an unauthorized computer from inside
your network. For internet attacks what I would look for is patterns in the firewall
log that occur at the time that the logon failures are being recorded such as a
reoccurring IP address - maybe with that computername if you are lucky. Check to see
if any reoccurring attempts are trying to use ports 139 or 445 [file and print
sharing] or 21 FTP, 80 HTTP, 3389 RDP all tcp. If the failed logons are showing on
the same server, you may want to install Sygate personal firewall [free trial period]
on it and disable the firewall itself which will still allow it's extensive logging
including a traceback function. Just be sure to back up your server before installing
a persona firewall. Also you account lockout threshold is very low and should be at
least ten per Microsoft recommendations which will still provide protection against
hack attacks without also causing premature lockouts in certain situations.

I am not an expert on IIS by any means but I do know if you are using FTP and IIS you
need to run the IIS lockdown tool which will help stop malicious attacks on IIS [in
addition to being fully patched]. The link below shows you where to download the IIS
Lockdown tool. Just be sure to have a current backup of your IIS server including the
System State AND back up your IIS settings using the IIS Management Console where you
select the server/properties - backup and restore. --- Steve

http://www.microsoft.com/downloads/...c0-bb30-47eb-9a61-fd755d23cdec&DisplayLang=en
http://smb.sygate.com/products/pspf/pspf_ov.htm

Anne Robynn said:
Thanks for your suggestions.

The scan on the firewall showed on FTP, POP3 and HTTP open. But it was
strange, becaue when I used one tool it told me all the Netbios ports
(135, 137-139) were closed, but another scan told me they were open.
When I check the firewall its self, it shows that they are not open.
What's up with that?

Here is a sample of the audit log.

Notice the workstation name. It is not one of ours. Notice it says
NtLmSsp, but I went into the default domain policy and told it to only
accept Kerberos.

Event Origin Details:
User SID: S-1-5-18
In Work Hours: Yes

Logon Failure:
Reason: Unknown user name or bad password
User Name: xxxxxxx
Domain: LAPTOP21
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: LAPTOP21
Caller User Name: N/A
Caller Domain: N/A
Caller Logon ID: N/A
Caller Process ID: N/A
Transited Services: N/A
Source Network Address: N/A
Source Port: N/A

I am using windump and can look at the logs in Ethereal, but there are
so many entries, I don't know what to took for. I see many outside
addresses accessing. How do I know if it's the "bad" guy or not?

I am also using a tool that tells me when files have been changed, and
it it keeps telling me that people are accessing nsiislog.dll,
iisstart.asp, doing CONNECTs and GETs. They never come from the same
IP address, and WHOIS shows they are coming from China, AU, San
Francisco. I don't think we use IISstart.asp. Is this the hole?

Here's a sample of that:
ClientHost: 211.162.68.69
Username:
ServerIP: 192.168.1.1
ProcessingTime: 219
BytesRecvd: 29
BytesSent: 0
ServiceStatus: 500
Win32Status: 126
Operation: GET
Target: /scripts/nsiislog.dll
Parameters:

We are replacing our really old firewall ASAP. But I don't think the
firewall is what is letting them in. I read the MS security
whitepaper, and it's good, but doesn't tell me how to get them out of
my system.

Any suggestions?

Thanks again,
Anne

"Steven L Umbach" <[email protected]> wrote in message
You sound a litle vauge on your firewall protection. Hopefully you are using
a block all default rule and then allowing only authourized inbound traffic.
I would try to scan your network yourself from the outside or use a self
scan site such as http://scan.sygatetech.com/ if you can not do that right
away. You need to make sure other uneeded ports including port 445 are
closed. The fact that ALL your accounts are locked out tells me that either
someone enumerated your user accounts from the internet, from inside your
network, or possibly they gained access via Remote Desktop to a regular user
account and are now trying to gain a stronger foothold on the network. If
possible restrict access to port 3389 from only authorized public IP
addresses instead of "all". the strange computer you see probably is coming
from the internet, but could possibly [though probably unlikely] be an
internal attack from someome pluffing into your network. You may not be able
to to ping that computer but if you check the computer where the log entries
were found then possibly running nbtstat -r or arp -a may show an IP
address, but those entries do not stay in the cache long. Better yet examine
your firewall logs to see if you can pin down where these attacks are coming
from by comparing entries in the logs to failed logons to your computers
based on correlating times. You may also need to enable auditing of logon
events for at least failures on all of your computers to find out where
these attacks are coming from. You can scan the security logs of multiple
computers using Event Comb from Microsoft. See the link below on where to
get it and tips for tracking down account lockout problems. --- Steve

http://www.microsoft.com/technet/security/guidance/secmod144.mspx
http://www.microsoft.com/downloads/...9c-91f3-4e63-8629-b999adde0b9e&displaylang=en

Anne Robynn said:
For the past week every morning at around the same time we get
attacked twice, a few hours apart. All our accounts are being locked
out. I figured we were under attack, but nothing I have done has kept
this hacker out, nor have the attacks dimminished.

I have searched for a solution everywhere including these newsgroups
here at groups.google.

Here's what I've got, and what I've done. I need suggestions on how to
stop these attacks.

What I've got:
1. 3 Servers both windows 2000, all with service pack 4
2. Two are DCs, one is a Citrix server. We are running exchange server
on one of the DCs.
3. I have a PIX firewall, all Netbios ports are closed. Pretty much
only what we need is open. 3389 is open for remote desktop... could
this be the problem?
4. We are running the AD, and force Kerberos authentication
5. account lockout is set at 3 bad logon attempts
6. I have the accounts locked out forever

What I've done:
1. I've installed an event log analyzer to help with event log
analysis and alerts. I have it notify me when lock outs occur, when
anyone accesses what they shouldn't, and when files are being
accessed.
2. I have the event log set large and doesn't overwrite its self
3. I see 629, 630, 681, you name it I got it.
4. I saw an NTVDM showing up on all the servers, so I disabled NTVDM
usages.
5. During the attacks, I see a machine name appear that is not one of
my own. I can't ping it, pstools can't identify it, I don't know how
to get it off the system.
6. are we really being attacked twice, or is the directory replicating
the lock outs while we are unlocking, causing both DC to show locked
out?
7. The guest account is disabled
8. Iwam Iusr, keep getting targeted too, why do I need these?
Exchange? Citrix?
9. I've scanned with LADS to check for alternate data streams.
10. I've scanned for files that shouldn't be there
11. I've disabled any accounts we don't need
12. I changed the admin password just to be sure

I can't turn off the Internet connection. Our work requires it.

I don't know what else to do. How do I keep them off? How do I tell if
they're even there and this isn't just a script running? How do I tell
where the script is and get it off? I don't know what else to lock
down.

Any help will be greatly appreciated.

Thank you,
Anne
Click to expand...
Click to expand...
Click to expand...
 
Back
Top