Hacker queries

Thread starter: William A. Sempf

Hi, everyone. Don't usually frequent this group, hope you don't mind me
barging in.

A client has a Windows 2000 web server that is patched on time, every time.
One week ago, the Security log started showing someone attempting a login on
all user accounts, 30 times each, and failing.

Obviously, someone got the user list. I am assuming they used a badly coded
web page to access a username with XSS, then got into the registry from
there. Question is, what can I do about it?

Thanks in advance for any input you have.
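The pattern William describes (every account tried about the same number of times, every attempt failing) is easy to pick out of an exported Security log once the failed-logon events are tallied per source workstation and per account. The script below is an added example, not code from the thread or from any of the posters. It assumes a tab-separated export of the Security log (date, time, source, type, category, event ID, user, computer, description), which is a constructed layout for this example, and it keys on event 529, the Windows 2000 "Logon Failure: Unknown user name or bad password" audit; the sample log it builds is constructed to mirror the thread's symptom.

```python
import re
from collections import defaultdict

# Failed-logon event IDs in the Windows 2000/2003 Security log (pre-Vista numbering);
# 529 is "Logon Failure: Unknown user name or bad password", the one a password
# guess produces.
FAILED_LOGON_EVENTS = {529, 530, 531, 532, 533, 534, 535, 539}

# Fields pulled out of the event description text.
USER_RE = re.compile(r"User Name:\s*(\S+)")
WKS_RE = re.compile(r"Workstation Name:\s*(\S+)")
TYPE_RE = re.compile(r"Logon Type:\s*(\d+)")


def _event_line(event_id, user, workstation, logon_type=3):
    """Build one record in a constructed, tab-separated Event Viewer export layout
    (date, time, source, type, category, event id, user, computer, description).
    The layout is an assumption for this example, not a documented format."""
    if event_id in FAILED_LOGON_EVENTS:
        kind = "Failure Audit"
        desc = ("Logon Failure: Reason: Unknown user name or bad password "
                f"User Name: {user} Domain: WEB01 Logon Type: {logon_type} "
                f"Workstation Name: {workstation}")
    else:
        kind = "Success Audit"
        desc = (f"Successful Logon: User Name: {user} Domain: WEB01 "
                f"Logon Type: {logon_type} Workstation Name: {workstation}")
    return "\t".join(["2003-03-01", "02:14:03", "Security", kind, "Logon/Logoff",
                      str(event_id), "NT AUTHORITY\\SYSTEM", "WEB01", desc])


def build_sample_log():
    """Constructed sample log: three accounts each hit 30 times from one workstation
    (the pattern in the original post), plus ordinary noise: two mistyped passwords
    from a real user and one successful logon (event 528), which must be ignored."""
    lines = []
    for account in ("Administrator", "IUSR_WEB01", "wsempf"):
        lines += [_event_line(529, account, "ATTACKER") for _ in range(30)]
    lines += [_event_line(529, "jdoe", "WS07") for _ in range(2)]
    lines.append(_event_line(528, "jdoe", "WS07"))
    return "\n".join(lines)


def parse_export(text):
    """Return one dict per failed-logon record; success audits and malformed lines
    are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 9 or not fields[5].isdigit():
            continue
        event_id = int(fields[5])
        if event_id not in FAILED_LOGON_EVENTS:
            continue
        desc = fields[8]
        user, wks, ltype = USER_RE.search(desc), WKS_RE.search(desc), TYPE_RE.search(desc)
        records.append({
            "event_id": event_id,
            "user": user.group(1).lower() if user else "?",
            "workstation": wks.group(1) if wks else "?",
            "logon_type": int(ltype.group(1)) if ltype else 0,
        })
    return records


def failures_by_source(records):
    """Tally failures as {workstation: {user: count}}."""
    table = defaultdict(lambda: defaultdict(int))
    for rec in records:
        table[rec["workstation"]][rec["user"]] += 1
    return table


def find_sprays(table, min_accounts=3, min_per_account=10):
    """Flag sources that hit many distinct accounts, each at least min_per_account
    times. A user mistyping a password fails on one account a few times; a script
    working through an enumerated user list fails on every account about equally,
    which is what the original poster saw (30 failures per account)."""
    hits = []
    for wks, per_user in table.items():
        counts = sorted(per_user.values())
        if len(counts) >= min_accounts and counts[0] >= min_per_account:
            hits.append({"workstation": wks, "accounts": len(counts),
                         "min_failures": counts[0], "max_failures": counts[-1]})
    return sorted(hits, key=lambda h: -h["accounts"])


if __name__ == "__main__":
    table = failures_by_source(parse_export(build_sample_log()))
    for hit in find_sprays(table):
        print(hit)
```

One caveat when reading the output: the Workstation Name in a 529 event is supplied by the client during NTLM authentication, so it points at the source only as far as the attacker chose to tell the truth. Treat it as a grouping key for the tally and confirm the real origin against firewall or router logs for the same time window.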
 
Hi William. Make sure he is using a properly configured firewall that blocks all inbound
ports by default, with exception rules created only for the inbound services he provides.
It is possible this info was obtained via ports 139 or 445. File and print sharing needs to
be uninstalled on the external NIC if that has not been done already.

In general the machine needs to be checked that it is hardened properly, with correct NTFS
permissions and minimum services. TechNet has specific recommendations on securing a web
server. Find out if he has run the IIS Lockdown Tool from Microsoft on it, which includes
URLScan as well. If he has not used it, make sure he backs up his IIS configuration in the
IIS Management Console and at least backs up the System State too before doing so. I would
also suggest posting in the IIS.security newsgroup. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;325864
 
If the IDs that were being targeted are admin accounts, then you were most likely being hit by the MUMU virus. It enumerates
the admin accounts on a machine and then attempts to authenticate to them with a list of passwords.
 