frank_white asked:
Hacker enables Winnt4.0 Guest account and assigns Administrator rights !!!!!

Hello everyone,

I have serious trouble.

The school server (Winnt4.0 sp6) security log displays that the "Guest" account has been enabled and joined the "Domain Admin", "Domain Guest" and "Administrator" groups.

The log shows that the activity took place at midnight, and "NT AUTHORITY\SYSTEM" is shown in the user field of the log.

I changed the password, disabled the account, removed it from the admin group and disallowed logon at all times.  However, this event occurs again.

I assume that a hacker is attacking the server.

1. How can I prevent this event?
2. How can I check whether the system is infected by any virus (Trojan horse)?
3. Where can I get more useful info. to solve it and improve the server security?

I am looking forward to receiving your reply.
Thank you for your attention.


Frank White
frank_white (ASKER):

Serious security problems about winnt
ASKER CERTIFIED SOLUTION
ShadowWarrior111
Another way to possibly eliminate this in the future would be to simply rename the guest account to something else.

-Andrew
Short-term solution until a firewall etc. is available:

Is it possible to physically unplug the remote access (telephone line or whatever) at night?

I assume that as a school your local terminals are secure at night.

You might check to see if you allow incoming RAS calls on that line.  If so, remove the dial-in right for all non-essential users.  Further, you can stop the FTP server, telnetd and SNMP (unless you really use it).  
If you use IIS then move the folders to a directory on a different partition and secure the application.
Finally use the NSA guide to secure the system directories and registry.
Thank you for all the above answers.

More info.

1. The Winnt4.0 Server acts as file server and PDC only; no other services are open (ftp, IIS, telnet...).

2. Winnt4.0 SP6 High Encryption & NAV 8.0 have been installed (latest virus definitions installed), and no virus found.

3. The computer room is closed before the school closes.

4. The server has the latest patches installed.
Change all the user and admin passwords on the server. As the server doesn't run ftp, IIS and telnet services, the hacker may have left a backdoor open on the server.
Check the server security policy to make sure no malicious changes have been made to the policy.
Thank you for all the Experts' experience.

I have changed all the admin group passwords, installed "Network Monitor Tools" and applied other security measures to improve the server security.

I have one more question. How can I know whether the server is being intercepted by others? (except by checking the log)

Thank you very much

Apart from checking the log file, it's very hard to check whether the server is being intercepted by others or not. Some monitoring tools also log any suspicious connection from outside to the server. The other way is to install a firewall, which will log all connection attempts from inside or outside that pass through the firewall.
You might look into getting an IDS, or intrusion detection system. This is one of the "monitoring tools" mentioned above.


Snort is one of the more popular ones and it's free. (A Google search will take you to it, but it can be a little hard to set up for someone new to running an IDS.)
Thank you for the above answers.

I am trying to install "Snort" on the linux 7.3 box which acts as a firewall.

Also, I have a question about using "Network Monitor Tools" on the Winnt4.0 server.  I want to change all the Src/Dst addresses into computer names (only the local server IP and 1 Win2k workstation can be translated, e.g. 192.168.1.1-->Server1).

How can I do it?

Thank you for your attention.

Frank White
I don't use NT's "sniffer", so I can't help you there. But this web site might:

http://www.windowsitlibrary.com/Content/113/03/toc.html


The freebie "sniffer" included with Windows is way too sparse for my taste (only the SMS version is even worth talking about). Instead, a better free "sniffer" is Ethereal, which can translate IP addresses to names and runs on both Windows and Linux. Also it can parse Snort files if they are captured in tcpdump format (or you can simply use Linux's tcpdump to capture network traffic).
Thank you for your answer.

I have some questions about the "security log".
1. I see some log entries which use "Advapi" (API call to logon user) at 11:00 pm every night.  I have checked that there are no scheduled programs running at this time (except ARCserve backup).
Is there any virus/program (Trojan) hidden in the server? I have checked and used removal tools to scan it, but nothing was found.  The event log entry is shown below:
Date: 17/03/03               Event ID: 529
Time: 23:00:10               Source:   Security
User: Nt authority\system    Type:Failure Audit
Computer: FILESERVER         Category: Logon/logoff

Logon Failure:
        Reason:         Unknown user name or bad password
        User Name:      Administrator
        Domain:         ITEDB02A
        Logon Type:     2
        Logon Process:  Advapi  
        Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
        Workstation Name:   FILESERVER
I missed a question.

2. I want to secure the "IUSR_<<server>>" account, but I don't know which option is more suitable.
   a) Disable the IUSR account, uncheck "Allow Anonymous Access" in IIS.
   b) Rename the IUSR, edit the "Anonymous User" in IIS.

*NOTE: IIS is installed on the BDC; it also includes a proxy server.

Thank you for your attention.

Frank White
Well, first I must point out that running IIS, and proxy too for that matter, on a domain controller is one of the "no-no"s of Microsoft security (but you may have no choice depending on your circumstances).

Now, for the second question, I'll have to ask one.
Do you need anonymous access? If not, then I would uncheck that option and disable the "IUSR_" account.

If you do need it, then make sure that account (or whatever account you use for anonymous access) does not have any NTFS rights to anything outside the web root directory (check that it doesn't belong to any groups which might also give it access). Give that account access only to the subfolder within the web root you wish it to see.

Now to the first question. The log entry points to a "logon type" of 2. This is an attempt at an "interactive" logon (i.e. a console logon or "local" logon). Most scheduled programs are not set to use this type of logon, but you should check anyway.

But since you started this post with unexplained account management activity, there's a chance you're looking at the "activity" that is responsible. These log entries probably started to show up when you changed the admin's name or password.

Since the "Advapi" process is listed (used by IIS to impersonate a user), you're seeing someone trying to gain access to your computer via an IIS basic (plaintext) login and not via a trojan or virus on your computer.

In most cases, if you really feel that trojans are loose on your system, you might think about a rebuild of the web server.


Good Luck :)
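As an added illustration of the log reading in the reply above (not code from the thread or from any poster), here is a small Python parser for the 529 record layout Frank posted that groups failures by user, logon process, logon type and time of day and reports the ones that come back on several nights; the sample records, the daytime user "jsmith" and its logon process value are constructed.

```python
import re
from collections import defaultdict

# NT4 logon-type codes; the 529 record in the thread shows type 2 (interactive).
LOGON_TYPES = {2: "interactive", 3: "network", 4: "batch", 5: "service"}

# Constructed record template in the layout quoted in the thread (not a real capture).
RECORD = """Date: {date}               Event ID: 529
Time: {time}               Source:   Security
User: Nt authority\\system    Type:Failure Audit
Computer: FILESERVER         Category: Logon/logoff

Logon Failure:
        Reason:         Unknown user name or bad password
        User Name:      {user}
        Domain:         ITEDB02A
        Logon Type:     {ltype}
        Logon Process:  {proc}
        Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
        Workstation Name:   FILESERVER
"""
# Three nights of the 23:00 Advapi failure, plus one constructed daytime network-logon
# failure by another user that must not be grouped with them.
SAMPLE_LOG = "\n".join([
    RECORD.format(date="17/03/03", time="23:00:10", user="Administrator", ltype=2, proc="Advapi"),
    RECORD.format(date="18/03/03", time="23:00:12", user="Administrator", ltype=2, proc="Advapi"),
    RECORD.format(date="19/03/03", time="23:00:09", user="Administrator", ltype=2, proc="Advapi"),
    RECORD.format(date="19/03/03", time="09:14:51", user="jsmith", ltype=3, proc="KSecDD"),
])

FIELD = re.compile(r"(Date|Time|Event ID|User Name|Logon Type|Logon Process):\s*(\S+)")

def parse_events(text):
    """Split the log into records (each starts with 'Date:') and pull out the fields we need."""
    events = []
    for chunk in re.split(r"(?m)^(?=Date: )", text):
        if chunk.strip():
            f = dict(FIELD.findall(chunk))
            events.append({"date": f["Date"], "time": f["Time"], "event_id": int(f["Event ID"]),
                           "user": f.get("User Name"), "logon_type": int(f.get("Logon Type", 0)),
                           "process": f.get("Logon Process")})
    return events

def recurring_failures(events, window_minutes=5, min_nights=2):
    """Group 529 failures by (user, logon process, logon type, time-of-day bucket) and keep
    groups seen on min_nights distinct dates: the same failure at the same clock time night
    after night points at something scheduled or automated, not a person at the console."""
    seen = defaultdict(set)
    for e in events:
        if e["event_id"] == 529:
            hh, mm = (int(x) for x in e["time"].split(":")[:2])
            seen[(e["user"], e["process"], e["logon_type"], (hh * 60 + mm) // window_minutes)].add(e["date"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_nights}
```

Running `recurring_failures(parse_events(SAMPLE_LOG))` yields one group, the Administrator/Advapi/type-2 failure seen on all three nights, while the single daytime network failure is left out.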
Thank you to "Ghost_hacker" and all experts for answering.

I have gained a lot of Windows administrative knowledge and am going to improve the server security.

Thank you !! (^0^)