Hacker enables WinNT 4.0 Guest account and assigns Administrator rights!

Hello everyone,

I am in serious trouble.

The school server (WinNT 4.0 SP6) security log shows that the "Guest" account has been enabled and added to the "Domain Admin", "Domain Guest" and "Administrator" groups.

The log shows that the activity took place at midnight, and "NT AUTHORITY\SYSTEM" is shown in the user field of the log.

I changed the password, disabled the account, removed it from the admin group and disallowed logon at all times. However, this event keeps occurring.

I assume that a hacker is attacking the server.

1. How can I prevent this?
2. How can I check whether the system is infected by a virus (Trojan horse)?
3. Where can I get more useful information to solve this and improve the server's security?

I am looking forward to receiving your reply.
Thank you for your attention.


Frank White
 
frank_white (Author) commented:
Serious security problems with WinNT
 
ShadowWarrior111 commented:
1. How can I prevent this?
To prevent this from happening again, download all the latest patches for WinNT. There is a new Service Pack for WinNT featuring high encryption (the SP6 high-encryption version).

2. How can I check whether the system is infected by a virus (Trojan horse)?
Update the server's antivirus definitions and then run a full scan on the server.

3. Where can I get more useful information to solve this and improve the server's security?
This is a very hard question. First of all, you must learn more about network security, and you should get a book on it. For more info, go to Google and search for "network security". By the way, you can go to http://www.neworder.box/ . Next, install firewall software on the server so that it can block malicious incoming and outgoing packets.
 
Ghost_Hacker commented:
Securing your server depends on what type of services it provides, so you probably won't get a detailed answer here, just some general things to do. (Post more details for better answers :-) )

I would recommend the Hacking Exposed series of books. They break down securing a variety of operating systems and the services you might find running on them. But don't stop there; as ShadowWarrior111 suggested, do a search on Google for more information pertaining to your OS and services. Of course there are more books to read too, if you wish to get VERY good at this. (Otherwise don't bother; not everyone cares to be a security guy :-) )

If you still think a trojan is running wild on your system, I would recommend rebuilding it and securing it from scratch. (This might not even be worth doing, depending on your circumstances.)

Good luck :-)
 
adowns commented:
Another way to possibly eliminate this in the future would be simply to rename the Guest account to something else.

-Andrew
 
protofj commented:
Short-term solution until a firewall etc. is available:

Is it possible to physically unplug the remote access (telephone line or whatever) at night?

I assume that, as a school, your local terminals are secure at night.
 
craigtin commented:
You might check to see if you allow incoming RAS calls on that line. If so, remove the dial-in right for all non-essential users. Further, you can stop the FTP server, telnetd and SNMP (unless you really use it).
If you use IIS, then move the folders to a directory on a different partition and secure the application.
Finally, use the NSA guide to secure the system directories and registry.
 
frank_white (Author) commented:
Thank you for all the answers above.

More info:

1. The WinNT 4.0 Server acts as a file server and PDC only; no other services are open (FTP, IIS, telnet...).

2. WinNT 4.0 SP6 High Encryption and NAV 8.0 have been installed (latest virus definitions installed), and no virus was found.

3. The computer room is closed before the school closes.

4. The server has the latest patches installed.
 
TheTechMan commented:
Install the Network Monitor driver from the Network control panel and run a capture when you leave (located on the NT disk under support\drivers\net, I believe). The next day, review the log and check to see whether anyone is logging in remotely to add this access, and figure out what IP it is if this is the problem. Also, change your Administrator password after you remove the Guest user from the admin groups. Thirdly, do you run WinVNC, pcAnywhere, or some other remote control software? Change that password too. Fourth, check the Administrators group and the Domain Admins group for any other users that might have administrative access unnecessarily.

As far as securing the server, do check Google according to ShadowWarrior111's comments.

Good luck!

Tech

* "Help... it's not easy, but it comes back around when you need it!"
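TheTechMan's fourth point (review the Administrators and Domain Admins groups) is the kind of check worth scripting so it can be repeated every morning instead of eyeballed once. The following is an added example, not code from anyone in this thread: it parses the member list that `net group` and `net localgroup` print on an NT 4.0 domain controller, expands nested groups so that a Guest account smuggled into Domain Admins also shows up as an effective member of the local Administrators group, and diffs the result against an approved baseline. The command output and the baseline are constructed for the example; the layout mirrors what `net group` prints (a dashed separator before the member columns and a "The command completed successfully." trailer), and the parser keys on those two markers only.

```python
"""Audit privileged group membership on an NT 4.0 domain against a known-good baseline.

Added example: feed it the text that `net group "Domain Admins"` and
`net localgroup Administrators` print on the PDC (here constructed inline).
"""
import re

# Constructed sample output, laid out the way `net group` prints it:
# header, a dashed separator, member names in columns, then a status trailer.
NET_GROUP_DOMAIN_ADMINS = """\
Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator            Guest                    frank
The command completed successfully.
"""

NET_GROUP_DOMAIN_GUESTS = """\
Group name     Domain Guests
Comment        All domain guests

Members

-------------------------------------------------------------------------------
Guest
The command completed successfully.
"""

NET_LOCALGROUP_ADMINISTRATORS = """\
Alias name     Administrators
Comment        Members can fully administer the computer/domain

Members

-------------------------------------------------------------------------------
Administrator            Domain Admins
The command completed successfully.
"""

# Approved membership (constructed): who is *supposed* to be privileged.
BASELINE = {
    "Domain Admins": {"Administrator", "frank"},
    "Administrators": {"Administrator", "frank"},
}


def parse_net_group(output):
    """Return the member names listed between the dashed line and the trailer."""
    members, in_members = [], False
    for line in output.splitlines():
        if not in_members:
            in_members = line.startswith("---")   # everything before this is header
            continue
        if line.startswith("The command"):
            break
        # names are printed in fixed-width columns; two or more spaces separate them
        members.extend(n for n in re.split(r"\s{2,}", line.strip()) if n)
    return members


def effective_members(group, groups, _seen=None):
    """Flatten nested groups: a user in Domain Admins is effectively an Administrator."""
    _seen = set() if _seen is None else _seen
    users = set()
    for member in groups.get(group, []):
        if member in groups:            # a group nested inside this group
            if member not in _seen:     # guard against A-contains-B-contains-A loops
                _seen.add(member)
                users |= effective_members(member, groups, _seen)
        else:
            users.add(member)
    return users


def audit(groups, baseline):
    """For each baselined group: (unexpected members, approved members now missing)."""
    report = {}
    for group, approved in baseline.items():
        actual = effective_members(group, groups)
        report[group] = (sorted(actual - approved), sorted(approved - actual))
    return report


def run_sample():
    groups = {
        "Domain Admins": parse_net_group(NET_GROUP_DOMAIN_ADMINS),
        "Domain Guests": parse_net_group(NET_GROUP_DOMAIN_GUESTS),
        "Administrators": parse_net_group(NET_LOCALGROUP_ADMINISTRATORS),
    }
    return audit(groups, BASELINE)


if __name__ == "__main__":
    for group, (unexpected, missing) in run_sample().items():
        print(f"{group}: unexpected={unexpected} missing={missing}")
```

On the constructed sample the report lists Guest as unexpected in both Domain Admins and Administrators, the second only because Domain Admins is nested inside the local group; a check that compares the raw `net localgroup` listing against the baseline would miss that. The "missing" side matters too: an approved admin vanishing from the group is also a change nobody authorised.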
 
ShadowWarrior111 commented:
Change all the user and admin passwords on the server. As the server doesn't run FTP, IIS or telnet services, the hacker may have left a backdoor open on the server.
Check the server security policy to make sure no malicious changes have been made to the policy.
 
frank_white (Author) commented:
Thank you for all the experts' experience.

I have changed all the admin group passwords, installed the Network Monitor tools and applied other security measures to improve the server's security.

I have one more question. How can I know whether the server is being intercepted by others (other than by checking the log)?

Thank you very much
 
ShadowWarrior111 commented:
Apart from checking the log file, it's very hard to check whether the server is being intercepted by others or not. Some monitoring tools also log any suspicious connection from outside to the server. The other way is to install a firewall, which will log all connection attempts from inside or outside that pass through the firewall.
 
Ghost_Hacker commented:
You might look into getting an IDS, or intrusion detection system. This is one of the "monitoring tools" mentioned above.

Snort is one of the more popular ones, and it's free. (A Google search will take you to it, but it can be a little hard to set up for someone new to running an IDS.)
 
frank_white (Author) commented:
Thank you for the answers above.

I am trying to install Snort on the Linux 7.3 box which acts as a firewall.

Also, I have a question about using the Network Monitor tools in WinNT 4.0 Server. I want to change all the Src/Dst addresses into computer names (only the local server IP and one Win2k workstation can be translated, e.g. 192.168.1.1 --> Server1).

How can I do it?

Thank you for your attention.

Frank White
 
Ghost_Hacker commented:
I don't use NT's "sniffer", so I can't help you there. But this web site might:

http://www.windowsitlibrary.com/Content/113/03/toc.html

The freebie "sniffer" included with Windows is way too sparse for my taste. (Only the SMS version is even worth talking about.) Instead, a better free "sniffer" is Ethereal, which can translate IP addresses to names and runs on both Windows and Linux. Also it can parse Snort files if they are captured in tcpdump format. (Or you can simply use Linux's tcpdump to capture network traffic.)
 
frank_white (Author) commented:
Thank you for your answer.

I have some questions about the "security log".
1. I see some log entries which use "Advapi" (API call to log on a user) at 11:00 pm every night. I have checked that there are no scheduled programs running at this time (except the ARCserve backup).
Is there any virus/program (Trojan) hidden in the server? I have checked and used removal tools to scan for it, but nothing was found. The event log entry is shown below:
Date: 17/03/03               Event ID: 529
Time: 23:00:10               Source:   Security
User: Nt authority\system    Type:Failure Audit
Computer: FILESERVER         Category: Logon/logoff

Logon Failure:
        Reason:         Unknown user name or bad password
        User Name:      Administrator
        Domain:         ITEDB02A
        Logon Type:     2
        Logon Process:  Advapi
        Authentication Package:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
      Workstation Name:   FILESERVER
 
frank_white (Author) commented:
I missed a question.

2. I want to secure the "IUSR_<<server>>" account, but I don't know which option is more suitable:
   a) Disable the IUSR account, and uncheck "Allow Anonymous Access" in IIS.
   b) Rename the IUSR account, and edit the "Anonymous User" in IIS.

*NOTE: IIS is installed on the BDC, which also includes the proxy server.

Thank you for your attention.

Frank White
 
Ghost_Hacker commented:
Well, first I must point out that running IIS, and proxy too for that matter, on a domain controller is one of the "no-nos" of Microsoft security. (But you may have no choice, depending on your circumstances.)

Now, for the second question, I'll have to ask one.
Do you need anonymous access? If not, then I would uncheck that option and disable the "IUSR_" account.

If you do need it, then make sure that account (or whatever account you use for anonymous access) does not have any NTFS rights to anything outside the web root directory. (Check that it doesn't belong to any groups which might also give it access.) Give that account access only to the subfolder within the web root you wish it to see.

Now to the first question. The log entry points to a "logon type" of 2. This is an attempt at an "interactive" logon (i.e. a console logon or "local" logon). Most scheduled programs are not set to use this type of logon, but you should check anyway.

But since you started this post with unexplained account management activity, there's a chance you're looking at the "activity" that is responsible. These log entries probably started to show up when you changed the admin's name or password.

Since the "Advapi" process is listed (used by IIS to impersonate a user), you're seeing someone trying to gain access to your computer via an IIS basic (plaintext) login and not via a trojan or virus on your computer.

In most cases, if you really feel that trojans are loose on your system, you might think about a rebuild of the web server.

Good luck :)
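The 529 record the poster pasted, like the midnight account changes that opened the thread, is best read across several days rather than one entry at a time. The following added example (not code from anyone in this thread) parses Security log entries exported in exactly that layout and applies three checks a responder would run: failed logons to privileged accounts outside business hours, the same failure recurring at a fixed clock time on successive days (the signature of a service or scheduled job holding a stale password, such as the backup the poster mentions, rather than a person at a keyboard), and bursts of failures inside one minute (password guessing). Assumptions: records are separated by a line of dashes, dates are dd/mm/yy as in the poster's entry, and every sample record after the first is constructed. Note also that "Advapi" is the logon process name recorded whenever something on that machine calls the LogonUser() API, so any local service or scheduled task can produce it, not only IIS; the Workstation Name equalling the Computer name is what says the call was made locally.

```python
"""Triage NT 4.0 Security log entries (event 529) exported as text.

Added example: parses records in the layout pasted in the thread and looks for
off-hours privileged failures, fixed-time recurrences and password-guessing bursts.
"""
import re
from collections import defaultdict
from datetime import timedelta, datetime

# One record in the layout the poster pasted (the Reason/Logon lines are the
# 529 "Logon Failure" section).  Records are assumed to be separated by "-----".
RECORD = """\
Date: {date}               Event ID: 529
Time: {time}               Source:   Security
User: Nt authority\\system    Type:Failure Audit
Computer: FILESERVER         Category: Logon/logoff

Logon Failure:
        Reason:         Unknown user name or bad password
        User Name:      {user}
        Domain:         ITEDB02A
        Logon Type:     {ltype}
        Logon Process:  {proc}
        Authentication Package:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
      Workstation Name:   {ws}
-----
"""

# Constructed sample: the poster's 23:00 entry on three nights, one daytime typo
# by an ordinary user, and five failures in 40 seconds against Administrator.
SAMPLE_ROWS = [
    ("17/03/03", "23:00:10", "Administrator", "2", "Advapi", "FILESERVER"),
    ("18/03/03", "23:00:11", "Administrator", "2", "Advapi", "FILESERVER"),
    ("19/03/03", "23:00:09", "Administrator", "2", "Advapi", "FILESERVER"),
    ("19/03/03", "09:05:41", "jsmith", "3", "NtLmSsp", "WKS-LAB03"),
] + [("19/03/03", f"14:02:{s:02d}", "Administrator", "3", "NtLmSsp", "WKS-LAB07")
     for s in range(0, 50, 10)]
SAMPLE_LOG = "".join(RECORD.format(date=d, time=t, user=u, ltype=l, proc=p, ws=w)
                     for d, t, u, l, p, w in SAMPLE_ROWS)

# "Key: value" pairs; a header line carries two of them separated by runs of spaces.
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z ]*?):\s*(.*?)(?=\s{2,}[A-Za-z][A-Za-z ]*?:|$)")
PRIVILEGED = {"administrator", "guest"}     # the accounts this thread is about
BUSINESS_HOURS = range(8, 18)


def parse_events(text):
    """Split the export into records and each record into a dict of fields."""
    events = []
    for block in re.split(r"^-{3,}\s*$", text, flags=re.M):
        fields, pending = {}, None
        for line in block.splitlines():
            pairs = PAIR_RE.findall(line.rstrip())
            if pairs:
                for key, value in pairs:
                    fields[key.strip()] = value.strip()
                    pending = key.strip() if not value.strip() else None
            elif pending and line.strip():
                fields[pending] = line.strip()      # value wrapped onto the next line
                pending = None
        if "Event ID" in fields:
            fields["when"] = datetime.strptime(f"{fields['Date']} {fields['Time']}",
                                               "%d/%m/%y %H:%M:%S")   # dd/mm/yy assumed
            events.append(fields)
    return events


def classify(e):
    """Logon type 2 via Advapi with the server as workstation is a LogonUser()
    call by something running on the box (service, scheduled job, web server);
    type 3 is a session arriving over the network from the named workstation."""
    if e.get("Logon Process") == "Advapi" and e.get("Workstation Name") == e.get("Computer"):
        return "local LogonUser() call on " + e["Computer"]
    if e.get("Logon Type") == "3":
        return "network logon from " + e.get("Workstation Name", "?")
    return "logon type " + e.get("Logon Type", "?")


def off_hours_privileged_failures(events):
    return [e for e in events
            if e["Event ID"] == "529"
            and e.get("User Name", "").lower() in PRIVILEGED
            and e["when"].hour not in BUSINESS_HOURS]


def recurring_at_fixed_time(events, bucket_minutes=5, min_days=3):
    """Same account, process and logon type failing in the same few minutes on
    several different days: something scheduled, not someone at a keyboard."""
    days = defaultdict(set)
    for e in events:
        if e["Event ID"] != "529":
            continue
        minute = (e["when"].hour * 60 + e["when"].minute) // bucket_minutes * bucket_minutes
        key = (e.get("User Name"), e.get("Logon Process"), e.get("Logon Type"),
               f"{minute // 60:02d}:{minute % 60:02d}")
        days[key].add(e["when"].date())
    return {k: sorted(d) for k, d in days.items() if len(d) >= min_days}


def failure_bursts(events, window=timedelta(seconds=60), threshold=5):
    """`threshold` or more failures for one account inside `window`: password guessing."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["when"]):
        if e["Event ID"] == "529":
            by_user[e.get("User Name")].append(e)
    bursts = []
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):            # sliding window over one account's failures
            while evs[end]["when"] - evs[start]["when"] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts.append((user, evs[start]["when"], evs[end]["when"], end - start + 1))
                break
    return bursts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for e in off_hours_privileged_failures(evs):
        print(f"{e['when']} 529 {e['User Name']}: {classify(e)}")
    for key, dates in recurring_at_fixed_time(evs).items():
        print("recurring", key, "on", [d.isoformat() for d in dates])
    for user, first, last, n in failure_bursts(evs):
        print(f"burst: {n} failures for {user} between {first.time()} and {last.time()}")
```

On the sample the three 23:00 entries are flagged both as off-hours privileged failures and as one fixed-time recurrence keyed on (Administrator, Advapi, type 2, 23:00), while the 14:02 run is reported as a burst from WKS-LAB07 and the single daytime typo by jsmith trips nothing. The two shapes call for different responses: a recurrence at the same second every night points at whatever is scheduled then (the poster's own list names the backup), whereas a burst from a workstation is someone guessing and the workstation name is the lead to follow.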
 
frank_white (Author) commented:
Thank you to "Ghost_Hacker" and all the experts for answering.

I have gained a lot of Windows administration knowledge and am going to improve the server's security.

Thank you!! (^0^)
 