Hacker enables WinNT 4.0 Guest account and assigns Administrator rights!!!!!

Posted on 2003-03-10
Last Modified: 2013-12-04
Hello everyone,

I have a serious problem.

The school server's (WinNT 4.0 SP6) security log shows that the "Guest" account has been enabled and joined to the "Domain Admin", "Domain Guest" and "Administrator" groups.

The log shows that the activity took place at midnight, and "NT AUTHORITY\SYSTEM" is shown in the user field of the log.

I changed the password, disabled the account, removed it from the admin groups and disallowed logon at all times. However, this event occurred again.

I assume that a hacker is attacking the server.

1. How can I prevent this event?
2. How can I check whether the system is infected by any virus (Trojan horse)?
3. Where can I get more useful information to solve it and improve the server's security?

I am looking forward to receiving your reply.
Thank you for your attention.


Frank White
Question by:frank_white
21 Comments

Author Comment

by:frank_white
ID: 8107685
Serious security problems with WinNT

Accepted Solution

by:
ShadowWarrior111 earned 100 total points
ID: 8108865
1. How can I prevent this event?
To prevent this from happening again, download all the latest patches for WinNT. There is a new Service Pack for WinNT featuring high encryption (SP6 high encryption version).

2. How can I check whether the system is infected by any virus (Trojan horse)?
Update the server's antivirus virus definitions and then run a full scan on the server.

3. Where can I get more useful information to solve it and improve the server's security?
This is a very hard question. First of all, you must learn more about network security, and you should get a book on it. For more info, go to Google and search for network security. By the way, you can go to http://www.neworder.box/ . Next, install firewall software on the server so that it can block any malicious incoming and outgoing packets.

Assisted Solution

by:Ghost_Hacker
Ghost_Hacker earned 100 total points
ID: 8111351
Securing your server depends on what type of services it provides, so you probably won't get a detailed answer here, just some general things to do. (Post more details for better answers :-) )


I would recommend the Hacking Exposed series of books. They break down securing a variety of operating systems and the services you might find running on them. But don't stop there; as ShadowWarrior111 suggested, do a search on Google for more information pertaining to your OS and services. Of course there are more books to read too, if you wish to get VERY good at this. (Otherwise don't bother, not everyone cares to be a security guy :-) )


If you still think a trojan is running wild on your system, I would recommend rebuilding it and securing it from scratch. (This might not even be worth doing depending on your circumstances.)


Good Luck :-)

Expert Comment

by:adowns
ID: 8111415
Another way to possibly eliminate this in the future would be to simply rename the guest account to something else.

-Andrew

Expert Comment

by:protofj
ID: 8112258
Short-term solution until a firewall etc. is available......

Is it possible to physically unplug the remote access (telephone line or whatever) at night?

I assume that as a school your local terminals are secure at night.


Expert Comment

by:craigtin
ID: 8113315
You might check to see if you allow incoming RAS calls on that line. If so, remove the dial-in right for all non-essential users. Further, you can stop the FTP server, telnetd and SNMP (unless you really use them).
If you use IIS then move the folders to a directory on a different partition and secure the application.
Finally, use the NSA guide to secure the system directories and registry.

Author Comment

by:frank_white
ID: 8116266
Thank you for all the answers above.

More info:

1. The WinNT 4.0 server acts as a file server and PDC only; no other services are open (FTP, IIS, telnet...).

2. WinNT 4.0 SP6 High Encryption and NAV 8.0 have been installed (latest virus definitions installed), and no virus was found.

3. The computer room is closed before the school closes.

4. The server has the latest patches installed.

Assisted Solution

by:TheTechMan
TheTechMan earned 100 total points
ID: 8116986
Install the Network Monitor driver from the Network control panel and run a capture when you leave (located on the NT disk under support\drivers\net, I believe). The next day, review the log and check to see if anyone is logging in remotely to add this access, and figure out what IP it is if this is the problem. Also, change your Administrator password after you remove the Guest user from the admin groups. Thirdly, do you run WinVNC, pcAnywhere, or some other remote control software? Change that password too. Fourth, check the Administrators group and the Domain Admins group for any other users that might have administrative access unnecessarily.

As far as securing the server, do check Google according to ShadowWarrior111's comments.

Good luck!

Tech

* "Help...  it's not easy, but it comes back around when you need it!"

Expert Comment

by:ShadowWarrior111
ID: 8116993
Change all the user and admin passwords on the server. As the server doesn't run FTP, IIS or telnet services, the hacker may have left a backdoor open on the server.
Check the server security policy to make sure no malicious changes have been made to the policy.

Author Comment

by:frank_white
ID: 8133344
Thank you for all the experts' experience.

I have changed all the admin group passwords, installed the "Network Monitor tools" and applied other security measures to improve the server security.

I have one more question. How can I know that the server is being intercepted by others (apart from checking the log)?

Thank you very much


Expert Comment

by:ShadowWarrior111
ID: 8134069
Apart from checking the log file, it's very hard to check whether the server is being intercepted by others or not. Some monitoring tools also log any suspicious connection from outside to the server. The other way is to install a firewall, which will log all connection attempts from inside or outside that pass through the firewall.

Expert Comment

by:Ghost_Hacker
ID: 8135498
You might look into getting an IDS, or intrusion detection system. This is one of the "monitoring tools" mentioned above.


Snort is one of the more popular ones and it's free. (A Google search will take you to it, but it can be a little hard to set up for someone new to running an IDS.)

Author Comment

by:frank_white
ID: 8150191
Thank you for the answers above.

I am trying to install "Snort" on the Linux 7.3 box which acts as a firewall.

Also, I have a question about using "Network Monitor Tools" on the WinNT 4.0 server. I want to change all the Src/Dst addresses into computer names (only the local server IP and 1 Win2k workstation can be translated, e.g. 192.168.1.1 --> Server1).

How can I do it?

Thank you for your attention.

Frank White

Expert Comment

by:Ghost_Hacker
ID: 8150909
I don't use NT's "sniffer", so I can't help you there. But this web site might:

http://www.windowsitlibrary.com/Content/113/03/toc.html


The freebie "sniffer" included with Windows is way too sparse for my taste (only the SMS version is even worth talking about). Instead, a better free "sniffer" is Ethereal, which can translate IP addresses to names and runs on both Windows and Linux. Also it can parse Snort files if they are captured in tcpdump format (or you can simply use Linux's tcpdump to capture network traffic).
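Ghost_Hacker's point about a sniffer that resolves addresses to names, and TheTechMan's earlier advice to capture overnight and find the IP behind the changes, come down to one operation on a capture file: decode each frame's IP header and map the addresses through a hosts table, then look at the talkers that have no name. The Python below is an added example, not code from the thread, from Ethereal or from Network Monitor. It builds a small libpcap file in memory from constructed frames (the workstation name and address, the unnamed 10.0.0.7 host and the port numbers are all made up), parses it back, prints Ethereal-style "name:port -> name:port" lines, and counts packets sent to the server by addresses the hosts table cannot name, which is exactly the host an overnight capture is meant to surface.

```python
import socket
import struct
from collections import Counter

# Constructed hosts table. The thread says only the server and one Win2k
# workstation can be named; the workstation name and address are assumptions.
HOSTS = {"192.168.1.1": "Server1", "192.168.1.20": "WS-WIN2K"}

def build_frame(src_ip, dst_ip, sport, dport):
    """Ethernet + IPv4 + TCP SYN with no payload (constructed sample traffic)."""
    eth = bytes(range(0x00, 0x06)) + bytes(range(0x10, 0x16)) + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp

def build_pcap(frames):
    """Classic libpcap container, little-endian, LINKTYPE_ETHERNET; frames = [(ts, bytes)]."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in frames:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def iter_pcap(data):
    """Yield (ts_sec, frame) from a libpcap byte string; handles both byte orders."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a libpcap capture")
    off = 24
    while off + 16 <= len(data):
        ts, _, incl, _ = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield ts, data[off:off + incl]
        off += incl

def parse_frame(frame):
    """Return (src_ip, dst_ip, proto, sport, dport) for IPv4 TCP/UDP, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = 14 + ihl
    sport = dport = None
    if proto in (6, 17) and len(frame) >= l4 + 4:
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    return src, dst, proto, sport, dport

def resolve(ip, hosts=HOSTS):
    """Ethereal-style name resolution: known name, otherwise the raw address."""
    return hosts.get(ip, ip)

def summarize(pcap, hosts=HOSTS):
    """One 'name:port -> name:port' line per IPv4 packet, in capture order."""
    lines = []
    for _, frame in iter_pcap(pcap):
        p = parse_frame(frame)
        if p:
            src, dst, _, sport, dport = p
            lines.append(f"{resolve(src, hosts)}:{sport} -> {resolve(dst, hosts)}:{dport}")
    return lines

def unknown_talkers(pcap, server_ip="192.168.1.1", hosts=HOSTS):
    """Count packets sent to the server by addresses the hosts table cannot name."""
    c = Counter()
    for _, frame in iter_pcap(pcap):
        p = parse_frame(frame)
        if p and p[1] == server_ip and p[0] not in hosts:
            c[p[0]] += 1
    return c

# Constructed overnight capture: the workstation and an unnamed 10.0.0.7 host
# both open NetBIOS session (139/tcp) connections to the server.
SAMPLE_PCAP = build_pcap([
    (1047430800, build_frame("192.168.1.20", "192.168.1.1", 1034, 139)),
    (1047430860, build_frame("10.0.0.7", "192.168.1.1", 2049, 139)),
    (1047430861, build_frame("192.168.1.1", "10.0.0.7", 139, 2049)),
])

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_PCAP)))
    print("unnamed hosts talking to the server:", dict(unknown_talkers(SAMPLE_PCAP)))
```

To use it on a real overnight capture, save the capture in tcpdump/libpcap format (as Ghost_Hacker notes, that is the format both Ethereal and Snort understand), read the file into `iter_pcap`, and fill `HOSTS` from the NT server's own name table; anything `unknown_talkers` reports against port 139 on the PDC at night is the address to chase.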

Author Comment

by:frank_white
ID: 8156037
Thank you for your answer.

I have some questions about the "security log".
1. I see some log entries which use "Advapi" (API call to logon user) at 11:00 pm every night. I have checked that there are no scheduled programs running at this time (except the ARCserve backup).
Is there any virus/program (Trojan) hidden in the server? I have checked and used removal tools to scan it, but nothing was found. The event log entry is shown below:
Date: 17/03/03               Event ID: 529
Time: 23:00:10               Source:   Security
User: NT AUTHORITY\SYSTEM    Type:     Failure Audit
Computer: FILESERVER         Category: Logon/Logoff

Logon Failure:
        Reason:                  Unknown user name or bad password
        User Name:               Administrator
        Domain:                  ITEDB02A
        Logon Type:              2
        Logon Process:           Advapi
        Authentication Package:  MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
        Workstation Name:        FILESERVER

Author Comment

by:frank_white
ID: 8156179
I missed a question.

2. I want to secure the "IUSR_<<server>>" account, but I don't know which option is more suitable:
   a) Disable the IUSR account and uncheck "Allow Anonymous Access" in IIS.
   b) Rename the IUSR account and edit the "Anonymous User" in IIS.

*NOTE: IIS is installed on the BDC; it also includes a proxy server.

Thank you for your attention.

Frank White

Expert Comment

by:Ghost_Hacker
ID: 8158908
Well, first I must point out that running IIS, and proxy too for that matter, on a domain controller is one of the "no-no"s of Microsoft security (but you may have no choice depending on your circumstances).

Now, for the second question, I'll have to ask one.
Do you need anonymous access? If not, then I would uncheck that option and disable the "IUSR_" account.

If you do need it, then make sure that account (or whatever account you use for anonymous access) does not have any NTFS rights to anything outside the web root directory (check that it doesn't belong to any groups which might also give it access). Give that account access only to the subfolder within the web root you wish it to see.


Now to the first question. The log entry points to a "logon type" of 2. This is an attempt at an "interactive" logon (i.e. a console logon or "local" logon). Most scheduled programs are not set to use this type of logon, but you should check anyway.


But since you started this post with unexplained account management activity, there's a chance you're looking at the "activity" that is responsible. These log entries probably started to show up when you changed the admin's name or password.


Since the "Advapi" process is listed (used by IIS to impersonate a user), you're seeing someone trying to gain access to your computer via an IIS basic (plaintext) login and not via a trojan or virus on your computer.


In most cases, if you really feel that trojans are loose on your system, you might think about a rebuild of the web server.


Good Luck :)
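The two observations in this thread are the kind a responder scripts rather than eyeballs: the same failed Administrator logon at 23:00:10 on consecutive nights with Logon Process "Advapi" (the value NT records when a program calls the LogonUser API, which is consistent with Ghost_Hacker's reading that the attempts began once the admin password changed), and Guest being enabled and added to admin groups as NT AUTHORITY\SYSTEM at midnight. The Python below is an added example, not code from the thread. It parses exported security-log records in the two-column layout Frank pasted, flags Advapi logon failures that recur at the same minute on different dates (a retrying program, not a person at the console), and flags Guest being enabled or any addition to Administrators or Domain Admins made as SYSTEM or outside business hours. Only the 17/03/03 23:00:10 record is taken from the thread; the other records, the event IDs besides 529 (626 account enabled, 632/636 member added to a global/local group), the description field names and the 07:00-19:59 business window are assumptions modelled on the NT4/2000 audit format, not data from the page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the thread's own 529 entry. Only the
# 17/03/03 23:00:10 record is from the thread; every other record, the
# event IDs other than 529, and the description field names are assumptions.
SAMPLE_LOG = """\
Date: 12/03/03               Event ID: 626
Time: 00:02:11               Source:   Security
User: NT AUTHORITY\\SYSTEM    Type:     Success Audit
Computer: FILESERVER         Category: Account Management
User Account Enabled:
        Target Account Name:    Guest

Date: 12/03/03               Event ID: 632
Time: 00:02:12               Source:   Security
User: NT AUTHORITY\\SYSTEM    Type:     Success Audit
Computer: FILESERVER         Category: Account Management
        Member Name:            Guest
        Target Account Name:    Domain Admins

Date: 12/03/03               Event ID: 636
Time: 00:02:12               Source:   Security
User: NT AUTHORITY\\SYSTEM    Type:     Success Audit
Computer: FILESERVER         Category: Account Management
        Member Name:            Guest
        Target Account Name:    Administrators

Date: 16/03/03               Event ID: 529
Time: 23:00:10               Source:   Security
User: NT AUTHORITY\\SYSTEM    Type:     Failure Audit
Computer: FILESERVER         Category: Logon/Logoff
        User Name:      Administrator
        Logon Type:     2
        Logon Process:  Advapi

Date: 17/03/03               Event ID: 529
Time: 23:00:10               Source:   Security
User: NT AUTHORITY\\SYSTEM    Type:     Failure Audit
Computer: FILESERVER         Category: Logon/Logoff
Logon Failure:
        Reason:         Unknown user name or bad password
        User Name:      Administrator
        Logon Type:     2
        Logon Process:  Advapi

Date: 17/03/03               Event ID: 636
Time: 10:30:00               Source:   Security
User: ITEDB02A\\frank_white   Type:     Success Audit
Computer: FILESERVER         Category: Account Management
Local Group Member Added:
        Member Name:            frank_white
        Target Account Name:    Administrators
        Caller User Name:       frank_white
"""

# "Key: value   Key: value" header lines: a value ends at two or more spaces
# followed by the next key, or at end of line.
HEADER_KV = re.compile(r"([A-Za-z][A-Za-z ]*?):\s*(.*?)(?=\s{2,}[A-Za-z][A-Za-z ]*?:|\s*$)")
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59; an assumption for a school

def parse_records(text):
    """Split an exported security log into one dict per record, keyed by field name."""
    records = []
    for chunk in re.split(r"\n(?=Date: )", text.strip()):
        lines, rec = chunk.splitlines(), {}
        for line in lines[:4]:                       # two-column header block
            for key, val in HEADER_KV.findall(line):
                rec[key.strip()] = val.strip()
        for line in lines[4:]:                       # one "Field: value" per line
            key, _, val = line.partition(":")
            if val.strip():
                rec[key.strip()] = val.strip()
        rec["when"] = datetime.strptime(f"{rec['Date']} {rec['Time']}", "%d/%m/%y %H:%M:%S")
        rec["Event ID"] = int(rec["Event ID"])
        records.append(rec)
    return records

def recurring_failed_logons(records, min_days=2):
    """529 via Advapi keyed on (account, HH:MM); the same minute on min_days or
    more distinct dates is a program retrying a credential, not a person."""
    seen = defaultdict(set)
    for r in records:
        if r["Event ID"] == 529 and r.get("Logon Process", "").lower() == "advapi":
            seen[(r.get("User Name"), r["when"].strftime("%H:%M"))].add(r["when"].date())
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_days}

def suspicious_account_changes(records):
    """Guest enabled, or a privileged-group addition made as SYSTEM or after hours."""
    findings = []
    for r in records:
        eid, target = r["Event ID"], r.get("Target Account Name", "")
        caller = r.get("Caller User Name", r.get("User", ""))   # fall back to header User
        by_system = caller.upper().endswith("SYSTEM")
        after_hours = r["when"].hour not in BUSINESS_HOURS
        if (eid == 626 and target == "Guest") or (
                eid in (632, 636) and target in PRIVILEGED_GROUPS and (by_system or after_hours)):
            findings.append((r["when"].isoformat(" "), eid, r.get("Member Name", target), target, caller))
    return findings
```

Run over the sample, `recurring_failed_logons` returns the single key `("Administrator", "23:00")` with both March dates, and `suspicious_account_changes` returns the three SYSTEM changes at 00:02 and not the daytime change made by frank_white; on a real export, the `when` timestamps of the flagged 632/636 events are what to line up against the `at` scheduler, services and backup jobs that run as SYSTEM on the PDC at that hour.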

Author Comment

by:frank_white
ID: 8171866
Thank you to "Ghost_Hacker" and all the experts for answering.

I have gained a lot of Windows administration knowledge and am going to improve the server security.

Thank you!! (^0^)

Expert Comment

by:CleanupPing
ID: 9070749
frank_white:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
