hacking from Terminal services or some other means


scott

Our mail server is running Windows 2000 server. When I
look in the event viewer, I see many failed logon
attempts. The attempts were made to all the user ids in
the system, even the ones that we have disabled but left
in as a user. Apparently, the hacker can see the list of
users.

I have loaded zone alarm on the computer, but it doesn't
help, I still see the hacker trying to get in. The
hacker seems to have a program that runs every 3 minutes
or so to try to get in.

What should I do? Is there any way to tell who the user
is, or how to counteract this hacking?

I don't want to lock out accounts after failed attempts,
because then I will be locked out of getting into the mail
server as well. Below are examples of 2 events out of the
event log.

Event ID: 1006
The terminal server received large number of incomplete
connections. The system may be under attack.

Event ID: 681
The logon to account: Administrator
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: DANIELKASSIM
failed. The error code was: 3221225578


Any ideas?
Gratefully,
Scott
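The two events Scott pasted carry most of what a defender needs: the account tried, the client-supplied workstation name, and an NTSTATUS error code in decimal (3221225578 is 0xC000006A, "wrong password"). The script below is an added example, not code from the thread, that parses a handful of constructed Event 681 records in that layout (the bracketed timestamp prefix is an assumption of the example, not the Event Viewer's own export format), decodes the status codes, and groups the failures by claimed workstation so that a spray across many user ids, hits on disabled accounts, and the roughly three-minute cadence Scott noticed all show up in one summary.

```python
"""Triage of Windows 2000 failed-logon (Event ID 681) records.

Added example for this thread, not the original poster's code. The log
text below is constructed to mirror the record format quoted in the post;
timestamps, account names other than Administrator and the second
workstation name are made up for illustration.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# NTSTATUS values that Event 681 reports in decimal in its "error code" field.
# 3221225578 from the quoted log is 0xC000006A, i.e. a wrong password.
NTSTATUS = {
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Constructed sample: three attempts from one workstation about three minutes
# apart (one against a disabled account), plus one unrelated failure.
SAMPLE_LOG = """\
[2003-09-17 10:00:03] Event ID: 681
The logon to account: Administrator
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: DANIELKASSIM
failed. The error code was: 3221225578
[2003-09-17 10:03:05] Event ID: 681
The logon to account: jsmith
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: DANIELKASSIM
failed. The error code was: 3221225578
[2003-09-17 10:06:04] Event ID: 681
The logon to account: olduser
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: DANIELKASSIM
failed. The error code was: 3221225586
[2003-09-17 10:07:30] Event ID: 681
The logon to account: scott
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: SCOTT-PC
failed. The error code was: 3221225578
"""

RECORD_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\] Event ID: 681\s+"
    r"The logon to account: (?P<account>\S+)\s+"
    r"by: (?P<package>\S+)\s+"
    r"from workstation: (?P<workstation>\S+)\s+"
    r"failed\. The error code was: (?P<code>\d+)"
)


def parse_events(text):
    """Turn the multi-line records into dicts with a decoded status name."""
    events = []
    for m in RECORD_RE.finditer(text):
        code = int(m.group("code"))
        events.append({
            "time": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "account": m.group("account"),
            "workstation": m.group("workstation"),
            "code": code,
            "status": NTSTATUS.get(code, f"UNKNOWN_0x{code:08X}"),
        })
    return events


def summarize(events):
    """Group failures by the workstation name the client supplied.

    The name is whatever the remote machine claims, so it identifies the
    attack stream, not a person. Per stream: distinct accounts tried,
    disabled accounts hit (evidence the user list was enumerated) and the
    median gap between attempts (a steady gap points at an automated tool).
    """
    by_ws = defaultdict(list)
    for e in events:
        by_ws[e["workstation"]].append(e)
    report = {}
    for ws, evs in by_ws.items():
        evs.sort(key=lambda e: e["time"])
        gaps = [(b["time"] - a["time"]).total_seconds()
                for a, b in zip(evs, evs[1:])]
        report[ws] = {
            "attempts": len(evs),
            "accounts": sorted({e["account"] for e in evs}),
            "disabled_accounts_hit": sorted(
                {e["account"] for e in evs if e["code"] == 0xC0000072}),
            "median_gap_s": statistics.median(gaps) if gaps else None,
        }
    return report


def flag_sprays(report, min_accounts=3):
    """Streams that walk several accounts, or touch disabled ones, are sprays."""
    return [ws for ws, r in report.items()
            if len(r["accounts"]) >= min_accounts or r["disabled_accounts_hit"]]


if __name__ == "__main__":
    rep = summarize(parse_events(SAMPLE_LOG))
    for ws in flag_sprays(rep):
        print(ws, rep[ws])
```

The same grouping keyed on source IP address would be more useful than the workstation field, but Event 681 on Windows 2000 does not record one; that is why the replies below point at firewall logging to learn where the connections come from.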
 
The first thing would be to disable terminal services for world access - you
should only allow it via VPN.
Obviously, since they already have a list of users, Zone Alarm was
implemented after the fact and it won't do much against that specific user.
Don't rule out someone who works for your company and has access to the list
of users on a daily basis. Let me take a shot in the dark here and say the
*hacker's* name is Daniel Kassim - can you think of anyone with that
name?
 
Try using an additional firewall as well perhaps. Someone
on this list suggested www.Sygate.com. I am using it
along with Zone Alarm and I like its features better than
zone. You can see much better what's going on and have
more control.

Good Luck
 
Hi Scott. You would have to do that with your firewall rules. For instance to
configure a firewall for Terminal Services from a particular ip address the rule
would be something like -- inbound/source port any, destination port 3389,
protocol tcp, source ip address xxx.xxx.xxx.xxx, destination ip address - mine,
allow. The terminology may differ a bit from firewall to firewall. --- Steve


Scott said:
Steve, Jack, and Wutsitallabout,
Thank you for all your suggestions!! It has been very
helpful!

Could I bother to ask you one other question?
Where would I go to configure the ports to accept certain
IP addresses? Would this be in the Network settings under
TCP/IP? I see that I can do something with the ports
there, but I'm not quite sure if that is the right spot.
Could you confirm?
Thanks so much!!
Scott
-----Original Message-----
Zone Alarm is OK for personal computers, but I would use something more
configurable for a server, preferably a hardware device where you would open
only needed inbound access ports for mail, probably port 25 tcp for smtp and tcp
port 3389 for Terminal Services remote administration. Netgear sells a true SPI
firewall router for $80 that would be good for home or small office type
situations. If you insist on staying with a personal firewall, I like Kerio
though Sygate has better logging features. Either one could tell you the ip
address where the attacks are coming from and if it is one particular ip, you
could create a block rule and be done with it. You might want to go to
http://scan.sygatetech.com/ and check your basic firewall vulnerability. Usually
user/group information is obtained from tcp port 139, 445 being open to the
internet. If you are going to use Terminal Services for remote administration,
try to configure inbound firewall rule for tcp 3389 to accept traffic only from
a particular ip address or ip address range that you would be using for access.
I would still enable an account lockout policy [use threshold of ten] and change
the name of the administrator account. The administrator account can not be
locked out [unless Passprop is used to enable network lockout], and regular user
accounts would not be locked out from a user trying Terminal Services remote
administration since they do not have permissions to RDP. --- Steve

http://www.netgear.com/products/prod_details.asp?prodID=140&view=


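Steve's rule ("inbound, source port any, destination port 3389, protocol tcp, source ip address xxx.xxx.xxx.xxx, allow") is easier to reason about next to a default-deny rule set. The following is an added example, not code from the thread and not any particular firewall's syntax: a small first-match-wins evaluator that models the rule list Steve's two posts add up to (SMTP open to everyone, RDP only from an admin address range, everything else including tcp 139/445 denied). The address range is constructed from a documentation prefix, and the destination-address and source-port fields are omitted since the examples in the thread leave them at "mine" and "any".

```python
"""First-match-wins model of the inbound firewall rules discussed in the thread.

Added example; not the thread's own code and not the syntax of Kerio,
Sygate, Zone Alarm or any Netgear/Linksys device. Addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Rule:
    protocol: str             # "tcp", "udp" or "any"
    dst_port: Optional[int]   # None means any destination port
    src_net: Optional[Net]    # None means any source address
    action: str               # "allow" or "deny"


def rule(protocol, dst_port, src, action):
    """Build a Rule; src is "any", a single address or a CIDR range."""
    net = None if src == "any" else ipaddress.ip_network(src, strict=False)
    return Rule(protocol, dst_port, net, action)


# Constructed admin range (TEST-NET-3, reserved for documentation).
ADMIN_NET = "203.0.113.0/29"

# Evaluated top to bottom; the last rule is the default deny.
RULES = [
    rule("tcp", 25, "any", "allow"),        # SMTP: the only public service
    rule("tcp", 3389, ADMIN_NET, "allow"),  # Terminal Services from admins only
    rule("any", None, "any", "deny"),       # everything else, incl. tcp 139/445
]


def evaluate(rules, protocol, src_ip, dst_port):
    """Return the action of the first rule matching an inbound packet."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.protocol not in ("any", protocol):
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        # An address of the other IP version is never inside the network.
        if r.src_net is not None and src not in r.src_net:
            continue
        return r.action
    return "deny"   # no rule matched: still deny by default


if __name__ == "__main__":
    for proto, src, port in [("tcp", "203.0.113.5", 3389),
                             ("tcp", "198.51.100.7", 3389),
                             ("tcp", "198.51.100.7", 25),
                             ("tcp", "198.51.100.7", 445)]:
        print(proto, src, port, "->", evaluate(RULES, proto, src, port))
```

Because RDP and SQL Server both run over TCP, a forged source address cannot complete the three-way handshake, so a source-address rule like the one above does stop the session even when the address could be spoofed on the wire; what a stateful (SPI) device adds on top is tracking that the inbound packets belong to a connection it has already seen.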
 
On Wed, 17 Sep 2003 15:43:47 GMT, "Steven Umbach"
in said:
Hi Scott. You would have to do that with your firewall rules. For instance to
configure a firewall for Terminal Services from a particular ip address the rule
would be something like -- inbound/source port any, destination port 3389,
protocol tcp, source ip address xxx.xxx.xxx.xxx, destination ip address - mine,
allow. The terminology may differ a bit from firewall to firewall. --- Steve

Using Kerio personal firewall and LinkSys BEFSX41 (will probably
change to NetGear FR114P for better logging and the print
server).

How can I safely have my SQL Server talk to only one other SQL
Server on the web.

I used to use ZA and had it configured to only allow the IP of
the Web SQL Server but it seems that with IP spoofing it might be
possible to fool ZA.

Nothing is open on the LinkSys but forwarding port 1434 to my SQL
Server.
 
I don't know about the FR114P, but I personally use a Netgear FVS318 at home. What I
like about it is that it is a low priced device that unlike the Linksys is a true SPI
firewall. It also allows me to port forward to a computer on my lan from a specific
ip address on the internet, which a lot of the lower priced devices do not. If the
FR114P can do the same thing, I think you will be in good shape to limit traffic to
your SQL server from a particular address. Be sure to download and read the manual
for the FR114P before purchasing. Kerio can also log traffic to your computer based
which would be a help to see what is going on. --- Steve
 
On Thu, 18 Sep 2003 05:24:09 GMT, "Steven L Umbach"
in said:
I don't know about the FR114P, but I personally use a Netgear FVS318 at home. What I
like about it is that it is a low priced device that unlike the Linksys is a true SPI
firewall. It also allows me to port forward to a computer on my lan from a specific
ip address on the internet, which a lot of the lower priced devices do not. If the
FR114P can do the same thing, I think you will be in good shape to limit traffic to
your SQL server from a particular address. Be sure to download and read the manual
for the FR114P before purchasing. Kerio can also log traffic to your computer based
which would be a help to see what is going on. --- Steve

I thought since you have a link to it in several of your posts
that you were recommending it <g>


After comparing the product sheets for both, the FVS318 appears
to have more security features and certainly has more features
that I'm unfamiliar with - looks like it's probably a better
firewall and it's only $40 more (depending on where you shop).
And that's exactly what I was looking for - to be able to port
forward from a specific Internet IP address to a specific box on
my LAN.

It's unfortunate that Linksys gets to claim that they're using
SPI. And they forgot to include 24:00 making it impossible to
close everything at midnight. Nor can a time filter start before
midnight and end after midnight.

Kerio seems to be a big improvement over ZoneAlarm. I believe I
had some sort of kernel mode trojan because neither NAV nor
F-Prot could find anything yet my boxes were all over the
Internet. I downloaded SP4 and all the hotfixes and patches and
then flattened the boxes and added Kerio before ever seeing the
Internet. It was a bit of a learning curve but I'm sleeping
better now. <g>

Thanks for all the good advice you dispense in this group.
 